csaf_certbund - wid-sec-w-2025-1439

CVE-2024-53057 (GCVE-0-2024-53057)

Vulnerability from cvelistv5

Published

2024-11-19 17:19

Modified

2025-05-04 09:51

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

References

►

URL

Tags

	https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e
	https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20
	https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b
	https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552
	https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b
	https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24
	https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba
	https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816

Impacted products

Vendor

Product

Version

►

Linux

Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939
Version: 066a3b5b2346febf9a655b444567b7138e3bb939

Linux

Version: 2.6.25

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53057",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:25:23.594430Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:31.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e7f9a6f97eb067599a74f3bcb6761976b0ed303e",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "ce691c814bc7a3c30c220ffb5b7422715458fd9b",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "05df1b1dff8f197f1c275b57ccb2ca33021df552",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "580b3189c1972aff0f993837567d36392e9d981b",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "597cf9748c3477bf61bc35f0634129f56764ad24",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "9995909615c3431a5304c1210face5f268d24dba",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "2e95c4384438adeaa772caa560244b1a2efef816",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.171",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.116",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.323",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.229",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.171",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.116",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.60",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.7",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it\u0027s valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:51:52.422Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"
        },
        {
          "url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"
        },
        {
          "url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"
        },
        {
          "url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"
        }
      ],
      "title": "net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53057",
    "datePublished": "2024-11-19T17:19:40.284Z",
    "dateReserved": "2024-11-19T17:17:24.974Z",
    "dateUpdated": "2025-05-04T09:51:52.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50294 (GCVE-0-2024-50294)

Vulnerability from cvelistv5

Published

2024-11-19 01:30

Modified

2025-05-04 09:51

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing locking causing hanging calls If a call gets aborted (e.g. because kafs saw a signal) between it being queued for connection and the I/O thread picking up the call, the abort will be prioritised over the connection and it will be removed from local->new_client_calls by rxrpc_disconnect_client_call() without a lock being held. This may cause other calls on the list to disappear if a race occurs. Fix this by taking the client_call_lock when removing a call from whatever list its ->wait_link happens to be on.

References

►

URL

Tags

	https://git.kernel.org/stable/c/996a7208dadbf2cdda8d51444d5ee1fdd1ccbc92
	https://git.kernel.org/stable/c/b1fdb0bb3b6513f5bd26f92369fd6ac1a2422d8b
	https://git.kernel.org/stable/c/fc9de52de38f656399d2ce40f7349a6b5f86e787

Impacted products

Vendor

Product

Version

►

Linux

Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/conn_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "996a7208dadbf2cdda8d51444d5ee1fdd1ccbc92",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            },
            {
              "lessThan": "b1fdb0bb3b6513f5bd26f92369fd6ac1a2422d8b",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            },
            {
              "lessThan": "fc9de52de38f656399d2ce40f7349a6b5f86e787",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/rxrpc.h",
            "net/rxrpc/conn_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.61",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing locking causing hanging calls\n\nIf a call gets aborted (e.g. because kafs saw a signal) between it being\nqueued for connection and the I/O thread picking up the call, the abort\nwill be prioritised over the connection and it will be removed from\nlocal-\u003enew_client_calls by rxrpc_disconnect_client_call() without a lock\nbeing held.  This may cause other calls on the list to disappear if a race\noccurs.\n\nFix this by taking the client_call_lock when removing a call from whatever\nlist its -\u003ewait_link happens to be on."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:51:03.793Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/996a7208dadbf2cdda8d51444d5ee1fdd1ccbc92"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1fdb0bb3b6513f5bd26f92369fd6ac1a2422d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc9de52de38f656399d2ce40f7349a6b5f86e787"
        }
      ],
      "title": "rxrpc: Fix missing locking causing hanging calls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50294",
    "datePublished": "2024-11-19T01:30:40.699Z",
    "dateReserved": "2024-10-21T19:36:19.986Z",
    "dateUpdated": "2025-05-04T09:51:03.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52831 (GCVE-0-2023-52831)

Vulnerability from cvelistv5

Published

2024-05-21 15:31

Modified

2025-05-04 07:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: cpu/hotplug: Don't offline the last non-isolated CPU If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked(). cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN)); Thus results in an empty CPU mask which triggers the warning and then the subsequent crash: WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930 Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798 Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU. Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908
	https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13
	https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63
	https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52831",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-22T19:07:45.620666Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T20:44:55.485Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:36.073Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3410b702354702b500bde10e3cc1f9db8731d908",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "335a47ed71e332c82339d1aec0c7f6caccfcda13",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3073f6df783d9d75f7f69f73e16c7ef85d6cfb63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "38685e2a0476127db766f81b1c06019ddc4c9ffa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/cpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don\u0027t offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n  rebuild_sched_domains_locked()\n    ndoms = generate_sched_domains(\u0026doms, \u0026attr);\n      cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:43:55.664Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908"
        },
        {
          "url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13"
        },
        {
          "url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63"
        },
        {
          "url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa"
        }
      ],
      "title": "cpu/hotplug: Don\u0027t offline the last non-isolated CPU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52831",
    "datePublished": "2024-05-21T15:31:33.566Z",
    "dateReserved": "2024-05-21T15:19:24.251Z",
    "dateUpdated": "2025-05-04T07:43:55.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21793 (GCVE-0-2025-21793)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: sn-f-ospi: Fix division by zero When there is no dummy cycle in the spi-nor commands, both dummy bus cycle bytes and width are zero. Because of the cpu's warning when divided by zero, the warning should be avoided. Return just zero to avoid such calculations.

References

►

URL

Tags

	https://git.kernel.org/stable/c/966328191b4c389c0f2159fa242915f51cbc1679
	https://git.kernel.org/stable/c/4df6f005bef04a3dd16c028124a1b5684db3922b
	https://git.kernel.org/stable/c/7434135553bc03809a55803ee6a8dcaae6240d55
	https://git.kernel.org/stable/c/3588b1c0fde2f58d166e3f94a5a58d64b893526c

Impacted products

Vendor

Product

Version

►

Linux

Version: 1b74dd64c8612619e399e5a31da79a3636914495
Version: 1b74dd64c8612619e399e5a31da79a3636914495
Version: 1b74dd64c8612619e399e5a31da79a3636914495
Version: 1b74dd64c8612619e399e5a31da79a3636914495

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-sn-f-ospi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "966328191b4c389c0f2159fa242915f51cbc1679",
              "status": "affected",
              "version": "1b74dd64c8612619e399e5a31da79a3636914495",
              "versionType": "git"
            },
            {
              "lessThan": "4df6f005bef04a3dd16c028124a1b5684db3922b",
              "status": "affected",
              "version": "1b74dd64c8612619e399e5a31da79a3636914495",
              "versionType": "git"
            },
            {
              "lessThan": "7434135553bc03809a55803ee6a8dcaae6240d55",
              "status": "affected",
              "version": "1b74dd64c8612619e399e5a31da79a3636914495",
              "versionType": "git"
            },
            {
              "lessThan": "3588b1c0fde2f58d166e3f94a5a58d64b893526c",
              "status": "affected",
              "version": "1b74dd64c8612619e399e5a31da79a3636914495",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-sn-f-ospi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sn-f-ospi: Fix division by zero\n\nWhen there is no dummy cycle in the spi-nor commands, both dummy bus cycle\nbytes and width are zero. Because of the cpu\u0027s warning when divided by\nzero, the warning should be avoided. Return just zero to avoid such\ncalculations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:21.201Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/966328191b4c389c0f2159fa242915f51cbc1679"
        },
        {
          "url": "https://git.kernel.org/stable/c/4df6f005bef04a3dd16c028124a1b5684db3922b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7434135553bc03809a55803ee6a8dcaae6240d55"
        },
        {
          "url": "https://git.kernel.org/stable/c/3588b1c0fde2f58d166e3f94a5a58d64b893526c"
        }
      ],
      "title": "spi: sn-f-ospi: Fix division by zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21793",
    "datePublished": "2025-02-27T02:18:30.281Z",
    "dateReserved": "2024-12-29T08:45:45.767Z",
    "dateUpdated": "2025-05-04T07:21:21.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21859 (GCVE-0-2025-21859)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler.

References

►

URL

Tags

	https://git.kernel.org/stable/c/727dee0857946b85232526de4f5a957fe163e89a
	https://git.kernel.org/stable/c/1f10923404705a94891e612dff3b75e828a78368
	https://git.kernel.org/stable/c/b09957657d7767d164b3432af2129bd72947553c
	https://git.kernel.org/stable/c/24a942610ee9bafb2692a456ae850c5b2e409b05
	https://git.kernel.org/stable/c/deeee3adb2c01eedab32c3b4519337689ad02e8a
	https://git.kernel.org/stable/c/e9fec6f42c45db2f62dc373fb1a10d2488c04e79
	https://git.kernel.org/stable/c/8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba
	https://git.kernel.org/stable/c/4ab37fcb42832cdd3e9d5e50653285ca84d6686f

Impacted products

Vendor

Product

Version

►

Linux

Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05
Version: d5daf49b58661ec4af7a55b277176efbf945ca05

Linux

Version: 3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "727dee0857946b85232526de4f5a957fe163e89a",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "1f10923404705a94891e612dff3b75e828a78368",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "b09957657d7767d164b3432af2129bd72947553c",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "24a942610ee9bafb2692a456ae850c5b2e409b05",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "deeee3adb2c01eedab32c3b4519337689ad02e8a",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "e9fec6f42c45db2f62dc373fb1a10d2488c04e79",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            },
            {
              "lessThan": "4ab37fcb42832cdd3e9d5e50653285ca84d6686f",
              "status": "affected",
              "version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: f_midi: f_midi_complete to call queue_work\n\nWhen using USB MIDI, a lock is attempted to be acquired twice through a\nre-entrant call to f_midi_transmit, causing a deadlock.\n\nFix it by using queue_work() to schedule the inner f_midi_transmit() via\na high priority work queue from the completion handler."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:41.835Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/727dee0857946b85232526de4f5a957fe163e89a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f10923404705a94891e612dff3b75e828a78368"
        },
        {
          "url": "https://git.kernel.org/stable/c/b09957657d7767d164b3432af2129bd72947553c"
        },
        {
          "url": "https://git.kernel.org/stable/c/24a942610ee9bafb2692a456ae850c5b2e409b05"
        },
        {
          "url": "https://git.kernel.org/stable/c/deeee3adb2c01eedab32c3b4519337689ad02e8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9fec6f42c45db2f62dc373fb1a10d2488c04e79"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ab37fcb42832cdd3e9d5e50653285ca84d6686f"
        }
      ],
      "title": "USB: gadget: f_midi: f_midi_complete to call queue_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21859",
    "datePublished": "2025-03-12T09:42:12.036Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:41.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21858 (GCVE-0-2025-21858)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed. However, its geneve_dev.next is still linked to the backend UDP socket netns. Then, use-after-free will occur when another geneve dev is created in the netns. Let's call geneve_dellink() instead in geneve_destroy_tunnels(). [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886
	https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c
	https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316
	https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78
	https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf
	https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3
	https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283
	https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929

Impacted products

Vendor

Product

Version

►

Linux

Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b

Linux

Version: 4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21858",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T13:19:41.982339Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-12T13:23:48.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d5e86e27de0936f3cb0a299ce519d993e9cf3886",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "5a0538ac6826807d6919f6aecbb8996c2865af2c",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "f74f6560146714241c6e167b03165ee77a86e316",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "904e746b2e7fa952ab8801b303ce826a63153d78",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "3ce92ca990cfac88a87c61df3cc0b5880e688ecf",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "da9b0ae47f084014b1e4b3f31f70a0defd047ff3",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "788dbca056a8783ec063da3c9d49a3a71c76c283",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            },
            {
              "lessThan": "9593172d93b9f91c362baec4643003dc29802929",
              "status": "affected",
              "version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: Fix use-after-free in geneve_find_dev().\n\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\n\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)-\u003egeneve_list.\n\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\n\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\n\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\n\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\n\nLet\u0027s call geneve_dellink() instead in geneve_destroy_tunnels().\n\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441\n\nCPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379\n geneve_find_dev drivers/net/geneve.c:1295 [inline]\n geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\n geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634\n rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:713 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568\n ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622\n __sys_sendmsg net/socket.c:2654 [inline]\n __do_sys_sendmsg net/socket.c:2659 [inline]\n __se_sys_sendmsg net/socket.c:2657 [inline]\n __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600\n\nAllocated by task 13247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4298 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645\n alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470\n rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_n\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:40.675Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316"
        },
        {
          "url": "https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf"
        },
        {
          "url": "https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3"
        },
        {
          "url": "https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283"
        },
        {
          "url": "https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929"
        }
      ],
      "title": "geneve: Fix use-after-free in geneve_find_dev().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21858",
    "datePublished": "2025-03-12T09:42:11.343Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:40.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57974 (GCVE-0-2024-57974)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: udp: Deal with race between UDP socket address change and rehash If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated. Secondary hash chains were introduced by commit 30fff9231fad ("udp: bind() optimisation") and, as a result, a rehash operation became needed to make a bound socket reachable again after a connect(). This operation was introduced by commit 719f835853a9 ("udp: add rehash on connect()") which isn't however a complete fix: the socket will be found once the rehashing completes, but not while it's pending. This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a client sending datagrams to it. After the server receives the first datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to the address of the sender, in order to set up a directed flow. Now, if the client, running on a different CPU thread, happens to send a (subsequent) datagram while the server's socket changes its address, but is not rehashed yet, this will result in a failed lookup and a port unreachable error delivered to the client, as apparent from the following reproducer: LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4)) dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in while :; do taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & sleep 0.1 || sleep 1 taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null wait done where the client will eventually get ECONNREFUSED on a write() (typically the second or third one of a given iteration): 2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused This issue was first observed as a seldom failure in Podman's tests checking UDP functionality while using pasta(1) to connect the container's network namespace, which leads us to a reproducer with the lookup error resulting in an ICMP packet on a tap device: LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')" while :; do ./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & sleep 0.2 || sleep 1 socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null wait cmp tmp.in tmp.out done Once this fails: tmp.in tmp.out differ: char 8193, line 29 we can finally have a look at what's going on: $ tshark -r pasta.pcap 1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2 2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164 6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55 7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable) 9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096 12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0 On the third datagram received, the network namespace of the container initiates an ARP lookup to deliver the ICMP message. In another variant of this reproducer, starting the client with: strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/4f8344fce91c5766d368edb0ad80142eacd805c7
	https://git.kernel.org/stable/c/d65d3bf309b2649d27b24efd0d8784da2d81f2a6
	https://git.kernel.org/stable/c/a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c

Impacted products

Vendor

Product

Version

►

Linux

Version: 30fff9231fad757c061285e347b33c5149c2c2e4
Version: 30fff9231fad757c061285e347b33c5149c2c2e4
Version: 30fff9231fad757c061285e347b33c5149c2c2e4

Linux

Version: 2.6.33

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c",
            "net/ipv6/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4f8344fce91c5766d368edb0ad80142eacd805c7",
              "status": "affected",
              "version": "30fff9231fad757c061285e347b33c5149c2c2e4",
              "versionType": "git"
            },
            {
              "lessThan": "d65d3bf309b2649d27b24efd0d8784da2d81f2a6",
              "status": "affected",
              "version": "30fff9231fad757c061285e347b33c5149c2c2e4",
              "versionType": "git"
            },
            {
              "lessThan": "a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c",
              "status": "affected",
              "version": "30fff9231fad757c061285e347b33c5149c2c2e4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c",
            "net/ipv6/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Deal with race between UDP socket address change and rehash\n\nIf a UDP socket changes its local address while it\u0027s receiving\ndatagrams, as a result of connect(), there is a period during which\na lookup operation might fail to find it, after the address is changed\nbut before the secondary hash (port and address) and the four-tuple\nhash (local and remote ports and addresses) are updated.\n\nSecondary hash chains were introduced by commit 30fff9231fad (\"udp:\nbind() optimisation\") and, as a result, a rehash operation became\nneeded to make a bound socket reachable again after a connect().\n\nThis operation was introduced by commit 719f835853a9 (\"udp: add\nrehash on connect()\") which isn\u0027t however a complete fix: the\nsocket will be found once the rehashing completes, but not while\nit\u0027s pending.\n\nThis is noticeable with a socat(1) server in UDP4-LISTEN mode, and a\nclient sending datagrams to it. After the server receives the first\ndatagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to\nthe address of the sender, in order to set up a directed flow.\n\nNow, if the client, running on a different CPU thread, happens to\nsend a (subsequent) datagram while the server\u0027s socket changes its\naddress, but is not rehashed yet, this will result in a failed\nlookup and a port unreachable error delivered to the client, as\napparent from the following reproducer:\n\n  LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))\n  dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in\n\n  while :; do\n  \ttaskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc \u0026\n  \tsleep 0.1 || sleep 1\n  \ttaskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null\n  \twait\n  done\n\nwhere the client will eventually get ECONNREFUSED on a write()\n(typically the second or third one of a given iteration):\n\n  2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused\n\nThis issue was first observed as a seldom failure in Podman\u0027s tests\nchecking UDP functionality while using pasta(1) to connect the\ncontainer\u0027s network namespace, which leads us to a reproducer with\nthe lookup error resulting in an ICMP packet on a tap device:\n\n  LOCAL_ADDR=\"$(ip -j -4 addr show|jq -rM \u0027.[] | .addr_info[0] | select(.scope == \"global\").local\u0027)\"\n\n  while :; do\n  \t./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc \u0026\n  \tsleep 0.2 || sleep 1\n  \tsocat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null\n  \twait\n  \tcmp tmp.in tmp.out\n  done\n\nOnce this fails:\n\n  tmp.in tmp.out differ: char 8193, line 29\n\nwe can finally have a look at what\u0027s going on:\n\n  $ tshark -r pasta.pcap\n      1   0.000000           :: ? ff02::16     ICMPv6 110 Multicast Listener Report Message v2\n      2   0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      3   0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      4   0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      5   0.168827 c6:47:05:8d:dc:04 ? Broadcast    ARP 42 Who has 88.198.0.161? Tell 88.198.0.164\n      6   0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55\n      7   0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      8   0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)\n      9   0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n     10   0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n     11   0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096\n     12   0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0\n\nOn the third datagram received, the network namespace of the container\ninitiates an ARP lookup to deliver the ICMP message.\n\nIn another variant of this reproducer, starting the client with:\n\n  strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:29.082Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4f8344fce91c5766d368edb0ad80142eacd805c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d65d3bf309b2649d27b24efd0d8784da2d81f2a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c"
        }
      ],
      "title": "udp: Deal with race between UDP socket address change and rehash",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57974",
    "datePublished": "2025-02-27T02:07:02.973Z",
    "dateReserved": "2025-02-27T02:04:28.912Z",
    "dateUpdated": "2025-05-04T10:07:29.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21779 (GCVE-0-2025-21779)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID. Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC: dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

References

►

URL

Tags

	https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a
	https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
	https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
	https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
	https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
	https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
	https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69

Impacted products

Vendor

Product

Version

►

Linux

Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61224533f2b61e252b03e214195d27d64b22989a",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "45fa526b0f5a34492ed0536c3cdf88b78380e4de",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "5393cf22312418262679eaadb130d608c75fe690",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "874ff13c73c45ecb38cb82191e8c1d523f0dc81b",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "aca8be4403fb90db7adaf63830e27ebe787a76e8",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "ca29f58ca374c40a0e69c5306fc5c940a0069074",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "a8de7f100bb5989d9c3627d3a223ee1c863f3b69",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel\n\nAdvertise support for Hyper-V\u0027s SEND_IPI and SEND_IPI_EX hypercalls if and\nonly if the local API is emulated/virtualized by KVM, and explicitly reject\nsaid hypercalls if the local APIC is emulated in userspace, i.e. don\u0027t rely\non userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.\n\nRejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if\nHyper-V enlightenments are exposed to the guest without an in-kernel local\nAPIC:\n\n  dump_stack+0xbe/0xfd\n  __kasan_report.cold+0x34/0x84\n  kasan_report+0x3a/0x50\n  __apic_accept_irq+0x3a/0x5c0\n  kvm_hv_send_ipi.isra.0+0x34e/0x820\n  kvm_hv_hypercall+0x8d9/0x9d0\n  kvm_emulate_hypercall+0x506/0x7e0\n  __vmx_handle_exit+0x283/0xb60\n  vmx_handle_exit+0x1d/0xd0\n  vcpu_enter_guest+0x16b0/0x24c0\n  vcpu_run+0xc0/0x550\n  kvm_arch_vcpu_ioctl_run+0x170/0x6d0\n  kvm_vcpu_ioctl+0x413/0xb20\n  __se_sys_ioctl+0x111/0x160\n  do_syscal1_64+0x30/0x40\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nNote, checking the sending vCPU is sufficient, as the per-VM irqchip_mode\ncan\u0027t be modified after vCPUs are created, i.e. if one vCPU has an\nin-kernel local APIC, then all vCPUs have an in-kernel local APIC."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:00.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de"
        },
        {
          "url": "https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690"
        },
        {
          "url": "https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b"
        },
        {
          "url": "https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69"
        }
      ],
      "title": "KVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21779",
    "datePublished": "2025-02-27T02:18:23.001Z",
    "dateReserved": "2024-12-29T08:45:45.764Z",
    "dateUpdated": "2025-05-04T07:21:00.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56720 (GCVE-0-2024-56720)

Vulnerability from cvelistv5

Published

2024-12-29 11:29

Modified

2025-05-04 10:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Several fixes to bpf_msg_pop_data Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG.

References

►

URL

Tags

	https://git.kernel.org/stable/c/d3f5763b3062514a234114e97bbde74d8d702449
	https://git.kernel.org/stable/c/d26d977633d1d0b8bf9407278189bd0a8d973323
	https://git.kernel.org/stable/c/e1f54c61c4c9a5244eb8159dce60d248f7d97b32
	https://git.kernel.org/stable/c/f58d3aa457e77a3d9b3df2ab081dcf9950f6029f
	https://git.kernel.org/stable/c/98c7ea7d11f2588e8197db042e0291e4ac8f8346
	https://git.kernel.org/stable/c/785180bed9879680d8e5c5e1b54c8ae8d948f4c8
	https://git.kernel.org/stable/c/275a9f3ef8fabb0cb282a62b9e164dedba7284c5
	https://git.kernel.org/stable/c/5d609ba262475db450ba69b8e8a557bd768ac07a

Impacted products

Vendor

Product

Version

►

Linux

Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28
Version: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3f5763b3062514a234114e97bbde74d8d702449",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "d26d977633d1d0b8bf9407278189bd0a8d973323",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "e1f54c61c4c9a5244eb8159dce60d248f7d97b32",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "f58d3aa457e77a3d9b3df2ab081dcf9950f6029f",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "98c7ea7d11f2588e8197db042e0291e4ac8f8346",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "785180bed9879680d8e5c5e1b54c8ae8d948f4c8",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "275a9f3ef8fabb0cb282a62b9e164dedba7284c5",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            },
            {
              "lessThan": "5d609ba262475db450ba69b8e8a557bd768ac07a",
              "status": "affected",
              "version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Several fixes to bpf_msg_pop_data\n\nSeveral fixes to bpf_msg_pop_data,\n1. In sk_msg_shift_left, we should put_page\n2. if (len == 0), return early is better\n3. pop the entire sk_msg (last == msg-\u003esg.size) should be supported\n4. Fix for the value of variable \"a\"\n5. In sk_msg_shift_left, after shifting, i has already pointed to the next\nelement. Addtional sk_msg_iter_var_next may result in BUG."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:18.659Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3f5763b3062514a234114e97bbde74d8d702449"
        },
        {
          "url": "https://git.kernel.org/stable/c/d26d977633d1d0b8bf9407278189bd0a8d973323"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1f54c61c4c9a5244eb8159dce60d248f7d97b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/f58d3aa457e77a3d9b3df2ab081dcf9950f6029f"
        },
        {
          "url": "https://git.kernel.org/stable/c/98c7ea7d11f2588e8197db042e0291e4ac8f8346"
        },
        {
          "url": "https://git.kernel.org/stable/c/785180bed9879680d8e5c5e1b54c8ae8d948f4c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/275a9f3ef8fabb0cb282a62b9e164dedba7284c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d609ba262475db450ba69b8e8a557bd768ac07a"
        }
      ],
      "title": "bpf, sockmap: Several fixes to bpf_msg_pop_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56720",
    "datePublished": "2024-12-29T11:29:58.345Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-05-04T10:03:18.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57948 (GCVE-0-2024-57948)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mac802154: check local interfaces before deleting sdata list syzkaller reported a corrupted list in ieee802154_if_remove. [1] Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system. CPU0 CPU1 ==== ==== genl_family_rcv_msg_doit ieee802154_unregister_hw ieee802154_del_iface ieee802154_remove_interfaces rdev_del_virtual_intf_deprecated list_del(&sdata->list) ieee802154_if_remove list_del_rcu The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove. To avoid this issue, add a check for local->interfaces before deleting sdata list. [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_rcu include/linux/rculist.h:157 [inline] ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 ___sys_sendmsg net/socket.c:2661 [inline] __sys_sendmsg+0x292/0x380 net/socket.c:2690 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

►

URL

Tags

	https://git.kernel.org/stable/c/0d11dc30edfc4acef0acef130bb5ca596317190a
	https://git.kernel.org/stable/c/98ea165a2ac240345c48b57c0a3d08bbcad02929
	https://git.kernel.org/stable/c/80aee0bc0dbe253b6692d33e64455dc742fc52f1
	https://git.kernel.org/stable/c/41e4ca8acba39f1cecff2dfdf14ace4ee52c4272
	https://git.kernel.org/stable/c/2e41e98c4e79edae338f2662dbdf74ac2245d183
	https://git.kernel.org/stable/c/b856d2c1384bc5a7456262afd21aa439ee5cdf6e
	https://git.kernel.org/stable/c/eb09fbeb48709fe66c0d708aed81e910a577a30a

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac802154/iface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d11dc30edfc4acef0acef130bb5ca596317190a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "98ea165a2ac240345c48b57c0a3d08bbcad02929",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "80aee0bc0dbe253b6692d33e64455dc742fc52f1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "41e4ca8acba39f1cecff2dfdf14ace4ee52c4272",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2e41e98c4e79edae338f2662dbdf74ac2245d183",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b856d2c1384bc5a7456262afd21aa439ee5cdf6e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "eb09fbeb48709fe66c0d708aed81e910a577a30a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac802154/iface.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: check local interfaces before deleting sdata list\n\nsyzkaller reported a corrupted list in ieee802154_if_remove. [1]\n\nRemove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4\nhardware device from the system.\n\nCPU0\t\t\t\t\tCPU1\n====\t\t\t\t\t====\ngenl_family_rcv_msg_doit\t\tieee802154_unregister_hw\nieee802154_del_iface\t\t\tieee802154_remove_interfaces\nrdev_del_virtual_intf_deprecated\tlist_del(\u0026sdata-\u003elist)\nieee802154_if_remove\nlist_del_rcu\n\nThe net device has been unregistered, since the rcu grace period,\nunregistration must be run before ieee802154_if_remove.\n\nTo avoid this issue, add a check for local-\u003einterfaces before deleting\nsdata list.\n\n[1]\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56\nCode: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 \u003c0f\u003e 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7\nRSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246\nRAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d\nR10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000\nR13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0\nFS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:124 [inline]\n __list_del_entry include/linux/list.h:215 [inline]\n list_del_rcu include/linux/rculist.h:157 [inline]\n ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687\n rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]\n ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:744\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607\n ___sys_sendmsg net/socket.c:2661 [inline]\n __sys_sendmsg+0x292/0x380 net/socket.c:2690\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:18.808Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d11dc30edfc4acef0acef130bb5ca596317190a"
        },
        {
          "url": "https://git.kernel.org/stable/c/98ea165a2ac240345c48b57c0a3d08bbcad02929"
        },
        {
          "url": "https://git.kernel.org/stable/c/80aee0bc0dbe253b6692d33e64455dc742fc52f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/41e4ca8acba39f1cecff2dfdf14ace4ee52c4272"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e41e98c4e79edae338f2662dbdf74ac2245d183"
        },
        {
          "url": "https://git.kernel.org/stable/c/b856d2c1384bc5a7456262afd21aa439ee5cdf6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb09fbeb48709fe66c0d708aed81e910a577a30a"
        }
      ],
      "title": "mac802154: check local interfaces before deleting sdata list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57948",
    "datePublished": "2025-01-31T11:25:29.762Z",
    "dateReserved": "2025-01-19T11:50:08.380Z",
    "dateUpdated": "2025-05-04T10:07:18.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58078 (GCVE-0-2024-58078)

Vulnerability from cvelistv5

Published

2025-03-06 16:13

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors misc_minor_alloc was allocating id using ida for minor only in case of MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids using ida_free causing a mismatch and following warn: > > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f > > ida_free called for id=127 which is not allocated. > > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ... > > [<60941eb4>] ida_free+0x3e0/0x41f > > [<605ac993>] misc_minor_free+0x3e/0xbc > > [<605acb82>] misc_deregister+0x171/0x1b3 misc_minor_alloc is changed to allocate id from ida for all minors falling in the range of dynamic/ misc dynamic minors

References

►

URL

Tags

	https://git.kernel.org/stable/c/3df72111c39f7e4c5029c9ff720b56ec2e05b764
	https://git.kernel.org/stable/c/8b4120b3e060e137eaa8dc76a1c40401088336e5
	https://git.kernel.org/stable/c/6635332d246d7db89b90e145f2bf937406cecaf0
	https://git.kernel.org/stable/c/6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68

Impacted products

Vendor

Product

Version

►

Linux

Version: ab760791c0cfbb1d7a668f46a135264f56c8f018
Version: ab760791c0cfbb1d7a668f46a135264f56c8f018
Version: ab760791c0cfbb1d7a668f46a135264f56c8f018
Version: ab760791c0cfbb1d7a668f46a135264f56c8f018

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3df72111c39f7e4c5029c9ff720b56ec2e05b764",
              "status": "affected",
              "version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
              "versionType": "git"
            },
            {
              "lessThan": "8b4120b3e060e137eaa8dc76a1c40401088336e5",
              "status": "affected",
              "version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
              "versionType": "git"
            },
            {
              "lessThan": "6635332d246d7db89b90e145f2bf937406cecaf0",
              "status": "affected",
              "version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
              "versionType": "git"
            },
            {
              "lessThan": "6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68",
              "status": "affected",
              "version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors\n\nmisc_minor_alloc was allocating id using ida for minor only in case of\nMISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids\nusing ida_free causing a mismatch and following warn:\n\u003e \u003e WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f\n\u003e \u003e ida_free called for id=127 which is not allocated.\n\u003e \u003e \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n...\n\u003e \u003e [\u003c60941eb4\u003e] ida_free+0x3e0/0x41f\n\u003e \u003e [\u003c605ac993\u003e] misc_minor_free+0x3e/0xbc\n\u003e \u003e [\u003c605acb82\u003e] misc_deregister+0x171/0x1b3\n\nmisc_minor_alloc is changed to allocate id from ida for all minors\nfalling in the range of dynamic/ misc dynamic minors"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:29.311Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3df72111c39f7e4c5029c9ff720b56ec2e05b764"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b4120b3e060e137eaa8dc76a1c40401088336e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6635332d246d7db89b90e145f2bf937406cecaf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68"
        }
      ],
      "title": "misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58078",
    "datePublished": "2025-03-06T16:13:41.909Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-05-04T10:09:29.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21711 (GCVE-0-2025-21711)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case.

References

►

URL

Tags

	https://git.kernel.org/stable/c/4bdd449977e2364a53d0b2a5427e71beb1cd702d
	https://git.kernel.org/stable/c/b8583b54455cbec2fc038fa32b6700890b369815
	https://git.kernel.org/stable/c/9bdee49ad6bbd26ab5e13cc6731e54fb1b6c1dca
	https://git.kernel.org/stable/c/352daa50946c3bbb662432e8daf54d6760796589
	https://git.kernel.org/stable/c/d08f4074f9c69f7e95502587eb1b258a965ba7f0
	https://git.kernel.org/stable/c/e5338930a29d0ab2a5af402f5f664aeba0d1a676
	https://git.kernel.org/stable/c/d640627663bfe7d8963c7615316d7d4ef60f3b0b

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4bdd449977e2364a53d0b2a5427e71beb1cd702d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b8583b54455cbec2fc038fa32b6700890b369815",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9bdee49ad6bbd26ab5e13cc6731e54fb1b6c1dca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "352daa50946c3bbb662432e8daf54d6760796589",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d08f4074f9c69f7e95502587eb1b258a965ba7f0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e5338930a29d0ab2a5af402f5f664aeba0d1a676",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d640627663bfe7d8963c7615316d7d4ef60f3b0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rose: prevent integer overflows in rose_setsockopt()\n\nIn case of possible unpredictably large arguments passed to\nrose_setsockopt() and multiplied by extra values on top of that,\ninteger overflows may occur.\n\nDo the safest minimum and fix these issues by checking the\ncontents of \u0027opt\u0027 and returning -EINVAL if they are too large. Also,\nswitch to unsigned int and remove useless check for negative \u0027opt\u0027\nin ROSE_IDLE case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:29.310Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4bdd449977e2364a53d0b2a5427e71beb1cd702d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8583b54455cbec2fc038fa32b6700890b369815"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bdee49ad6bbd26ab5e13cc6731e54fb1b6c1dca"
        },
        {
          "url": "https://git.kernel.org/stable/c/352daa50946c3bbb662432e8daf54d6760796589"
        },
        {
          "url": "https://git.kernel.org/stable/c/d08f4074f9c69f7e95502587eb1b258a965ba7f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5338930a29d0ab2a5af402f5f664aeba0d1a676"
        },
        {
          "url": "https://git.kernel.org/stable/c/d640627663bfe7d8963c7615316d7d4ef60f3b0b"
        }
      ],
      "title": "net/rose: prevent integer overflows in rose_setsockopt()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21711",
    "datePublished": "2025-02-27T02:07:23.746Z",
    "dateReserved": "2024-12-29T08:45:45.752Z",
    "dateUpdated": "2025-05-04T07:19:29.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21802 (GCVE-0-2025-21802)

Vulnerability from cvelistv5

Published

2025-02-27 20:00

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process.

References

►

URL

Tags

	https://git.kernel.org/stable/c/622d92a67656e5c4d2d6ccac02d688ed995418c6
	https://git.kernel.org/stable/c/8c640dd3d900cc8988a39c007591f1deee776df4
	https://git.kernel.org/stable/c/e876522659012ef2e73834a0b9f1cbe3f74d5fad
	https://git.kernel.org/stable/c/b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c
	https://git.kernel.org/stable/c/82736bb83fb0221319c85c2e9917d0189cd84e1e
	https://git.kernel.org/stable/c/cafe9a27e22736d4a01b3933e36225f9857c7988
	https://git.kernel.org/stable/c/92e5995773774a3e70257e9c95ea03518268bea5

Impacted products

Vendor

Product

Version

►

Linux

Version: d36b15e3e7b5937cb1f6ac590a85facc3a320642
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5
Version: b06ad258e01389ca3ff13bc180f3fcd6a608f1cd
Version: c4b64011e458aa2b246cd4e42012cfd83d2d9a5c
Version: 9b5a29f0acefa3eb1dbe2fa302b393eeff64d933

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hnae3.c",
            "drivers/net/ethernet/hisilicon/hns3/hnae3.h",
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "622d92a67656e5c4d2d6ccac02d688ed995418c6",
              "status": "affected",
              "version": "d36b15e3e7b5937cb1f6ac590a85facc3a320642",
              "versionType": "git"
            },
            {
              "lessThan": "8c640dd3d900cc8988a39c007591f1deee776df4",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "e876522659012ef2e73834a0b9f1cbe3f74d5fad",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "82736bb83fb0221319c85c2e9917d0189cd84e1e",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "cafe9a27e22736d4a01b3933e36225f9857c7988",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "92e5995773774a3e70257e9c95ea03518268bea5",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b06ad258e01389ca3ff13bc180f3fcd6a608f1cd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c4b64011e458aa2b246cd4e42012cfd83d2d9a5c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b5a29f0acefa3eb1dbe2fa302b393eeff64d933",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hnae3.c",
            "drivers/net/ethernet/hisilicon/hns3/hnae3.h",
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.214",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.156",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix oops when unload drivers paralleling\n\nWhen unload hclge driver, it tries to disable sriov first for each\nae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at\nthe time, because it removes all the ae_dev nodes, and it may cause\noops.\n\nBut we can\u0027t simply use hnae3_common_lock for this. Because in the\nprocess flow of pci_disable_sriov(), it will trigger the remove flow\nof VF, which will also take hnae3_common_lock.\n\nTo fixes it, introduce a new mutex to protect the unload process."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:33.466Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/622d92a67656e5c4d2d6ccac02d688ed995418c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c640dd3d900cc8988a39c007591f1deee776df4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e876522659012ef2e73834a0b9f1cbe3f74d5fad"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/82736bb83fb0221319c85c2e9917d0189cd84e1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cafe9a27e22736d4a01b3933e36225f9857c7988"
        },
        {
          "url": "https://git.kernel.org/stable/c/92e5995773774a3e70257e9c95ea03518268bea5"
        }
      ],
      "title": "net: hns3: fix oops when unload drivers paralleling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21802",
    "datePublished": "2025-02-27T20:00:56.292Z",
    "dateReserved": "2024-12-29T08:45:45.771Z",
    "dateUpdated": "2025-05-04T13:06:33.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21870 (GCVE-0-2025-21870)

Vulnerability from cvelistv5

Published

2025-03-27 13:38

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio. The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier

References

►

URL

Tags

	https://git.kernel.org/stable/c/87c8768a96092ce75cd47fe076db5080db7ac515
	https://git.kernel.org/stable/c/93c6c2e5801aab09ef1ef99f248f3cd323c3f152
	https://git.kernel.org/stable/c/6fd60136d256b3b948333ebdb3835f41a95ab7ef

Impacted products

Vendor

Product

Version

►

Linux

Version: a150345aa758492e05d2934f318ce7c2566b1cfe
Version: a150345aa758492e05d2934f318ce7c2566b1cfe
Version: a150345aa758492e05d2934f318ce7c2566b1cfe

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/ipc4-topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "87c8768a96092ce75cd47fe076db5080db7ac515",
              "status": "affected",
              "version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
              "versionType": "git"
            },
            {
              "lessThan": "93c6c2e5801aab09ef1ef99f248f3cd323c3f152",
              "status": "affected",
              "version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
              "versionType": "git"
            },
            {
              "lessThan": "6fd60136d256b3b948333ebdb3835f41a95ab7ef",
              "status": "affected",
              "version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/ipc4-topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers\n\nOther, non DAI copier widgets could have the same  stream name (sname) as\nthe ALH copier and in that case the copier-\u003edata is NULL, no alh_data is\nattached, which could lead to NULL pointer dereference.\nWe could check for this NULL pointer in sof_ipc4_prepare_copier_module()\nand avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()\nwill miscalculate the ALH device count, causing broken audio.\n\nThe correct fix is to harden the matching logic by making sure that the\n1. widget is a DAI widget - so dai = w-\u003eprivate is valid\n2. the dai (and thus the copier) is ALH copier"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:54.538Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/87c8768a96092ce75cd47fe076db5080db7ac515"
        },
        {
          "url": "https://git.kernel.org/stable/c/93c6c2e5801aab09ef1ef99f248f3cd323c3f152"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fd60136d256b3b948333ebdb3835f41a95ab7ef"
        }
      ],
      "title": "ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21870",
    "datePublished": "2025-03-27T13:38:22.849Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:54.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10041 (GCVE-0-2024-10041)

Vulnerability from cvelistv5

Published

2024-10-23 13:46

Modified

2025-07-29 09:27

Severity ?

4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-922 - Insecure Storage of Sensitive Information

Summary

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2024:10379	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:11250	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:9941	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-10041	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2319212	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

►

Version: 1.6.0 ≤

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:1.3.1-36.el8_10 < * cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.5.1-21.el9_5 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.5.1-21.el9_5 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:1.5.1-21.el9_4 < * cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/o:redhat:rhel_eus:9.4::baseos
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10041",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T14:35:15.520510Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-922",
                "description": "CWE-922 Insecure Storage of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T17:03:47.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/linux-pam/linux-pam",
          "defaultStatus": "unaffected",
          "packageName": "pam",
          "versions": [
            {
              "lessThan": "1.6.0",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.3.1-36.el8_10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.5.1-21.el9_5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.5.1-21.el9_5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.4::appstream",
            "cpe:/o:redhat:rhel_eus:9.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.5.1-21.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "pam",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-10-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T09:27:24.696Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:10379",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:10379"
        },
        {
          "name": "RHSA-2024:11250",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:11250"
        },
        {
          "name": "RHSA-2024:9941",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:9941"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-10041"
        },
        {
          "name": "RHBZ#2319212",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319212"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-16T15:08:30.331000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-10-18T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Pam: libpam: libpam vulnerable to read hashed password",
      "workarounds": [
        {
          "lang": "en",
          "value": "This vulnerability is mitigated if SELinux is in Enforcing mode.\n\nTo verify if SELinux is in Enforcing mode, the output of the `getenforce` command will return `Enforcing\u0027, see the example below:\n\n~~~\n$ getenforce\nEnforcing\n~~~\n\nTo more information about SELinux, specifically how to set it to Enforcing mode, see the links below.\n\nhttps://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-to-enforcing-mode_changing-selinux-states-and-modes\nhttps://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/using_selinux/index#changing-to-enforcing-mode_changing-selinux-states-and-modes"
        }
      ],
      "x_redhatCweChain": "CWE-922: Insecure Storage of Sensitive Information"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-10041",
    "datePublished": "2024-10-23T13:46:27.963Z",
    "dateReserved": "2024-10-16T16:13:54.632Z",
    "dateUpdated": "2025-07-29T09:27:24.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50185 (GCVE-0-2024-50185)

Vulnerability from cvelistv5

Published

2024-11-08 05:38

Modified

2025-05-04 09:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: handle consistently DSS corruption Bugged peer implementation can send corrupted DSS options, consistently hitting a few warning in the data path. Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type.

References

►

URL

Tags

	https://git.kernel.org/stable/c/fde99e972b8f88cebe619241d7aa43d288ef666a
	https://git.kernel.org/stable/c/12c1676d598e3b8dd92a033b623b792cc2ea1ec5
	https://git.kernel.org/stable/c/35668f8ec84f6c944676e48ecc6bbc5fc8e6fe25
	https://git.kernel.org/stable/c/b8be15d1ae7ea4eedd547c3b3141f592fbddcd30
	https://git.kernel.org/stable/c/8bfd391bde685df7289b928ce8876a3583be4bfb
	https://git.kernel.org/stable/c/e32d262c89e2b22cb0640223f953b548617ed8a6

Impacted products

Vendor

Product

Version

►

Linux

Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716
Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716
Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716
Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716
Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716
Version: 6771bfd9ee2460c13e38c0cd46a3afb5404ae716

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/mib.c",
            "net/mptcp/mib.h",
            "net/mptcp/protocol.c",
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fde99e972b8f88cebe619241d7aa43d288ef666a",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            },
            {
              "lessThan": "12c1676d598e3b8dd92a033b623b792cc2ea1ec5",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            },
            {
              "lessThan": "35668f8ec84f6c944676e48ecc6bbc5fc8e6fe25",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            },
            {
              "lessThan": "b8be15d1ae7ea4eedd547c3b3141f592fbddcd30",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            },
            {
              "lessThan": "8bfd391bde685df7289b928ce8876a3583be4bfb",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            },
            {
              "lessThan": "e32d262c89e2b22cb0640223f953b548617ed8a6",
              "status": "affected",
              "version": "6771bfd9ee2460c13e38c0cd46a3afb5404ae716",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/mib.c",
            "net/mptcp/mib.h",
            "net/mptcp/protocol.c",
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.228",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.169",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.228",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.169",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.57",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle consistently DSS corruption\n\nBugged peer implementation can send corrupted DSS options, consistently\nhitting a few warning in the data path. Use DEBUG_NET assertions, to\navoid the splat on some builds and handle consistently the error, dumping\nrelated MIBs and performing fallback and/or reset according to the\nsubflow type."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:48:10.729Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fde99e972b8f88cebe619241d7aa43d288ef666a"
        },
        {
          "url": "https://git.kernel.org/stable/c/12c1676d598e3b8dd92a033b623b792cc2ea1ec5"
        },
        {
          "url": "https://git.kernel.org/stable/c/35668f8ec84f6c944676e48ecc6bbc5fc8e6fe25"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8be15d1ae7ea4eedd547c3b3141f592fbddcd30"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bfd391bde685df7289b928ce8876a3583be4bfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e32d262c89e2b22cb0640223f953b548617ed8a6"
        }
      ],
      "title": "mptcp: handle consistently DSS corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50185",
    "datePublished": "2024-11-08T05:38:26.359Z",
    "dateReserved": "2024-10-21T19:36:19.966Z",
    "dateUpdated": "2025-05-04T09:48:10.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27219 (GCVE-0-2025-27219)

Vulnerability from cvelistv5

Published

2025-03-03 00:00

Modified

2025-03-04 16:41

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.

References

►

URL

Tags

	https://hackerone.com/reports/2936778
	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml

Impacted products

	Vendor	Product	Version
	ruby-lang	CGI	Version: 0 < 0.3.5.1 Version: 0.3.6 < 0.3.7 Version: 0.4.0 < 0.4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27219",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T16:41:05.727608Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T16:41:20.234Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CGI",
          "vendor": "ruby-lang",
          "versions": [
            {
              "lessThan": "0.3.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "0.3.7",
              "status": "affected",
              "version": "0.3.6",
              "versionType": "custom"
            },
            {
              "lessThan": "0.4.2",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.7",
                  "versionStartIncluding": "0.3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.4.2",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-03T23:38:00.413Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2936778"
        },
        {
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27219",
    "datePublished": "2025-03-03T00:00:00.000Z",
    "dateReserved": "2025-02-20T00:00:00.000Z",
    "dateUpdated": "2025-03-04T16:41:20.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12243 (GCVE-0-2024-12243)

Vulnerability from cvelistv5

Published

2025-02-10 15:28

Modified

2025-07-28 09:46

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-407 - Inefficient Algorithmic Complexity

Summary

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:4051	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7076	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8020	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8385	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-12243	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2344615	issue-tracking, x_refsource_REDHAT
	https://gitlab.com/gnutls/libtasn1/-/issues/52

Impacted products

Vendor

Product

Version

►

Version: 0   ≤ 3.6.16
Version: 3.7.0   ≤ 3.7.11
Version: 3.8.0   ≤

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:3.6.16-8.el8_10.3 < * cpe:/o:redhat:enterprise_linux:8::baseos cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:3.6.16-8.el8_10.3 < * cpe:/o:redhat:enterprise_linux:8::baseos cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-6.el9 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-6.el9 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:3.8.3-4.el9_4.2 < * cpe:/o:redhat:rhel_eus:9.4::baseos cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Discovery 1.14	Unaffected: sha256:ad1045aa0de937c3a6969ec377f7bfeda9a44ee434a954e8245e9840316ffc1c < * cpe:/a:redhat:discovery:1.14::el9
Red Hat	Red Hat Discovery 1.14	Unaffected: sha256:492e412759cf0eedfa5b557f7b0865f8864f84d0ed75e11dc8d7a840837d9644 < * cpe:/a:redhat:discovery:1.14::el9
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T16:25:20.087658Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T16:25:30.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-23T13:11:00.539Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250523-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.com/gnutls/gnutls/",
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "versions": [
            {
              "lessThanOrEqual": "3.6.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "3.7.11",
              "status": "affected",
              "version": "3.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.8.8",
              "status": "affected",
              "version": "3.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "3.8.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-8.el8_10.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-8.el8_10.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-6.el9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-6.el9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:9.4::baseos",
            "cpe:/a:redhat:rhel_eus:9.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-4.el9_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:1.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/discovery/discovery-server-rhel9",
          "product": "Red Hat Discovery 1.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:ad1045aa0de937c3a6969ec377f7bfeda9a44ee434a954e8245e9840316ffc1c",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:1.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/discovery/discovery-ui-rhel9",
          "product": "Red Hat Discovery 1.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:492e412759cf0eedfa5b557f7b0865f8864f84d0ed75e11dc8d7a840837d9644",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Bing Shi for reporting this issue."
        }
      ],
      "datePublic": "2025-02-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T09:46:18.881Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:4051",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4051"
        },
        {
          "name": "RHSA-2025:7076",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7076"
        },
        {
          "name": "RHSA-2025:8020",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8020"
        },
        {
          "name": "RHSA-2025:8385",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8385"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-12243"
        },
        {
          "name": "RHBZ#2344615",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344615"
        },
        {
          "url": "https://gitlab.com/gnutls/libtasn1/-/issues/52"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-10T08:33:56.422000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-10T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos",
      "x_redhatCweChain": "CWE-407: Inefficient Algorithmic Complexity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-12243",
    "datePublished": "2025-02-10T15:28:10.328Z",
    "dateReserved": "2024-12-05T14:26:25.188Z",
    "dateUpdated": "2025-07-28T09:46:18.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21727 (GCVE-0-2025-21727)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/

References

►

URL

Tags

	https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6
	https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079
	https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd
	https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de
	https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738
	https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781
	https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668

Impacted products

Vendor

Product

Version

►

Linux

Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:06.104597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:52.256Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
        },
        {
          "url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
        },
        {
          "url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
        }
      ],
      "title": "padata: fix UAF in padata_reorder",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21727",
    "datePublished": "2025-02-27T02:07:33.501Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T07:19:52.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21706 (GCVE-0-2025-21706)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before. That's what syzbot found, triggering the following warning: WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48 RSP: 0018:ffffc9000d307240 EFLAGS: 00010293 RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0 R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5fe8785d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29 RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007 RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000 ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb
	https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2
	https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1
	https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc
	https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6

Impacted products

Vendor

Product

Version

►

Linux

Version: 73c762c1f07dacba4fd1cefd15e24b419d42320d
Version: 73c762c1f07dacba4fd1cefd15e24b419d42320d
Version: 73c762c1f07dacba4fd1cefd15e24b419d42320d
Version: 73c762c1f07dacba4fd1cefd15e24b419d42320d
Version: 73c762c1f07dacba4fd1cefd15e24b419d42320d

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22b0734c9401a74ed4ebd9e8ef0da33e493852eb",
              "status": "affected",
              "version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
              "versionType": "git"
            },
            {
              "lessThan": "de3b8d41d2547452c4cafb146d003fa4689fbaf2",
              "status": "affected",
              "version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
              "versionType": "git"
            },
            {
              "lessThan": "8ac344cbd84fda75e05e1f445f7f8fb24dc175e1",
              "status": "affected",
              "version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
              "versionType": "git"
            },
            {
              "lessThan": "9e3d61620a3cd033319553b980ff3a350adbe1bc",
              "status": "affected",
              "version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
              "versionType": "git"
            },
            {
              "lessThan": "1bb0d1348546ad059f55c93def34e67cb2a034a6",
              "status": "affected",
              "version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the \u0027fullmesh\u0027\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n\u0027subflow\u0027 endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed \u0027implicit\u0027 endpoints to get the \u0027fullmesh\u0027 flag while it is not\nallowed before.\n\nThat\u0027s what syzbot found, triggering the following warning:\n\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 \u003c0f\u003e 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n  RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n  RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n  R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n  R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n  FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n   netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5fe8785d29\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n  RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n  RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:23.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6"
        }
      ],
      "title": "mptcp: pm: only set fullmesh for subflow endp",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21706",
    "datePublished": "2025-02-27T02:07:20.458Z",
    "dateReserved": "2024-12-29T08:45:45.751Z",
    "dateUpdated": "2025-05-04T07:19:23.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57900 (GCVE-0-2024-57900)

Vulnerability from cvelistv5

Published

2025-01-15 13:05

Modified

2025-05-04 10:06

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). [1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049

References

►

URL

Tags

	https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190
	https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137
	https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e
	https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca
	https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553
	https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460
	https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e

Impacted products

Vendor

Product

Version

►

Linux

Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd

Linux

Version: 4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:56:44.602768Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:04:27.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1638f430f8900f2375f5de45508fbe553997e190",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "d3017895e393536b234cf80a83fc463c08a28137",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "ad0677c37c14fa28913daea92d139644d7acf04e",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "17e8fa894345e8d2c7a7642482267b275c3d4553",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "3d1b63cf468e446b9feaf4e4e73182b9cc82f460",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "260466b576bca0081a7d4acecc8e93687aa22d0e",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: serialize calls to nf_register_net_hooks()\n\nsyzbot found a race in ila_add_mapping() [1]\n\ncommit 031ae72825ce (\"ila: call nf_unregister_net_hooks() sooner\")\nattempted to fix a similar issue.\n\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\n\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\n\n[1]\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\n\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xc3/0x620 mm/kasan/report.c:489\n  kasan_report+0xd9/0x110 mm/kasan/report.c:602\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\n  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\n  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\n  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\n  process_backlog+0x443/0x15f0 net/core/dev.c:6117\n  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\n  napi_poll net/core/dev.c:6952 [inline]\n  net_rx_action+0xa94/0x1010 net/core/dev.c:7074\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:12.424Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca"
        },
        {
          "url": "https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460"
        },
        {
          "url": "https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e"
        }
      ],
      "title": "ila: serialize calls to nf_register_net_hooks()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57900",
    "datePublished": "2025-01-15T13:05:51.798Z",
    "dateReserved": "2025-01-11T14:45:42.030Z",
    "dateUpdated": "2025-05-04T10:06:12.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27113 (GCVE-0-2025-27113)

Vulnerability from cvelistv5

Published

2025-02-18 00:00

Modified

2025-03-07 00:10

Severity ?

2.9 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-476 - NULL Pointer Dereference

Summary

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxml2/-/issues/861

Impacted products

	Vendor	Product	Version
	xmlsoft	libxml2	Version: 0 ≤ Version: 2.13.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27113",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-19T15:33:43.940899Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T15:34:14.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-07T00:10:52.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250306-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.12.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.13.6",
              "status": "affected",
              "version": "2.13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.6",
                  "versionStartIncluding": "2.13.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T22:29:44.033Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27113",
    "datePublished": "2025-02-18T00:00:00.000Z",
    "dateReserved": "2025-02-18T00:00:00.000Z",
    "dateUpdated": "2025-03-07T00:10:52.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1795 (GCVE-0-2025-1795)

Vulnerability from cvelistv5

Published

2025-02-28 18:59

Modified

2025-02-28 20:32

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.

References

►

URL

Tags

	https://github.com/python/cpython/issues/100884	issue-tracking
	https://github.com/python/cpython/pull/100885	patch
	https://github.com/python/cpython/pull/119099	patch
	https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48	patch
	https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593	patch
	https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74	patch
	https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/	vendor-advisory

Impacted products

	Vendor	Product	Version
	Python Software Foundation	CPython	Version: 0 Version: 3.12.0 Version: 3.13.0a1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-28T20:30:47.670593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-116",
                "description": "CWE-116 Improper Encoding or Escaping of Output",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-28T20:32:56.849Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "email"
          ],
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.11.9",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            },
            {
              "lessThan": "3.12.3",
              "status": "affected",
              "version": "3.12.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.13.0a5",
              "status": "affected",
              "version": "3.13.0a1",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers."
            }
          ],
          "value": "During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-28T19:16:32.270Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/100884"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/100885"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/119099"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mishandling of comma during folding and unicode-encoding of email headers",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2025-1795",
    "datePublished": "2025-02-28T18:59:31.784Z",
    "dateReserved": "2025-02-28T18:49:37.957Z",
    "dateUpdated": "2025-02-28T20:32:56.849Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21848 (GCVE-0-2025-21848)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference.

References

►

URL

Tags

	https://git.kernel.org/stable/c/d64c6ca420019712e194fe095b55f87363e22a9a
	https://git.kernel.org/stable/c/e976ea6c5e1b005c64467cbf94a8577aae9c7d81
	https://git.kernel.org/stable/c/924b239f9704566e0d86abd894d2d64bd73c11eb
	https://git.kernel.org/stable/c/1358d8e07afdf21d49ca6f00c56048442977e00a
	https://git.kernel.org/stable/c/29ccb1e4040da6ff02b7e64efaa2f8e6bf06020d
	https://git.kernel.org/stable/c/897c32cd763fd11d0b6ed024c52f44d2475bb820
	https://git.kernel.org/stable/c/bd97f60750bb581f07051f98e31dfda59d3a783b
	https://git.kernel.org/stable/c/878e7b11736e062514e58f3b445ff343e6705537

Impacted products

Vendor

Product

Version

►

Linux

Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c

Linux

Version: 4.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/netronome/nfp/bpf/cmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d64c6ca420019712e194fe095b55f87363e22a9a",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "e976ea6c5e1b005c64467cbf94a8577aae9c7d81",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "924b239f9704566e0d86abd894d2d64bd73c11eb",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "1358d8e07afdf21d49ca6f00c56048442977e00a",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "29ccb1e4040da6ff02b7e64efaa2f8e6bf06020d",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "897c32cd763fd11d0b6ed024c52f44d2475bb820",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "bd97f60750bb581f07051f98e31dfda59d3a783b",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            },
            {
              "lessThan": "878e7b11736e062514e58f3b445ff343e6705537",
              "status": "affected",
              "version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/netronome/nfp/bpf/cmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: bpf: Add check for nfp_app_ctrl_msg_alloc()\n\nAdd check for the return value of nfp_app_ctrl_msg_alloc() in\nnfp_bpf_cmsg_alloc() to prevent null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:28.992Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d64c6ca420019712e194fe095b55f87363e22a9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e976ea6c5e1b005c64467cbf94a8577aae9c7d81"
        },
        {
          "url": "https://git.kernel.org/stable/c/924b239f9704566e0d86abd894d2d64bd73c11eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/1358d8e07afdf21d49ca6f00c56048442977e00a"
        },
        {
          "url": "https://git.kernel.org/stable/c/29ccb1e4040da6ff02b7e64efaa2f8e6bf06020d"
        },
        {
          "url": "https://git.kernel.org/stable/c/897c32cd763fd11d0b6ed024c52f44d2475bb820"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd97f60750bb581f07051f98e31dfda59d3a783b"
        },
        {
          "url": "https://git.kernel.org/stable/c/878e7b11736e062514e58f3b445ff343e6705537"
        }
      ],
      "title": "nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21848",
    "datePublished": "2025-03-12T09:42:04.263Z",
    "dateReserved": "2024-12-29T08:45:45.779Z",
    "dateUpdated": "2025-05-04T07:22:28.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21754 (GCVE-0-2025-21754)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion failure when splitting ordered extent after transaction abort If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at btrfs_destroy_ordered_extents()), and then after that if we enter btrfs_split_ordered_extent() and the ordered extent has bytes left (meaning we have a bio that doesn't cover the whole ordered extent, see details at btrfs_extract_ordered_extent()), we will fail on the following assertion at btrfs_split_ordered_extent(): ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS)); because the BTRFS_ORDERED_IOERR flag is set and the definition of BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the type of write (regular, nocow, prealloc, compressed, direct IO, encoded). Fix this by returning an error from btrfs_extract_ordered_extent() if we find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will be the error that resulted in the transaction abort or -EIO if no transaction abort happened. This was recently reported by syzbot with the following trace: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 fail_dump lib/fault-inject.c:53 [inline] should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154 should_failslab+0xac/0x100 mm/failslab.c:46 slab_pre_alloc_hook mm/slub.c:4072 [inline] slab_alloc_node mm/slub.c:4148 [inline] __do_kmalloc_node mm/slub.c:4297 [inline] __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742 reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292 check_system_chunk fs/btrfs/block-group.c:4319 [inline] do_chunk_alloc fs/btrfs/block-group.c:3891 [inline] btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187 find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline] find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579 btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672 btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline] btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321 btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525 iomap_iter+0x697/0xf60 fs/iomap/iter.c:90 __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702 btrfs_dio_write fs/btrfs/direct-io.c:775 [inline] btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880 btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_pwritev fs/read_write.c:1146 [inline] __do_sys_pwritev2 fs/read_write.c:1204 [inline] __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1281f85d29 RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29 RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003 R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002 R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328 </TASK> BTRFS error (device loop0 state A): Transaction aborted (error -12) BTRFS: error (device loop0 state A ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/927b930f117bbae730a853c1dc43da8afe8380fa
	https://git.kernel.org/stable/c/0ff88c2a742a7cbaa4d08507d864737d099b435a
	https://git.kernel.org/stable/c/8ea8db4216d1029527ab4666f730650419451e32
	https://git.kernel.org/stable/c/0d85f5c2dd91df6b5da454406756f463ba923b69

Impacted products

Vendor

Product

Version

►

Linux

Version: 52b1fdca23ac0fbcad363a1a5b426bf0d56b715a
Version: 52b1fdca23ac0fbcad363a1a5b426bf0d56b715a
Version: 52b1fdca23ac0fbcad363a1a5b426bf0d56b715a
Version: 52b1fdca23ac0fbcad363a1a5b426bf0d56b715a

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ordered-data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "927b930f117bbae730a853c1dc43da8afe8380fa",
              "status": "affected",
              "version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
              "versionType": "git"
            },
            {
              "lessThan": "0ff88c2a742a7cbaa4d08507d864737d099b435a",
              "status": "affected",
              "version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
              "versionType": "git"
            },
            {
              "lessThan": "8ea8db4216d1029527ab4666f730650419451e32",
              "status": "affected",
              "version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
              "versionType": "git"
            },
            {
              "lessThan": "0d85f5c2dd91df6b5da454406756f463ba923b69",
              "status": "affected",
              "version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ordered-data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion failure when splitting ordered extent after transaction abort\n\nIf while we are doing a direct IO write a transaction abort happens, we\nmark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done\nat btrfs_destroy_ordered_extents()), and then after that if we enter\nbtrfs_split_ordered_extent() and the ordered extent has bytes left\n(meaning we have a bio that doesn\u0027t cover the whole ordered extent, see\ndetails at btrfs_extract_ordered_extent()), we will fail on the following\nassertion at btrfs_split_ordered_extent():\n\n   ASSERT(!(flags \u0026 ~BTRFS_ORDERED_TYPE_FLAGS));\n\nbecause the BTRFS_ORDERED_IOERR flag is set and the definition of\nBTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the\ntype of write (regular, nocow, prealloc, compressed, direct IO, encoded).\n\nFix this by returning an error from btrfs_extract_ordered_extent() if we\nfind the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will\nbe the error that resulted in the transaction abort or -EIO if no\ntransaction abort happened.\n\nThis was recently reported by syzbot with the following trace:\n\n   FAULT_INJECTION: forcing a failure.\n   name failslab, interval 1, probability 0, space 0, times 1\n   CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Call Trace:\n    \u003cTASK\u003e\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    fail_dump lib/fault-inject.c:53 [inline]\n    should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154\n    should_failslab+0xac/0x100 mm/failslab.c:46\n    slab_pre_alloc_hook mm/slub.c:4072 [inline]\n    slab_alloc_node mm/slub.c:4148 [inline]\n    __do_kmalloc_node mm/slub.c:4297 [inline]\n    __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310\n    kmalloc_noprof include/linux/slab.h:905 [inline]\n    kzalloc_noprof include/linux/slab.h:1037 [inline]\n    btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742\n    reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292\n    check_system_chunk fs/btrfs/block-group.c:4319 [inline]\n    do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]\n    btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187\n    find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]\n    find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579\n    btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672\n    btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]\n    btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321\n    btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525\n    iomap_iter+0x697/0xf60 fs/iomap/iter.c:90\n    __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702\n    btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]\n    btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880\n    btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397\n    do_iter_readv_writev+0x600/0x880\n    vfs_writev+0x376/0xba0 fs/read_write.c:1050\n    do_pwritev fs/read_write.c:1146 [inline]\n    __do_sys_pwritev2 fs/read_write.c:1204 [inline]\n    __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   RIP: 0033:0x7f1281f85d29\n   RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148\n   RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29\n   RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005\n   RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003\n   R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002\n   R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328\n    \u003c/TASK\u003e\n   BTRFS error (device loop0 state A): Transaction aborted (error -12)\n   BTRFS: error (device loop0 state A\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:27.815Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/927b930f117bbae730a853c1dc43da8afe8380fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ff88c2a742a7cbaa4d08507d864737d099b435a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ea8db4216d1029527ab4666f730650419451e32"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d85f5c2dd91df6b5da454406756f463ba923b69"
        }
      ],
      "title": "btrfs: fix assertion failure when splitting ordered extent after transaction abort",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21754",
    "datePublished": "2025-02-27T02:12:23.738Z",
    "dateReserved": "2024-12-29T08:45:45.760Z",
    "dateUpdated": "2025-05-04T07:20:27.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-47268 (GCVE-0-2025-47268)

Vulnerability from cvelistv5

Published

2025-05-05 00:00

Modified

2025-07-23 15:11

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-190 - Integer Overflow or Wraparound

Summary

ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.

References

►

URL

Tags

	https://github.com/iputils/iputils/issues/584
	https://github.com/Zephkek/ping-rtt-overflow/
	https://bugzilla.suse.com/show_bug.cgi?id=1242300
	https://github.com/iputils/iputils/pull/585
	https://github.com/iputils/iputils/releases/tag/20250602

Impacted products

	Vendor	Product	Version
	iputils	iputils	Version: 0 < 20250602

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47268",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T13:24:34.246742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T13:24:37.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Zephkek/ping-rtt-overflow/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iputils",
          "vendor": "iputils",
          "versions": [
            {
              "lessThan": "20250602",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:iputils:iputils:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "20250602",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-23T15:11:08.132Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/iputils/iputils/issues/584"
        },
        {
          "url": "https://github.com/Zephkek/ping-rtt-overflow/"
        },
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1242300"
        },
        {
          "url": "https://github.com/iputils/iputils/pull/585"
        },
        {
          "url": "https://github.com/iputils/iputils/releases/tag/20250602"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-47268",
    "datePublished": "2025-05-05T00:00:00.000Z",
    "dateReserved": "2025-05-05T00:00:00.000Z",
    "dateUpdated": "2025-07-23T15:11:08.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-46316 (GCVE-0-2023-46316)

Vulnerability from cvelistv5

Published

2023-10-24 00:00

Modified

2024-08-02 20:45

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

n/a

Summary

In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.

References

►

URL

Tags

	https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/
	https://security-tracker.debian.org/tracker/CVE-2023-46316
	http://packetstormsecurity.com/files/176660/Traceroute-2.1.2-Privilege-Escalation.html

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:buc:traceroute:*:*:*:*:*:linux:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "traceroute",
            "vendor": "buc",
            "versions": [
              {
                "status": "affected",
                "version": "2.0.12"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-46316",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-22T17:55:09.562701Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-234",
                "description": "CWE-234 Failure to Handle Missing Parameter",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:22:11.063Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:45:41.288Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/CVE-2023-46316"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/176660/Traceroute-2.1.2-Privilege-Escalation.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-22T17:06:25.305605",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2023-46316"
        },
        {
          "url": "http://packetstormsecurity.com/files/176660/Traceroute-2.1.2-Privilege-Escalation.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-46316",
    "datePublished": "2023-10-24T00:00:00",
    "dateReserved": "2023-10-22T00:00:00",
    "dateUpdated": "2024-08-02T20:45:41.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21773 (GCVE-0-2025-21773)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: fix potential NULL pointer dereference on udev->serial The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference. Add a check on es58x_dev->udev->serial before accessing it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1590667a60753ee5a54871f2840ceefd4a7831fa
	https://git.kernel.org/stable/c/722e8e1219c8b6ac2865011fe339315d6a8d0721
	https://git.kernel.org/stable/c/5059ea98d7bc133903d3e47ab36df6ed11d0c95f
	https://git.kernel.org/stable/c/a1ad2109ce41c9e3912dadd07ad8a9c640064ffb

Impacted products

Vendor

Product

Version

►

Linux

Version: 9f06631c3f1f0f298536443df85a6837ba4c5f5c
Version: 9f06631c3f1f0f298536443df85a6837ba4c5f5c
Version: 9f06631c3f1f0f298536443df85a6837ba4c5f5c
Version: 9f06631c3f1f0f298536443df85a6837ba4c5f5c

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/etas_es58x/es58x_devlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1590667a60753ee5a54871f2840ceefd4a7831fa",
              "status": "affected",
              "version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
              "versionType": "git"
            },
            {
              "lessThan": "722e8e1219c8b6ac2865011fe339315d6a8d0721",
              "status": "affected",
              "version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
              "versionType": "git"
            },
            {
              "lessThan": "5059ea98d7bc133903d3e47ab36df6ed11d0c95f",
              "status": "affected",
              "version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
              "versionType": "git"
            },
            {
              "lessThan": "a1ad2109ce41c9e3912dadd07ad8a9c640064ffb",
              "status": "affected",
              "version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/etas_es58x/es58x_devlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: fix potential NULL pointer dereference on udev-\u003eserial\n\nThe driver assumed that es58x_dev-\u003eudev-\u003eserial could never be NULL.\nWhile this is true on commercially available devices, an attacker\ncould spoof the device identity providing a NULL USB serial number.\nThat would trigger a NULL pointer dereference.\n\nAdd a check on es58x_dev-\u003eudev-\u003eserial before accessing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:48.039Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1590667a60753ee5a54871f2840ceefd4a7831fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/722e8e1219c8b6ac2865011fe339315d6a8d0721"
        },
        {
          "url": "https://git.kernel.org/stable/c/5059ea98d7bc133903d3e47ab36df6ed11d0c95f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1ad2109ce41c9e3912dadd07ad8a9c640064ffb"
        }
      ],
      "title": "can: etas_es58x: fix potential NULL pointer dereference on udev-\u003eserial",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21773",
    "datePublished": "2025-02-27T02:18:20.013Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-05-04T07:20:48.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56719 (GCVE-0-2024-56719)

Vulnerability from cvelistv5

Published

2024-12-29 08:48

Modified

2025-05-04 13:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/

References

►

URL

Tags

	https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286
	https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2
	https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e

Impacted products

Vendor

Product

Version

►

Linux

Version: 07c9c26e37542486e34d767505e842f48f29c3f6
Version: 66600fac7a984dea4ae095411f644770b2561ede
Version: 66600fac7a984dea4ae095411f644770b2561ede
Version: ece593fc9c00741b682869d3f3dc584d37b7c9df
Version: a3ff23f7c3f0e13f718900803e090fd3997d6bc9
Version: 58d23d835eb498336716cca55b5714191a309286

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db3667c9bbfbbf5de98e6c9542f7e03fb5243286",
              "status": "affected",
              "version": "07c9c26e37542486e34d767505e842f48f29c3f6",
              "versionType": "git"
            },
            {
              "lessThan": "9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2",
              "status": "affected",
              "version": "66600fac7a984dea4ae095411f644770b2561ede",
              "versionType": "git"
            },
            {
              "lessThan": "4c49f38e20a57f8abaebdf95b369295b153d1f8e",
              "status": "affected",
              "version": "66600fac7a984dea4ae095411f644770b2561ede",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "58d23d835eb498336716cca55b5714191a309286",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "6.6.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.171",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.116",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]\u0027s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv-\u003edma_cap.addr64 \u003e 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:18.123Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e"
        }
      ],
      "title": "net: stmmac: fix TSO DMA API usage causing oops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56719",
    "datePublished": "2024-12-29T08:48:51.495Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-05-04T13:01:18.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21799 (GCVE-0-2025-21799)

Vulnerability from cvelistv5

Published

2025-02-27 20:00

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid. There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value. Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning. The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns().

References

►

URL

Tags

	https://git.kernel.org/stable/c/321990fdf4f1bb64e818c7140688bf33d129e48d
	https://git.kernel.org/stable/c/ed8c0300f302338c36edb06bca99051e5be6fb2f
	https://git.kernel.org/stable/c/aea5cca681d268f794fa2385f9ec26a5cce025cd
	https://git.kernel.org/stable/c/88fd5db8c0073bd91d18391feb5741aeb0a2b475
	https://git.kernel.org/stable/c/8448c87b3af68bebca21e3136913f7f77e363515
	https://git.kernel.org/stable/c/8aae91ae1c65782a169ec070e023d4d269e5d6e6
	https://git.kernel.org/stable/c/4395a44acb15850e492dd1de9ec4b6479d96bc80

Impacted products

Vendor

Product

Version

►

Linux

Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100
Version: 93a76530316a3d8cc2d82c3deca48424fee92100

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ti/am65-cpsw-nuss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "321990fdf4f1bb64e818c7140688bf33d129e48d",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "ed8c0300f302338c36edb06bca99051e5be6fb2f",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "aea5cca681d268f794fa2385f9ec26a5cce025cd",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "88fd5db8c0073bd91d18391feb5741aeb0a2b475",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "8448c87b3af68bebca21e3136913f7f77e363515",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "8aae91ae1c65782a169ec070e023d4d269e5d6e6",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            },
            {
              "lessThan": "4395a44acb15850e492dd1de9ec4b6479d96bc80",
              "status": "affected",
              "version": "93a76530316a3d8cc2d82c3deca48424fee92100",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ti/am65-cpsw-nuss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()\n\nWhen getting the IRQ we use k3_udma_glue_tx_get_irq() which returns\nnegative error value on error. So not NULL check is not sufficient\nto deteremine if IRQ is valid. Check that IRQ is greater then zero\nto ensure it is valid.\n\nThere is no issue at probe time but at runtime user can invoke\n.set_channels which results in the following call chain.\nam65_cpsw_set_channels()\n am65_cpsw_nuss_update_tx_rx_chns()\n  am65_cpsw_nuss_remove_tx_chns()\n  am65_cpsw_nuss_init_tx_chns()\n\nAt this point if am65_cpsw_nuss_init_tx_chns() fails due to\nk3_udma_glue_tx_get_irq() then tx_chn-\u003eirq will be set to a\nnegative value.\n\nThen, at subsequent .set_channels with higher channel count we\nwill attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()\nleading to a kernel warning.\n\nThe issue is present in the original commit that introduced this driver,\nalthough there, am65_cpsw_nuss_update_tx_rx_chns() existed as\nam65_cpsw_nuss_update_tx_chns()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:28.563Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/321990fdf4f1bb64e818c7140688bf33d129e48d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed8c0300f302338c36edb06bca99051e5be6fb2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/aea5cca681d268f794fa2385f9ec26a5cce025cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/88fd5db8c0073bd91d18391feb5741aeb0a2b475"
        },
        {
          "url": "https://git.kernel.org/stable/c/8448c87b3af68bebca21e3136913f7f77e363515"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aae91ae1c65782a169ec070e023d4d269e5d6e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4395a44acb15850e492dd1de9ec4b6479d96bc80"
        }
      ],
      "title": "net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21799",
    "datePublished": "2025-02-27T20:00:54.223Z",
    "dateReserved": "2024-12-29T08:45:45.770Z",
    "dateUpdated": "2025-05-04T07:21:28.563Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41077 (GCVE-0-2024-41077)

Vulnerability from cvelistv5

Published

2024-07-29 14:57

Modified

2025-05-04 09:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: null_blk: fix validation of block size Block size should be between 512 and PAGE_SIZE and be a power of 2. The current check does not validate this, so update the check. Without this patch, null_blk would Oops due to a null pointer deref when loaded with bs=1536 [1]. [axboe: remove unnecessary braces and != 0 check]

References

►

URL

Tags

	https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1
	https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0
	https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e
	https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7
	https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3
	https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.417Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41077",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:21:17.956039Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:59.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/null_blk/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9625afe1dd4a158a14bb50f81af9e2dac634c0b1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9b873bdaae64bddade9d8c6df23c8a31948d47d0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2772ed2fc075eef7df3789906fc9dae01e4e132e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "08f03186b96e25e3154916a2e70732557c770ea7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f92409a9da02f27d05d713bff5f865e386cef9b3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c462ecd659b5fce731f1d592285832fd6ad54053",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/null_blk/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.223",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.164",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.101",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.42",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:21:34.218Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e"
        },
        {
          "url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053"
        }
      ],
      "title": "null_blk: fix validation of block size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41077",
    "datePublished": "2024-07-29T14:57:36.680Z",
    "dateReserved": "2024-07-12T12:17:45.632Z",
    "dateUpdated": "2025-05-04T09:21:34.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58054 (GCVE-0-2024-58054)

Vulnerability from cvelistv5

Published

2025-03-06 15:53

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: media: max96712: fix kernel oops when removing module The following kernel oops is thrown when trying to remove the max96712 module: Unable to handle kernel paging request at virtual address 00007375746174db Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000 [00007375746174db] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2 imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse [last unloaded: imx8_isi] CPU: 0 UID: 0 PID: 754 Comm: rmmod Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17 Tainted: [C]=CRAP Hardware name: NXP i.MX95 19X19 board (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : led_put+0x1c/0x40 lr : v4l2_subdev_put_privacy_led+0x48/0x58 sp : ffff80008699bbb0 x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8 x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000 x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1 x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473 Call trace: led_put+0x1c/0x40 v4l2_subdev_put_privacy_led+0x48/0x58 v4l2_async_unregister_subdev+0x2c/0x1a4 max96712_remove+0x1c/0x38 [max96712] i2c_device_remove+0x2c/0x9c device_remove+0x4c/0x80 device_release_driver_internal+0x1cc/0x228 driver_detach+0x4c/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 i2c_del_driver+0x54/0x64 max96712_i2c_driver_exit+0x18/0x1d0 [max96712] __arm64_sys_delete_module+0x1a4/0x290 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xd8 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400) ---[ end trace 0000000000000000 ]--- This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata() is called again and the data is overwritten to point to sd, instead of priv. So, in remove(), the wrong pointer is passed to v4l2_async_unregister_subdev(), leading to a crash.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3311c5395e7322298b659b8addc704b39fb3a59c
	https://git.kernel.org/stable/c/dfde3d63afbaae664c4d36e53cfb4045d5374561
	https://git.kernel.org/stable/c/278a98f6d8a7bbe1110433b057333536e4490edf
	https://git.kernel.org/stable/c/1556b9149b81cc549c13f5e56e81e89404d8a666
	https://git.kernel.org/stable/c/ee1b5046d5cd892a0754ab982aeaaad3702083a5

Impacted products

Vendor

Product

Version

►

Linux

Version: 5814f32fef137e34577c4f053272c53e7ca33cd9
Version: 5814f32fef137e34577c4f053272c53e7ca33cd9
Version: 5814f32fef137e34577c4f053272c53e7ca33cd9
Version: 5814f32fef137e34577c4f053272c53e7ca33cd9
Version: 5814f32fef137e34577c4f053272c53e7ca33cd9

Linux

Version: 5.17

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/max96712/max96712.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3311c5395e7322298b659b8addc704b39fb3a59c",
              "status": "affected",
              "version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
              "versionType": "git"
            },
            {
              "lessThan": "dfde3d63afbaae664c4d36e53cfb4045d5374561",
              "status": "affected",
              "version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
              "versionType": "git"
            },
            {
              "lessThan": "278a98f6d8a7bbe1110433b057333536e4490edf",
              "status": "affected",
              "version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
              "versionType": "git"
            },
            {
              "lessThan": "1556b9149b81cc549c13f5e56e81e89404d8a666",
              "status": "affected",
              "version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
              "versionType": "git"
            },
            {
              "lessThan": "ee1b5046d5cd892a0754ab982aeaaad3702083a5",
              "status": "affected",
              "version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/max96712/max96712.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: max96712: fix kernel oops when removing module\n\nThe following kernel oops is thrown when trying to remove the max96712\nmodule:\n\nUnable to handle kernel paging request at virtual address 00007375746174db\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000\n[00007375746174db] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan\n    snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2\n    imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev\n    snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils\n    max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse\n    [last unloaded: imx8_isi]\nCPU: 0 UID: 0 PID: 754 Comm: rmmod\n\t    Tainted: G         C    6.12.0-rc6-06364-g327fec852c31 #17\nTainted: [C]=CRAP\nHardware name: NXP i.MX95 19X19 board (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : led_put+0x1c/0x40\nlr : v4l2_subdev_put_privacy_led+0x48/0x58\nsp : ffff80008699bbb0\nx29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8\nx20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000\nx11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1\nx2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473\nCall trace:\n led_put+0x1c/0x40\n v4l2_subdev_put_privacy_led+0x48/0x58\n v4l2_async_unregister_subdev+0x2c/0x1a4\n max96712_remove+0x1c/0x38 [max96712]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x4c/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n max96712_i2c_driver_exit+0x18/0x1d0 [max96712]\n __arm64_sys_delete_module+0x1a4/0x290\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xd8\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x190/0x194\nCode: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)\n---[ end trace 0000000000000000 ]---\n\nThis happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()\nis called again and the data is overwritten to point to sd, instead of\npriv. So, in remove(), the wrong pointer is passed to\nv4l2_async_unregister_subdev(), leading to a crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:48.431Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3311c5395e7322298b659b8addc704b39fb3a59c"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfde3d63afbaae664c4d36e53cfb4045d5374561"
        },
        {
          "url": "https://git.kernel.org/stable/c/278a98f6d8a7bbe1110433b057333536e4490edf"
        },
        {
          "url": "https://git.kernel.org/stable/c/1556b9149b81cc549c13f5e56e81e89404d8a666"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee1b5046d5cd892a0754ab982aeaaad3702083a5"
        }
      ],
      "title": "staging: media: max96712: fix kernel oops when removing module",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58054",
    "datePublished": "2025-03-06T15:53:58.243Z",
    "dateReserved": "2025-03-06T15:52:09.178Z",
    "dateUpdated": "2025-05-04T10:08:48.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21673 (GCVE-0-2025-21673)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a
	https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a
	https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e

Impacted products

Vendor

Product

Version

►

Linux

Version: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541
Version: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541
Version: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541
Version: 49f933bb3016269dc50074eac5f6033d127644f1
Version: 1c35a216ef77db708178ca225d796271f2f60a7a

Linux

Version: 5.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ea68070338518a1d31ce71e6abfe1b30001b27a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "fa2f9906a7b333ba757a7dbae0713d8a5396186e",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "49f933bb3016269dc50074eac5f6033d127644f1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1c35a216ef77db708178ca225d796271f2f60a7a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double free of TCP_Server_Info::hostname\n\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\nmight be reconnecting to multiple DFS targets before it realizes it\nshould exit the loop, so @server-\u003ehostname can\u0027t be freed as long as\ncifsd thread isn\u0027t done.  Otherwise the following can happen:\n\n  RIP: 0010:__slab_free+0x223/0x3c0\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u003c0f\u003e\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\n  000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   ? __die_body.cold+0x8/0xd\n   ? die+0x2b/0x50\n   ? do_trap+0xce/0x120\n   ? __slab_free+0x223/0x3c0\n   ? do_error_trap+0x65/0x80\n   ? __slab_free+0x223/0x3c0\n   ? exc_invalid_op+0x4e/0x70\n   ? __slab_free+0x223/0x3c0\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __slab_free+0x223/0x3c0\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? __kmalloc+0x4b/0x140\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   reconnect_dfs_server+0x145/0x430 [cifs]\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n   kthread+0xdd/0x100\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x29/0x50\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:14.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e"
        }
      ],
      "title": "smb: client: fix double free of TCP_Server_Info::hostname",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21673",
    "datePublished": "2025-01-31T11:25:35.922Z",
    "dateReserved": "2024-12-29T08:45:45.736Z",
    "dateUpdated": "2025-05-04T13:06:14.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21714 (GCVE-0-2025-21714)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP use after free Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr. Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and trace below. refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130 Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs] CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib] RIP: 0010:refcount_warn_saturate+0x12b/0x130 Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0 RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019 R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00 R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0 FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0x12b/0x130 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib] process_one_work+0x1cc/0x3c0 worker_thread+0x218/0x3c0 kthread+0xc6/0xf0 ret_from_fork+0x1f/0x30 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/7cc8f681f6d4ae4478ae0f60485fc768f2b450da
	https://git.kernel.org/stable/c/edfb65dbb9ffd3102f3ff4dd21316158e56f1976
	https://git.kernel.org/stable/c/d3d930411ce390e532470194296658a960887773

Impacted products

Vendor

Product

Version

►

Linux

Version: 5256edcb98a14b11409a2d323f56a70a8b366363
Version: 5256edcb98a14b11409a2d323f56a70a8b366363
Version: 5256edcb98a14b11409a2d323f56a70a8b366363

Linux

Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:41.666348Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:30.244Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cc8f681f6d4ae4478ae0f60485fc768f2b450da",
              "status": "affected",
              "version": "5256edcb98a14b11409a2d323f56a70a8b366363",
              "versionType": "git"
            },
            {
              "lessThan": "edfb65dbb9ffd3102f3ff4dd21316158e56f1976",
              "status": "affected",
              "version": "5256edcb98a14b11409a2d323f56a70a8b366363",
              "versionType": "git"
            },
            {
              "lessThan": "d3d930411ce390e532470194296658a960887773",
              "status": "affected",
              "version": "5256edcb98a14b11409a2d323f56a70a8b366363",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP use after free\n\nPrevent double queueing of implicit ODP mr destroy work by using\n__xa_cmpxchg() to make sure this is the only time we are destroying this\nspecific mr.\n\nWithout this change, we could try to invalidate this mr twice, which in\nturn could result in queuing a MR work destroy twice, and eventually the\nsecond work could execute after the MR was freed due to the first work,\ncausing a user after free and trace below.\n\n   refcount_t: underflow; use-after-free.\n   WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130\n   Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\n   CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]\n   RIP: 0010:refcount_warn_saturate+0x12b/0x130\n   Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff \u003c0f\u003e 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff\n   RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027\n   RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0\n   RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019\n   R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00\n   R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0\n   FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    \u003cTASK\u003e\n    ? refcount_warn_saturate+0x12b/0x130\n    free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]\n    process_one_work+0x1cc/0x3c0\n    worker_thread+0x218/0x3c0\n    kthread+0xc6/0xf0\n    ret_from_fork+0x1f/0x30\n    \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:32.764Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cc8f681f6d4ae4478ae0f60485fc768f2b450da"
        },
        {
          "url": "https://git.kernel.org/stable/c/edfb65dbb9ffd3102f3ff4dd21316158e56f1976"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3d930411ce390e532470194296658a960887773"
        }
      ],
      "title": "RDMA/mlx5: Fix implicit ODP use after free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21714",
    "datePublished": "2025-02-27T02:07:25.570Z",
    "dateReserved": "2024-12-29T08:45:45.752Z",
    "dateUpdated": "2025-05-04T07:19:32.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21742 (GCVE-0-2025-21742)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB. Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately.

References

►

URL

Tags

	https://git.kernel.org/stable/c/8fb062178e1ce180e2cfdc9abc83a1b9fea381ca
	https://git.kernel.org/stable/c/cf1ac7f7cf601ac31d1580559c002b5e37b733b7
	https://git.kernel.org/stable/c/2b619445dcb6dab97d8ed033fb57225aca1288c4
	https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb

Impacted products

Vendor

Product

Version

►

Linux

Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8fb062178e1ce180e2cfdc9abc83a1b9fea381ca",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "cf1ac7f7cf601ac31d1580559c002b5e37b733b7",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "2b619445dcb6dab97d8ed033fb57225aca1288c4",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "86586dcb75cb8fd062a518aca8ee667938b91efb",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: use static NDP16 location in URB\n\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\n\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\n\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\n\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:09.463Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8fb062178e1ce180e2cfdc9abc83a1b9fea381ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf1ac7f7cf601ac31d1580559c002b5e37b733b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b619445dcb6dab97d8ed033fb57225aca1288c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb"
        }
      ],
      "title": "usbnet: ipheth: use static NDP16 location in URB",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21742",
    "datePublished": "2025-02-27T02:12:16.207Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:09.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21749 (GCVE-0-2025-21749)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue.

References

►

URL

Tags

	https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f3ff7d98ec577c969f687513
	https://git.kernel.org/stable/c/ed00c5f907d08a647b8bf987514ad8c6b17971a7
	https://git.kernel.org/stable/c/d308661a0f4e7c8e86dfc7074a55ee5894c61538
	https://git.kernel.org/stable/c/667f61b3498df751c8b3f0be1637e7226cbe3ed0
	https://git.kernel.org/stable/c/e0384efd45f615603e6869205b72040c209e69cc
	https://git.kernel.org/stable/c/970cd2ed26cdab2b0f15b6d90d7eaa36538244a5
	https://git.kernel.org/stable/c/4c04b0ab3a647e76d0e752b013de8e404abafc63
	https://git.kernel.org/stable/c/a1300691aed9ee852b0a9192e29e2bdc2411a7e6

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8bf5c3fb778bbb1f3ff7d98ec577c969f687513",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed00c5f907d08a647b8bf987514ad8c6b17971a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d308661a0f4e7c8e86dfc7074a55ee5894c61538",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "667f61b3498df751c8b3f0be1637e7226cbe3ed0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e0384efd45f615603e6869205b72040c209e69cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "970cd2ed26cdab2b0f15b6d90d7eaa36538244a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c04b0ab3a647e76d0e752b013de8e404abafc63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a1300691aed9ee852b0a9192e29e2bdc2411a7e6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: lock the socket in rose_bind()\n\nsyzbot reported a soft lockup in rose_loopback_timer(),\nwith a repro calling bind() from multiple threads.\n\nrose_bind() must lock the socket to avoid this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:17.259Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f3ff7d98ec577c969f687513"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed00c5f907d08a647b8bf987514ad8c6b17971a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d308661a0f4e7c8e86dfc7074a55ee5894c61538"
        },
        {
          "url": "https://git.kernel.org/stable/c/667f61b3498df751c8b3f0be1637e7226cbe3ed0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0384efd45f615603e6869205b72040c209e69cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/970cd2ed26cdab2b0f15b6d90d7eaa36538244a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c04b0ab3a647e76d0e752b013de8e404abafc63"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1300691aed9ee852b0a9192e29e2bdc2411a7e6"
        }
      ],
      "title": "net: rose: lock the socket in rose_bind()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21749",
    "datePublished": "2025-02-27T02:12:20.305Z",
    "dateReserved": "2024-12-29T08:45:45.758Z",
    "dateUpdated": "2025-05-04T07:20:17.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21819 (GCVE-0-2025-21819)

Vulnerability from cvelistv5

Published

2025-02-27 20:04

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/display: Use HW lock mgr for PSR1" This reverts commit a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1") Because it may cause system hang while connect with two edp panel.

References

►

URL

Tags

	https://git.kernel.org/stable/c/915697c2e69ac8d14dad498e6d6f43dbb7de3787
	https://git.kernel.org/stable/c/dcc3f2c06d80da39eee742b51ddf0781affb260c
	https://git.kernel.org/stable/c/95c75578c420110c43791295985abb961d6dc033
	https://git.kernel.org/stable/c/a978864653e45d2671f99b09afcc1110e45d3dd9
	https://git.kernel.org/stable/c/f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6

Impacted products

Vendor

Product

Version

►

Linux

Version: b7d2461858ac75c9d6bc4ab8af1a738d0814b716
Version: 758abba3dd413dc5de2016f8588403294263a30a
Version: 4b46fc30b37e457d25cf3908c0c4dc3fbedd2044
Version: b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Version: b5c764d6ed556c4e81fbe3fd976da77ec450c08e

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "915697c2e69ac8d14dad498e6d6f43dbb7de3787",
              "status": "affected",
              "version": "b7d2461858ac75c9d6bc4ab8af1a738d0814b716",
              "versionType": "git"
            },
            {
              "lessThan": "dcc3f2c06d80da39eee742b51ddf0781affb260c",
              "status": "affected",
              "version": "758abba3dd413dc5de2016f8588403294263a30a",
              "versionType": "git"
            },
            {
              "lessThan": "95c75578c420110c43791295985abb961d6dc033",
              "status": "affected",
              "version": "4b46fc30b37e457d25cf3908c0c4dc3fbedd2044",
              "versionType": "git"
            },
            {
              "lessThan": "a978864653e45d2671f99b09afcc1110e45d3dd9",
              "status": "affected",
              "version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
              "versionType": "git"
            },
            {
              "lessThan": "f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6",
              "status": "affected",
              "version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.6.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.12.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/display: Use HW lock mgr for PSR1\"\n\nThis reverts commit\na2b5a9956269 (\"drm/amd/display: Use HW lock mgr for PSR1\")\n\nBecause it may cause system hang while connect with two edp panel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:49.995Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/915697c2e69ac8d14dad498e6d6f43dbb7de3787"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcc3f2c06d80da39eee742b51ddf0781affb260c"
        },
        {
          "url": "https://git.kernel.org/stable/c/95c75578c420110c43791295985abb961d6dc033"
        },
        {
          "url": "https://git.kernel.org/stable/c/a978864653e45d2671f99b09afcc1110e45d3dd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6"
        }
      ],
      "title": "Revert \"drm/amd/display: Use HW lock mgr for PSR1\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21819",
    "datePublished": "2025-02-27T20:04:17.284Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:49.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31335 (GCVE-0-2025-31335)

Vulnerability from cvelistv5

Published

2025-03-28 00:00

Modified

2025-03-28 14:31

Severity ?

4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Summary

The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures).

References

►

URL

Tags

	https://shibboleth.net/community/advisories/secadv_20250313.txt
	https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee
	https://shibboleth.atlassian.net/browse/CPPOST-126
	https://lists.debian.org/debian-security-announce/2025/msg00041.html

Impacted products

	Vendor	Product	Version
	Shibboleth	OpenSAML C++ library	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31335",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T14:30:51.735024Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T14:31:11.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSAML C++ library",
          "vendor": "Shibboleth",
          "versions": [
            {
              "lessThan": "3.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347 Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-28T05:25:12.442Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://shibboleth.net/community/advisories/secadv_20250313.txt"
        },
        {
          "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee"
        },
        {
          "url": "https://shibboleth.atlassian.net/browse/CPPOST-126"
        },
        {
          "url": "https://lists.debian.org/debian-security-announce/2025/msg00041.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-31335",
    "datePublished": "2025-03-28T00:00:00.000Z",
    "dateReserved": "2025-03-28T00:00:00.000Z",
    "dateUpdated": "2025-03-28T14:31:11.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50029 (GCVE-0-2024-50029)

Vulnerability from cvelistv5

Published

2024-10-21 19:39

Modified

2025-05-04 09:44

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30

References

►

URL

Tags

	https://git.kernel.org/stable/c/867639300759e3e1c5b1e1a5ff89231f263a32a7
	https://git.kernel.org/stable/c/98ccd44002d88cbf4edfc4480df532a3da5a013e
	https://git.kernel.org/stable/c/18fd04ad856df07733f5bb07e7f7168e7443d393

Impacted products

Vendor

Product

Version

►

Linux

Version: e07a06b4eb417f5271d33ce2240e93c62d98b7b4
Version: e07a06b4eb417f5271d33ce2240e93c62d98b7b4
Version: e07a06b4eb417f5271d33ce2240e93c62d98b7b4

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:26:20.682749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:28:46.027Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_conn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "867639300759e3e1c5b1e1a5ff89231f263a32a7",
              "status": "affected",
              "version": "e07a06b4eb417f5271d33ce2240e93c62d98b7b4",
              "versionType": "git"
            },
            {
              "lessThan": "98ccd44002d88cbf4edfc4480df532a3da5a013e",
              "status": "affected",
              "version": "e07a06b4eb417f5271d33ce2240e93c62d98b7b4",
              "versionType": "git"
            },
            {
              "lessThan": "18fd04ad856df07733f5bb07e7f7168e7443d393",
              "status": "affected",
              "version": "e07a06b4eb417f5271d33ce2240e93c62d98b7b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_conn.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.57",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync\n\nThis checks if the ACL connection remains valid as it could be destroyed\nwhile hci_enhanced_setup_sync is pending on cmd_sync leading to the\nfollowing trace:\n\nBUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60\nRead of size 1 at addr ffff888002328ffd by task kworker/u5:2/37\n\nCPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n ? hci_enhanced_setup_sync+0x91b/0xa60\n print_report+0x152/0x4c0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n ? __virt_addr_valid+0x1fa/0x420\n ? hci_enhanced_setup_sync+0x91b/0xa60\n kasan_report+0xda/0x1b0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n hci_enhanced_setup_sync+0x91b/0xa60\n ? __pfx_hci_enhanced_setup_sync+0x10/0x10\n ? __pfx___mutex_lock+0x10/0x10\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n ? __pfx_lock_acquire+0x10/0x10\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x167/0x240\n worker_thread+0x5b7/0xf60\n ? __kthread_parkme+0xac/0x1c0\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x293/0x360\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 34:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __hci_conn_add+0x187/0x17d0\n hci_connect_sco+0x2e1/0xb90\n sco_sock_connect+0x2a2/0xb80\n __sys_connect+0x227/0x2a0\n __x64_sys_connect+0x6d/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 37:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x101/0x160\n kfree+0xd0/0x250\n device_release+0x9a/0x210\n kobject_put+0x151/0x280\n hci_conn_del+0x448/0xbf0\n hci_abort_conn_sync+0x46f/0x980\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n worker_thread+0x5b7/0xf60\n kthread+0x293/0x360\n ret_from_fork+0x2f/0x70\n ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:44:11.355Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/867639300759e3e1c5b1e1a5ff89231f263a32a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/98ccd44002d88cbf4edfc4480df532a3da5a013e"
        },
        {
          "url": "https://git.kernel.org/stable/c/18fd04ad856df07733f5bb07e7f7168e7443d393"
        }
      ],
      "title": "Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50029",
    "datePublished": "2024-10-21T19:39:32.459Z",
    "dateReserved": "2024-10-21T12:17:06.067Z",
    "dateUpdated": "2025-05-04T09:44:11.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56638 (GCVE-0-2024-56638)

Vulnerability from cvelistv5

Published

2024-12-27 15:02

Modified

2025-05-04 10:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area.

References

►

URL

Tags

	https://git.kernel.org/stable/c/53c7314208c865086d78b4e88da53bc33da0b603
	https://git.kernel.org/stable/c/da5cc778e7bf78fe525bc90ec2043f41415c31d9
	https://git.kernel.org/stable/c/7b1d83da254be3bf054965c8f3b1ad976f460ae5

Impacted products

Vendor

Product

Version

►

Linux

Version: 3a07327d10a09379315c844c63f27941f5081e0a
Version: 3a07327d10a09379315c844c63f27941f5081e0a
Version: 3a07327d10a09379315c844c63f27941f5081e0a

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_tables_core.h",
            "net/netfilter/nft_inner.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "53c7314208c865086d78b4e88da53bc33da0b603",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            },
            {
              "lessThan": "da5cc778e7bf78fe525bc90ec2043f41415c31d9",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            },
            {
              "lessThan": "7b1d83da254be3bf054965c8f3b1ad976f460ae5",
              "status": "affected",
              "version": "3a07327d10a09379315c844c63f27941f5081e0a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_tables_core.h",
            "net/netfilter/nft_inner.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: incorrect percpu area handling under softirq\n\nSoftirq can interrupt ongoing packet from process context that is\nwalking over the percpu area that contains inner header offsets.\n\nDisable bh and perform three checks before restoring the percpu inner\nheader offsets to validate that the percpu area is valid for this\nskbuff:\n\n1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff\n   has already been parsed before for inner header fetching to\n   register.\n\n2) Validate that the percpu area refers to this skbuff using the\n   skbuff pointer as a cookie. If there is a cookie mismatch, then\n   this skbuff needs to be parsed again.\n\n3) Finally, validate if the percpu area refers to this tunnel type.\n\nOnly after these three checks the percpu area is restored to a on-stack\ncopy and bh is enabled again.\n\nAfter inner header fetching, the on-stack copy is stored back to the\npercpu area."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:44.112Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/53c7314208c865086d78b4e88da53bc33da0b603"
        },
        {
          "url": "https://git.kernel.org/stable/c/da5cc778e7bf78fe525bc90ec2043f41415c31d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b1d83da254be3bf054965c8f3b1ad976f460ae5"
        }
      ],
      "title": "netfilter: nft_inner: incorrect percpu area handling under softirq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56638",
    "datePublished": "2024-12-27T15:02:40.796Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-05-04T10:00:44.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57990 (GCVE-0-2024-57990)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() This comparison should be >= instead of > to prevent an out of bounds read and write.

References

►

URL

Tags

	https://git.kernel.org/stable/c/d03b8fe1b518fc2ea2d82588e905f56d80cd64b2
	https://git.kernel.org/stable/c/2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d
	https://git.kernel.org/stable/c/08fa656c91fd5fdf47ba393795b9c0d1e97539ed

Impacted products

Vendor

Product

Version

►

Linux

Version: 9679ca7326e52282cc923c4d71d81c999cb6cd55
Version: 9679ca7326e52282cc923c4d71d81c999cb6cd55
Version: 9679ca7326e52282cc923c4d71d81c999cb6cd55
Version: fb60020cb5b3ea4715e538c77e745c16516c5656
Version: ba09084d81c6480bd02fd74052045e533a5e8469

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7925/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d03b8fe1b518fc2ea2d82588e905f56d80cd64b2",
              "status": "affected",
              "version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
              "versionType": "git"
            },
            {
              "lessThan": "2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d",
              "status": "affected",
              "version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
              "versionType": "git"
            },
            {
              "lessThan": "08fa656c91fd5fdf47ba393795b9c0d1e97539ed",
              "status": "affected",
              "version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fb60020cb5b3ea4715e538c77e745c16516c5656",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ba09084d81c6480bd02fd74052045e533a5e8469",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7925/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_load_clc()\n\nThis comparison should be \u003e= instead of \u003e to prevent an out of bounds\nread and write."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:48.826Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d03b8fe1b518fc2ea2d82588e905f56d80cd64b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/08fa656c91fd5fdf47ba393795b9c0d1e97539ed"
        }
      ],
      "title": "wifi: mt76: mt7925: fix off by one in mt7925_load_clc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57990",
    "datePublished": "2025-02-27T02:07:13.010Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-05-04T13:01:48.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-26597 (GCVE-0-2025-26597)

Vulnerability from cvelistv5

Published

2025-02-25 15:54

Modified

2025-07-29 00:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Summary

A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:2500	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2502	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2861	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2862	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2865	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2866	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2873	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2874	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2875	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2879	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2880	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7163	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7165	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7458	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-26597	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2345255	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

►

Version: 0 ≤
Version: 22.0.0 ≤

Red Hat	Red Hat Enterprise Linux 10	Unaffected: 0:24.1.5-3.el10_0 < * cpe:/o:redhat:enterprise_linux:10.0
Red Hat	Red Hat Enterprise Linux 7 Extended Lifecycle Support	Unaffected: 0:1.8.0-36.el7_9 < * cpe:/o:redhat:rhel_els:7
Red Hat	Red Hat Enterprise Linux 7 Extended Lifecycle Support	Unaffected: 0:1.20.4-30.el7_9 < * cpe:/o:redhat:rhel_els:7
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:1.13.1-15.el8_10 < * cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	Unaffected: 0:1.9.0-15.el8_2.13 < * cpe:/a:redhat:rhel_aus:8.2::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	Unaffected: 0:1.11.0-8.el8_4.12 < * cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_tus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Telecommunications Update Service	Unaffected: 0:1.11.0-8.el8_4.12 < * cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_tus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	Unaffected: 0:1.11.0-8.el8_4.12 < * cpe:/a:redhat:rhel_e4s:8.4::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_tus:8.4::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	Unaffected: 0:1.12.0-6.el8_6.13 < * cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	Unaffected: 0:1.12.0-6.el8_6.13 < * cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	Unaffected: 0:1.12.0-6.el8_6.13 < * cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream
Red Hat	Red Hat Enterprise Linux 8.8 Extended Update Support	Unaffected: 0:1.12.0-15.el8_8.12 < * cpe:/a:redhat:rhel_eus:8.8::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.14.1-1.el9_5.1 < * cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:1.20.11-28.el9_6 < * cpe:/a:redhat:enterprise_linux:9::crb cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:23.2.7-3.el9_6 < * cpe:/a:redhat:enterprise_linux:9::crb cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	Unaffected: 0:1.11.0-22.el9_0.13 < * cpe:/a:redhat:rhel_e4s:9.0::appstream
Red Hat	Red Hat Enterprise Linux 9.2 Extended Update Support	Unaffected: 0:1.12.0-14.el9_2.10 < * cpe:/a:redhat:rhel_eus:9.2::appstream
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:1.13.1-8.el9_4.5 < * cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26597",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T16:39:35.677718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T19:14:54.385Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.freedesktop.org/xorg/xserver/",
          "defaultStatus": "unaffected",
          "packageName": "xserver",
          "versions": [
            {
              "lessThan": "21.1.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "24.1.6",
              "status": "affected",
              "version": "22.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10.0"
          ],
          "defaultStatus": "affected",
          "packageName": "xorg-x11-server-Xwayland",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:24.1.5-3.el10_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_els:7"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.8.0-36.el7_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_els:7"
          ],
          "defaultStatus": "affected",
          "packageName": "xorg-x11-server",
          "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.20.4-30.el7_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.13.1-15.el8_10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_aus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.9.0-15.el8_2.13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.0-8.el8_4.12",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.0-8.el8_4.12",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.0-8.el8_4.12",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_tus:8.6::appstream",
            "cpe:/a:redhat:rhel_aus:8.6::appstream",
            "cpe:/a:redhat:rhel_e4s:8.6::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.0-6.el8_6.13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_tus:8.6::appstream",
            "cpe:/a:redhat:rhel_aus:8.6::appstream",
            "cpe:/a:redhat:rhel_e4s:8.6::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.0-6.el8_6.13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_tus:8.6::appstream",
            "cpe:/a:redhat:rhel_aus:8.6::appstream",
            "cpe:/a:redhat:rhel_e4s:8.6::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.0-6.el8_6.13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.0-15.el8_8.12",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.14.1-1.el9_5.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::crb",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "xorg-x11-server",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.20.11-28.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::crb",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "xorg-x11-server-Xwayland",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:23.2.7-3.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:9.0::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.0-22.el9_0.13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.0-14.el9_2.10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.13.1-8.el9_4.5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "affected",
          "packageName": "tigervnc",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "xorg-x11-server",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xorg-x11-server",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xorg-x11-server-Xwayland",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T00:19:40.102Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:2500",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2500"
        },
        {
          "name": "RHSA-2025:2502",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2502"
        },
        {
          "name": "RHSA-2025:2861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2861"
        },
        {
          "name": "RHSA-2025:2862",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2862"
        },
        {
          "name": "RHSA-2025:2865",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2865"
        },
        {
          "name": "RHSA-2025:2866",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2866"
        },
        {
          "name": "RHSA-2025:2873",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2873"
        },
        {
          "name": "RHSA-2025:2874",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2874"
        },
        {
          "name": "RHSA-2025:2875",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2875"
        },
        {
          "name": "RHSA-2025:2879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2879"
        },
        {
          "name": "RHSA-2025:2880",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2880"
        },
        {
          "name": "RHSA-2025:7163",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7163"
        },
        {
          "name": "RHSA-2025:7165",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7165"
        },
        {
          "name": "RHSA-2025:7458",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7458"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-26597"
        },
        {
          "name": "RHBZ#2345255",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345255"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-12T14:15:01.517000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-25T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Xorg: xwayland: buffer overflow in xkbchangetypesofkey()",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-26597",
    "datePublished": "2025-02-25T15:54:48.196Z",
    "dateReserved": "2025-02-12T14:12:22.795Z",
    "dateUpdated": "2025-07-29T00:19:40.102Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32414 (GCVE-0-2025-32414)

Vulnerability from cvelistv5

Published

2025-04-08 00:00

Modified

2025-04-09 14:57

Severity ?

5.6 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-393 - Return of Wrong Status Code

Summary

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxml2/-/issues/889

Impacted products

	Vendor	Product	Version
	xmlsoft	libxml2	Version: 0 ≤ Version: 2.14.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32414",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T14:56:33.455181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T14:57:02.635Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.13.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.14.2",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.14.2",
                  "versionStartIncluding": "2.14.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-393",
              "description": "CWE-393 Return of Wrong Status Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-08T02:55:58.812Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32414",
    "datePublished": "2025-04-08T00:00:00.000Z",
    "dateReserved": "2025-04-08T00:00:00.000Z",
    "dateUpdated": "2025-04-09T14:57:02.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31650 (GCVE-0-2025-31650)

Vulnerability from cvelistv5

Published

2025-04-28 19:14

Modified

2025-08-08 11:43

Severity ?

CWE

CWE-459 - Incomplete Cleanup

Summary

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

References

►

URL

Tags

https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 9.0.76 ≤ 9.0.102 Version: 10.1.10 ≤ 10.1.39 Version: 11.0.0-M2 ≤ 11.0.5 Version: 8.5.90 ≤ 8.5.100

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-28T22:02:46.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/28/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-31650",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T20:07:38.530859Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T20:07:50.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.0.102",
              "status": "affected",
              "version": "9.0.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.39",
              "status": "affected",
              "version": "10.1.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.5",
              "status": "affected",
              "version": "11.0.0-M2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.90",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.90 though 8.5.100.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\n\nThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.90 though 8.5.100.\n\n\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459 Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T11:43:00.251Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-31650",
    "datePublished": "2025-04-28T19:14:31.107Z",
    "dateReserved": "2025-03-31T12:13:57.705Z",
    "dateUpdated": "2025-08-08T11:43:00.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21728 (GCVE-0-2025-21728)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`.

References

►

URL

Tags

	https://git.kernel.org/stable/c/feba1308bc5e8e04cee751d39fae8a9b407a9034
	https://git.kernel.org/stable/c/ce51eab2070e295d298f42a2f1db269cd1b56d55
	https://git.kernel.org/stable/c/e306eaaa3d78b462db5f5b11e0171f9d2b6ca3f4
	https://git.kernel.org/stable/c/be42a09fe898635b0093c0c8dac1bfabe225c240
	https://git.kernel.org/stable/c/eeef8e65041a031bd8a747a392c14b76a123a12c
	https://git.kernel.org/stable/c/78b97783496b454435639937db3303e900a24d3f
	https://git.kernel.org/stable/c/092fc76b7ab4163e008f9cde596a58dad2108260
	https://git.kernel.org/stable/c/87c544108b612512b254c8f79aa5c0a8546e2cc4

Impacted products

Vendor

Product

Version

►

Linux

Version: fd29a0242f86b2d95ad666aa9f92a3d0f7bfdab6
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 1bc7896e9ef44fd77858b3ef0b8a6840be3a4494
Version: 7930d01afb7281edd9782971e0cca6fe587c7a7b

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "feba1308bc5e8e04cee751d39fae8a9b407a9034",
              "status": "affected",
              "version": "fd29a0242f86b2d95ad666aa9f92a3d0f7bfdab6",
              "versionType": "git"
            },
            {
              "lessThan": "ce51eab2070e295d298f42a2f1db269cd1b56d55",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "e306eaaa3d78b462db5f5b11e0171f9d2b6ca3f4",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "be42a09fe898635b0093c0c8dac1bfabe225c240",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "eeef8e65041a031bd8a747a392c14b76a123a12c",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "78b97783496b454435639937db3303e900a24d3f",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "092fc76b7ab4163e008f9cde596a58dad2108260",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "lessThan": "87c544108b612512b254c8f79aa5c0a8546e2cc4",
              "status": "affected",
              "version": "1bc7896e9ef44fd77858b3ef0b8a6840be3a4494",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7930d01afb7281edd9782971e0cca6fe587c7a7b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Send signals asynchronously if !preemptible\n\nBPF programs can execute in all kinds of contexts and when a program\nrunning in a non-preemptible context uses the bpf_send_signal() kfunc,\nit will cause issues because this kfunc can sleep.\nChange `irqs_disabled()` to `!preemptible()`."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:28.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/feba1308bc5e8e04cee751d39fae8a9b407a9034"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce51eab2070e295d298f42a2f1db269cd1b56d55"
        },
        {
          "url": "https://git.kernel.org/stable/c/e306eaaa3d78b462db5f5b11e0171f9d2b6ca3f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/be42a09fe898635b0093c0c8dac1bfabe225c240"
        },
        {
          "url": "https://git.kernel.org/stable/c/eeef8e65041a031bd8a747a392c14b76a123a12c"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b97783496b454435639937db3303e900a24d3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/092fc76b7ab4163e008f9cde596a58dad2108260"
        },
        {
          "url": "https://git.kernel.org/stable/c/87c544108b612512b254c8f79aa5c0a8546e2cc4"
        }
      ],
      "title": "bpf: Send signals asynchronously if !preemptible",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21728",
    "datePublished": "2025-02-27T02:07:34.114Z",
    "dateReserved": "2024-12-29T08:45:45.755Z",
    "dateUpdated": "2025-05-04T13:06:28.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21692 (GCVE-0-2025-21692)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]---

References

►

URL

Tags

	https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5
	https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa
	https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a
	https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d
	https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7
	https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0
	https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb

Impacted products

Vendor

Product

Version

►

Linux

Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33
Version: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03c56665dab1f4ac844bc156652d50d639093fa5",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "bcf0d815e728a3a304b50455b32a3170c16e1eaa",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "1332c6ed446be787f901ed1064ec6a3c694f028a",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "f4168299e553f17aa2ba4016e77a9c38da40eb1d",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "997f6ec4208b23c87daf9f044689685f091826f7",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            },
            {
              "lessThan": "d62b04fca4340a0d468d7853bd66e511935a18cb",
              "status": "affected",
              "version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ets qdisc OOB Indexing\n\nHaowei Yan \u003cg1042620637@gmail.com\u003e found that ets_class_from_arg() can\nindex an Out-Of-Bound class in ets_class_from_arg() when passed clid of\n0. The overflow may cause local privilege escalation.\n\n [   18.852298] ------------[ cut here ]------------\n [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20\n [   18.853743] index 18446744073709551615 is out of range for type \u0027ets_class [16]\u0027\n [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17\n [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [   18.856532] Call Trace:\n [   18.857441]  \u003cTASK\u003e\n [   18.858227]  dump_stack_lvl+0xc2/0xf0\n [   18.859607]  dump_stack+0x10/0x20\n [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0\n [   18.864022]  ets_class_change+0x3d6/0x3f0\n [   18.864322]  tc_ctl_tclass+0x251/0x910\n [   18.864587]  ? lock_acquire+0x5e/0x140\n [   18.865113]  ? __mutex_lock+0x9c/0xe70\n [   18.866009]  ? __mutex_lock+0xa34/0xe70\n [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0\n [   18.866806]  ? __lock_acquire+0x578/0xc10\n [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n [   18.867503]  netlink_rcv_skb+0x59/0x110\n [   18.867776]  rtnetlink_rcv+0x15/0x30\n [   18.868159]  netlink_unicast+0x1c3/0x2b0\n [   18.868440]  netlink_sendmsg+0x239/0x4b0\n [   18.868721]  ____sys_sendmsg+0x3e2/0x410\n [   18.869012]  ___sys_sendmsg+0x88/0xe0\n [   18.869276]  ? rseq_ip_fixup+0x198/0x260\n [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190\n [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0\n [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220\n [   18.870547]  ? do_syscall_64+0x93/0x150\n [   18.870821]  ? __memcg_slab_free_hook+0x69/0x290\n [   18.871157]  __sys_sendmsg+0x69/0xd0\n [   18.871416]  __x64_sys_sendmsg+0x1d/0x30\n [   18.871699]  x64_sys_call+0x9e2/0x2670\n [   18.871979]  do_syscall_64+0x87/0x150\n [   18.873280]  ? do_syscall_64+0x93/0x150\n [   18.874742]  ? lock_release+0x7b/0x160\n [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0\n [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210\n [   18.879608]  ? irqentry_exit+0x77/0xb0\n [   18.879808]  ? clear_bhb_loop+0x15/0x70\n [   18.880023]  ? clear_bhb_loop+0x15/0x70\n [   18.880223]  ? clear_bhb_loop+0x15/0x70\n [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [   18.880683] RIP: 0033:0x44a957\n [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10\n [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957\n [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003\n [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0\n [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001\n [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001\n [   18.888395]  \u003c/TASK\u003e\n [   18.888610] ---[ end trace ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:09.132Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb"
        }
      ],
      "title": "net: sched: fix ets qdisc OOB Indexing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21692",
    "datePublished": "2025-02-10T15:58:48.087Z",
    "dateReserved": "2024-12-29T08:45:45.742Z",
    "dateUpdated": "2025-05-04T07:19:09.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56647 (GCVE-0-2024-56647)

Vulnerability from cvelistv5

Published

2024-12-27 15:02

Modified

2025-05-04 10:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call Trace: <IRQ> ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 ipv4_link_failure+0xe2/0x1d0 arp_error_report+0x3c/0x50 neigh_invalidate+0x8d/0x100 neigh_timer_handler+0x2e1/0x330 call_timer_fn+0x21/0x120 __run_timer_base.part.0+0x1c9/0x270 run_timer_softirq+0x4c/0x80 handle_softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 The script below reproduces this scenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \ dir out priority 0 ptype main flag localok icmp ip l a veth1 type veth ip a a 192.168.141.111/24 dev veth0 ip l s veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() create input routes for locally generated packets while xfrm relookup ICMP traffic.Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/9545011e7b2a8fc0cbd6e387a09f12cd41d7d82f
	https://git.kernel.org/stable/c/c44daa7e3c73229f7ac74985acb8c7fb909c4e0a

Impacted products

Vendor

Product

Version

►

Linux

Version: 8b7817f3a959ed99d7443afc12f78a7e1fcc2063
Version: 8b7817f3a959ed99d7443afc12f78a7e1fcc2063

Linux

Version: 2.6.25

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9545011e7b2a8fc0cbd6e387a09f12cd41d7d82f",
              "status": "affected",
              "version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063",
              "versionType": "git"
            },
            {
              "lessThan": "c44daa7e3c73229f7ac74985acb8c7fb909c4e0a",
              "status": "affected",
              "version": "8b7817f3a959ed99d7443afc12f78a7e1fcc2063",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix icmp host relookup triggering ip_rt_bug\n\narp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:\n\nWARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20\nModules linked in:\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:ip_rt_bug+0x14/0x20\nCall Trace:\n \u003cIRQ\u003e\n ip_send_skb+0x14/0x40\n __icmp_send+0x42d/0x6a0\n ipv4_link_failure+0xe2/0x1d0\n arp_error_report+0x3c/0x50\n neigh_invalidate+0x8d/0x100\n neigh_timer_handler+0x2e1/0x330\n call_timer_fn+0x21/0x120\n __run_timer_base.part.0+0x1c9/0x270\n run_timer_softirq+0x4c/0x80\n handle_softirqs+0xac/0x280\n irq_exit_rcu+0x62/0x80\n sysvec_apic_timer_interrupt+0x77/0x90\n\nThe script below reproduces this scenario:\nip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \\\n\tdir out priority 0 ptype main flag localok icmp\nip l a veth1 type veth\nip a a 192.168.141.111/24 dev veth0\nip l s veth0 up\nping 192.168.141.155 -c 1\n\nicmp_route_lookup() create input routes for locally generated packets\nwhile xfrm relookup ICMP traffic.Then it will set input route\n(dst-\u003eout = ip_rt_bug) to skb for DESTUNREACH.\n\nFor ICMP err triggered by locally generated packets, dst-\u003edev of output\nroute is loopback. Generally, xfrm relookup verification is not required\non loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).\n\nSkip icmp relookup for locally generated packets to fix it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:58.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9545011e7b2a8fc0cbd6e387a09f12cd41d7d82f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c44daa7e3c73229f7ac74985acb8c7fb909c4e0a"
        }
      ],
      "title": "net: Fix icmp host relookup triggering ip_rt_bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56647",
    "datePublished": "2024-12-27T15:02:47.969Z",
    "dateReserved": "2024-12-27T15:00:39.840Z",
    "dateUpdated": "2025-05-04T10:00:58.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21785 (GCVE-0-2025-21785)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level).

References

►

URL

Tags

	https://git.kernel.org/stable/c/4371ac7b494e933fffee2bd6265d18d73c4f05aa
	https://git.kernel.org/stable/c/e4fde33107351ec33f1a64188612fbc6ca659284
	https://git.kernel.org/stable/c/88a3e6afaf002250220793df99404977d343db14
	https://git.kernel.org/stable/c/4ff25f0b18d1d0174c105e4620428bcdc1213860
	https://git.kernel.org/stable/c/ab90894f33c15b14c1cee6959ab6c8dcb09127f8
	https://git.kernel.org/stable/c/715eb1af64779e1b1aa0a7b2ffb81414d9f708e5
	https://git.kernel.org/stable/c/67b99a2b5811df4294c2ad50f9bff3b6a08bd618
	https://git.kernel.org/stable/c/875d742cf5327c93cba1f11e12b08d3cce7a88d2

Impacted products

Vendor

Product

Version

►

Linux

Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9
Version: 5d425c18653731af62831d30a4fa023d532657a9

Linux

Version: 4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4371ac7b494e933fffee2bd6265d18d73c4f05aa",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "e4fde33107351ec33f1a64188612fbc6ca659284",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "88a3e6afaf002250220793df99404977d343db14",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "4ff25f0b18d1d0174c105e4620428bcdc1213860",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "ab90894f33c15b14c1cee6959ab6c8dcb09127f8",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "715eb1af64779e1b1aa0a7b2ffb81414d9f708e5",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "67b99a2b5811df4294c2ad50f9bff3b6a08bd618",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            },
            {
              "lessThan": "875d742cf5327c93cba1f11e12b08d3cce7a88d2",
              "status": "affected",
              "version": "5d425c18653731af62831d30a4fa023d532657a9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array\n\nThe loop that detects/populates cache information already has a bounds\ncheck on the array size but does not account for cache levels with\nseparate data/instructions cache. Fix this by incrementing the index\nfor any populated leaf (instead of any populated level)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:12.205Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4371ac7b494e933fffee2bd6265d18d73c4f05aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4fde33107351ec33f1a64188612fbc6ca659284"
        },
        {
          "url": "https://git.kernel.org/stable/c/88a3e6afaf002250220793df99404977d343db14"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ff25f0b18d1d0174c105e4620428bcdc1213860"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab90894f33c15b14c1cee6959ab6c8dcb09127f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/715eb1af64779e1b1aa0a7b2ffb81414d9f708e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/67b99a2b5811df4294c2ad50f9bff3b6a08bd618"
        },
        {
          "url": "https://git.kernel.org/stable/c/875d742cf5327c93cba1f11e12b08d3cce7a88d2"
        }
      ],
      "title": "arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21785",
    "datePublished": "2025-02-27T02:18:25.938Z",
    "dateReserved": "2024-12-29T08:45:45.765Z",
    "dateUpdated": "2025-05-04T07:21:12.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57996 (GCVE-0-2024-57996)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-06-27 10:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961
	https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7
	https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7
	https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e
	https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4
	https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e
	https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:13.712Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
        },
        {
          "url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
        }
      ],
      "title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57996",
    "datePublished": "2025-02-27T02:07:16.765Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-06-27T10:21:13.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-29018 (GCVE-0-2024-29018)

Vulnerability from cvelistv5

Published

2024-03-20 20:27

Modified

2024-08-13 17:00

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-669 - Incorrect Resource Transfer Between Spheres

Summary

Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.

References

►

URL

Tags

	https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx	x_refsource_CONFIRM
	https://github.com/moby/moby/pull/46609	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	moby	moby	Version: >= 26.0.0-rc1, < 26.0.0-rc3 Version: >= 25.0.0, < 25.0.5 Version: < 23.0.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:03:51.630Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx"
          },
          {
            "name": "https://github.com/moby/moby/pull/46609",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/pull/46609"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "moby",
            "vendor": "mobyproject",
            "versions": [
              {
                "lessThan": "23.0.11",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "25.0.5",
                "status": "affected",
                "version": "25.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "26.0.0-rc3",
                "status": "affected",
                "version": "26.0.0-rc1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29018",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-28T19:09:14.709513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T17:00:25.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 26.0.0-rc1, \u003c 26.0.0-rc3"
            },
            {
              "status": "affected",
              "version": "\u003e= 25.0.0, \u003c 25.0.5"
            },
            {
              "status": "affected",
              "version": "\u003c 23.0.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby\u0027s networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\n\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\n\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\n\nIn addition to configuring the Linux kernel\u0027s various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\n\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container\u0027s network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\n\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\n\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host\u0027s configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\n\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace\u0027s normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\n\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\n\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container\u0027s network namespace."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669: Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-20T20:27:00.491Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx"
        },
        {
          "name": "https://github.com/moby/moby/pull/46609",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/pull/46609"
        }
      ],
      "source": {
        "advisory": "GHSA-mq39-4gv4-mvpx",
        "discovery": "UNKNOWN"
      },
      "title": "External DNS requests from \u0027internal\u0027 networks could lead to data exfiltration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29018",
    "datePublished": "2024-03-20T20:27:00.491Z",
    "dateReserved": "2024-03-14T16:59:47.610Z",
    "dateUpdated": "2024-08-13T17:00:25.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58019 (GCVE-0-2024-58019)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nvkm/gsp: correctly advance the read pointer of GSP message queue A GSP event message consists three parts: message header, RPC header, message body. GSP calculates the number of pages to write from the total size of a GSP message. This behavior can be observed from the movement of the write pointer. However, nvkm takes only the size of RPC header and message body as the message size when advancing the read pointer. When handling a two-page GSP message in the non rollback case, It wrongly takes the message body of the previous message as the message header of the next message. As the "message length" tends to be zero, in the calculation of size needs to be copied (0 - size of (message header)), the size needs to be copied will be "0xffffffxx". It also triggers a kernel panic due to a NULL pointer error. [ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@....... [ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ [ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................ [ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ [ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 547.669485] #PF: supervisor read access in kernel mode [ 547.674624] #PF: error_code(0x0000) - not-present page [ 547.679755] PGD 0 P4D 0 [ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1 [ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm] [ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05 [ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203 [ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f [ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010 [ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0 [ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000 [ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000 [ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000 [ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0 [ 547.793896] PKRU: 55555554 [ 547.796600] Call Trace: [ 547.799046] <TASK> [ 547.801152] ? __die+0x20/0x70 [ 547.804211] ? page_fault_oops+0x75/0x170 [ 547.808221] ? print_hex_dump+0x100/0x160 [ 547.812226] ? exc_page_fault+0x64/0x150 [ 547.816152] ? asm_exc_page_fault+0x22/0x30 [ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm] [ 547.829845] process_one_work+0x196/0x3d0 [ 547.833861] worker_thread+0x2fc/0x410 [ 547.837613] ? __pfx_worker_thread+0x10/0x10 [ 547.841885] kthread+0xdf/0x110 [ 547.845031] ? __pfx_kthread+0x10/0x10 [ 547.848775] ret_from_fork+0x30/0x50 [ 547.852354] ? __pfx_kthread+0x10/0x10 [ 547.856097] ret_from_fork_asm+0x1a/0x30 [ 547.860019] </TASK> [ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/5185e63b45ea39339ed83f269e2ddfafb07e70d9
	https://git.kernel.org/stable/c/67c9cf82f50236d9c000333b26b4f95eb2c3e1b2
	https://git.kernel.org/stable/c/8d9beb4aebc02c4bd09e1d39c9c5f1c68c786dbc

Impacted products

Vendor

Product

Version

►

Linux

Version: 176fdcbddfd288408ce8571c1760ad618d962096
Version: 176fdcbddfd288408ce8571c1760ad618d962096
Version: 176fdcbddfd288408ce8571c1760ad618d962096

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5185e63b45ea39339ed83f269e2ddfafb07e70d9",
              "status": "affected",
              "version": "176fdcbddfd288408ce8571c1760ad618d962096",
              "versionType": "git"
            },
            {
              "lessThan": "67c9cf82f50236d9c000333b26b4f95eb2c3e1b2",
              "status": "affected",
              "version": "176fdcbddfd288408ce8571c1760ad618d962096",
              "versionType": "git"
            },
            {
              "lessThan": "8d9beb4aebc02c4bd09e1d39c9c5f1c68c786dbc",
              "status": "affected",
              "version": "176fdcbddfd288408ce8571c1760ad618d962096",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm/gsp: correctly advance the read pointer of GSP message queue\n\nA GSP event message consists three parts: message header, RPC header,\nmessage body. GSP calculates the number of pages to write from the\ntotal size of a GSP message. This behavior can be observed from the\nmovement of the write pointer.\n\nHowever, nvkm takes only the size of RPC header and message body as\nthe message size when advancing the read pointer. When handling a\ntwo-page GSP message in the non rollback case, It wrongly takes the\nmessage body of the previous message as the message header of the next\nmessage. As the \"message length\" tends to be zero, in the calculation of\nsize needs to be copied (0 - size of (message header)), the size needs to\nbe copied will be \"0xffffffxx\". It also triggers a kernel panic due to a\nNULL pointer error.\n\n[  547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00  ........@.......\n[  547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00  ................\n[  547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff  ................\n[  547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff  ................\n[  547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[  547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[  547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[  547.669485] #PF: supervisor read access in kernel mode\n[  547.674624] #PF: error_code(0x0000) - not-present page\n[  547.679755] PGD 0 P4D 0\n[  547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G            E      6.9.0-rc6+ #1\n[  547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[  547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]\n[  547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[  547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 \u003c8b\u003e 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05\n[  547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203\n[  547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f\n[  547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010\n[  547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0\n[  547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000\n[  547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000\n[  547.772958] FS:  0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000\n[  547.781035] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0\n[  547.793896] PKRU: 55555554\n[  547.796600] Call Trace:\n[  547.799046]  \u003cTASK\u003e\n[  547.801152]  ? __die+0x20/0x70\n[  547.804211]  ? page_fault_oops+0x75/0x170\n[  547.808221]  ? print_hex_dump+0x100/0x160\n[  547.812226]  ? exc_page_fault+0x64/0x150\n[  547.816152]  ? asm_exc_page_fault+0x22/0x30\n[  547.820341]  ? r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[  547.825184]  r535_gsp_msgq_work+0x42/0x50 [nvkm]\n[  547.829845]  process_one_work+0x196/0x3d0\n[  547.833861]  worker_thread+0x2fc/0x410\n[  547.837613]  ? __pfx_worker_thread+0x10/0x10\n[  547.841885]  kthread+0xdf/0x110\n[  547.845031]  ? __pfx_kthread+0x10/0x10\n[  547.848775]  ret_from_fork+0x30/0x50\n[  547.852354]  ? __pfx_kthread+0x10/0x10\n[  547.856097]  ret_from_fork_asm+0x1a/0x30\n[  547.860019]  \u003c/TASK\u003e\n[  547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:35.181Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5185e63b45ea39339ed83f269e2ddfafb07e70d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/67c9cf82f50236d9c000333b26b4f95eb2c3e1b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d9beb4aebc02c4bd09e1d39c9c5f1c68c786dbc"
        }
      ],
      "title": "nvkm/gsp: correctly advance the read pointer of GSP message queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58019",
    "datePublished": "2025-02-27T02:12:10.109Z",
    "dateReserved": "2025-02-27T02:10:48.228Z",
    "dateUpdated": "2025-05-04T10:08:35.181Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21760 (GCVE-0-2025-21760)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1
	https://git.kernel.org/stable/c/4d576202b90b1b95a7c428a80b536f91b8201bcc
	https://git.kernel.org/stable/c/e24d225e4cb8cf108bde00b76594499b98f0a74d
	https://git.kernel.org/stable/c/a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d
	https://git.kernel.org/stable/c/ae38982f521621c216fc2f5182cd091f4734641d
	https://git.kernel.org/stable/c/789230e5a8c1097301afc802e242c79bc8835c67
	https://git.kernel.org/stable/c/04e05112f10354ffc3bb6cc796d553bab161594c
	https://git.kernel.org/stable/c/ed6ae1f325d3c43966ec1b62ac1459e2b8e45640

Impacted products

Vendor

Product

Version

►

Linux

Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e

Linux

Version: 2.6.26

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21760",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:40.416234Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ndisc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "4d576202b90b1b95a7c428a80b536f91b8201bcc",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "e24d225e4cb8cf108bde00b76594499b98f0a74d",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "ae38982f521621c216fc2f5182cd091f4734641d",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "789230e5a8c1097301afc802e242c79bc8835c67",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "04e05112f10354ffc3bb6cc796d553bab161594c",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            },
            {
              "lessThan": "ed6ae1f325d3c43966ec1b62ac1459e2b8e45640",
              "status": "affected",
              "version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ndisc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: extend RCU protection in ndisc_send_skb()\n\nndisc_send_skb() can be called without RTNL or RCU held.\n\nAcquire rcu_read_lock() earlier, so that we can use dev_net_rcu()\nand avoid a potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:32.521Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d576202b90b1b95a7c428a80b536f91b8201bcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/e24d225e4cb8cf108bde00b76594499b98f0a74d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae38982f521621c216fc2f5182cd091f4734641d"
        },
        {
          "url": "https://git.kernel.org/stable/c/789230e5a8c1097301afc802e242c79bc8835c67"
        },
        {
          "url": "https://git.kernel.org/stable/c/04e05112f10354ffc3bb6cc796d553bab161594c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed6ae1f325d3c43966ec1b62ac1459e2b8e45640"
        }
      ],
      "title": "ndisc: extend RCU protection in ndisc_send_skb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21760",
    "datePublished": "2025-02-27T02:18:13.496Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:32.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58057 (GCVE-0-2024-58057)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: convert workqueues to unbound When a workqueue is created with `WQ_UNBOUND`, its work items are served by special worker-pools, whose host workers are not bound to any specific CPU. In the default configuration (i.e. when `queue_delayed_work` and friends do not specify which CPU to run the work item on), `WQ_UNBOUND` allows the work item to be executed on any CPU in the same node of the CPU it was enqueued on. While this solution potentially sacrifices locality, it avoids contention with other processes that might dominate the CPU time of the processor the work item was scheduled on. This is not just a theoretical problem: in a particular scenario misconfigured process was hogging most of the time from CPU0, leaving less than 0.5% of its CPU time to the kworker. The IDPF workqueues that were using the kworker on CPU0 suffered large completion delays as a result, causing performance degradation, timeouts and eventual system crash. * I have also run a manual test to gauge the performance improvement. The test consists of an antagonist process (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This process is run under `taskset 01` to bind it to CPU0, and its priority is changed with `chrt -pQ 9900 10000 ${pid}` and `renice -n -20 ${pid}` after start. Then, the IDPF driver is forced to prefer CPU0 by editing all calls to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0. Finally, `ktraces` for the workqueue events are collected. Without the current patch, the antagonist process can force arbitrary delays between `workqueue_queue_work` and `workqueue_execute_start`, that in my tests were as high as `30ms`. With the current patch applied, the workqueue can be migrated to another unloaded CPU in the same node, and, keeping everything else equal, the maximum delay I could see was `6us`.

References

►

URL

Tags

	https://git.kernel.org/stable/c/66bf9b3d9e1658333741f075320dc8e7cd6f8d09
	https://git.kernel.org/stable/c/868202ec3854e13de1164e4a3e25521194c5af72
	https://git.kernel.org/stable/c/9a5b021cb8186f1854bac2812bd4f396bb1e881c

Impacted products

Vendor

Product

Version

►

Linux

Version: 0fe45467a1041ea3657a7fa3a791c84c104fbd34
Version: 0fe45467a1041ea3657a7fa3a791c84c104fbd34
Version: 0fe45467a1041ea3657a7fa3a791c84c104fbd34

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "66bf9b3d9e1658333741f075320dc8e7cd6f8d09",
              "status": "affected",
              "version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
              "versionType": "git"
            },
            {
              "lessThan": "868202ec3854e13de1164e4a3e25521194c5af72",
              "status": "affected",
              "version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
              "versionType": "git"
            },
            {
              "lessThan": "9a5b021cb8186f1854bac2812bd4f396bb1e881c",
              "status": "affected",
              "version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert workqueues to unbound\n\nWhen a workqueue is created with `WQ_UNBOUND`, its work items are\nserved by special worker-pools, whose host workers are not bound to\nany specific CPU. In the default configuration (i.e. when\n`queue_delayed_work` and friends do not specify which CPU to run the\nwork item on), `WQ_UNBOUND` allows the work item to be executed on any\nCPU in the same node of the CPU it was enqueued on. While this\nsolution potentially sacrifices locality, it avoids contention with\nother processes that might dominate the CPU time of the processor the\nwork item was scheduled on.\n\nThis is not just a theoretical problem: in a particular scenario\nmisconfigured process was hogging most of the time from CPU0, leaving\nless than 0.5% of its CPU time to the kworker. The IDPF workqueues\nthat were using the kworker on CPU0 suffered large completion delays\nas a result, causing performance degradation, timeouts and eventual\nsystem crash.\n\n\n* I have also run a manual test to gauge the performance\n  improvement. The test consists of an antagonist process\n  (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This\n  process is run under `taskset 01` to bind it to CPU0, and its\n  priority is changed with `chrt -pQ 9900 10000 ${pid}` and\n  `renice -n -20 ${pid}` after start.\n\n  Then, the IDPF driver is forced to prefer CPU0 by editing all calls\n  to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.\n\n  Finally, `ktraces` for the workqueue events are collected.\n\n  Without the current patch, the antagonist process can force\n  arbitrary delays between `workqueue_queue_work` and\n  `workqueue_execute_start`, that in my tests were as high as\n  `30ms`. With the current patch applied, the workqueue can be\n  migrated to another unloaded CPU in the same node, and, keeping\n  everything else equal, the maximum delay I could see was `6us`."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:53.250Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/66bf9b3d9e1658333741f075320dc8e7cd6f8d09"
        },
        {
          "url": "https://git.kernel.org/stable/c/868202ec3854e13de1164e4a3e25521194c5af72"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a5b021cb8186f1854bac2812bd4f396bb1e881c"
        }
      ],
      "title": "idpf: convert workqueues to unbound",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58057",
    "datePublished": "2025-03-06T15:54:00.345Z",
    "dateReserved": "2025-03-06T15:52:09.179Z",
    "dateUpdated": "2025-05-04T10:08:53.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-46796 (GCVE-0-2024-46796)

Vulnerability from cvelistv5

Published

2024-09-18 07:12

Modified

2025-05-04 09:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

►

URL

Tags

	https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28
	https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638
	https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220

Impacted products

Vendor

Product

Version

►

Linux

Version: 1e60bc0e954389af82f1d9a85f13a63f6572350f
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:22:40.903539Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:22:52.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a72d1edb0843e4c927a4096f81e631031c25c28",
              "status": "affected",
              "version": "1e60bc0e954389af82f1d9a85f13a63f6572350f",
              "versionType": "git"
            },
            {
              "lessThan": "762099898309218b4a7954f3d49e985dc4dfd638",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            },
            {
              "lessThan": "f9c169b51b6ce20394594ef674d6b10efba31220",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n  CIFS: Attempting to mount //w22-fs0/scratch\n  run fstests generic/013 at 2024-09-02 19:48:59\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n  04/01/2014\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x5d/0x80\n   ? detach_if_pending+0xab/0x200\n   print_report+0x156/0x4d9\n   ? detach_if_pending+0xab/0x200\n   ? __virt_addr_valid+0x145/0x300\n   ? __phys_addr+0x46/0x90\n   ? detach_if_pending+0xab/0x200\n   kasan_report+0xda/0x110\n   ? detach_if_pending+0xab/0x200\n   detach_if_pending+0xab/0x200\n   timer_delete+0x96/0xe0\n   ? __pfx_timer_delete+0x10/0x10\n   ? rcu_is_watching+0x20/0x50\n   try_to_grab_pending+0x46/0x3b0\n   __cancel_work+0x89/0x1b0\n   ? __pfx___cancel_work+0x10/0x10\n   ? kasan_save_track+0x14/0x30\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n   ? __pfx_down_read+0x10/0x10\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n   ? lock_is_held_type+0x85/0xf0\n   ? mark_held_locks+0x1a/0x90\n   process_one_work+0x4c6/0x9f0\n   ? find_held_lock+0x8a/0xa0\n   ? __pfx_process_one_work+0x10/0x10\n   ? lock_acquired+0x220/0x550\n   ? __list_add_valid_or_report+0x37/0x100\n   worker_thread+0x2e4/0x570\n   ? __kthread_parkme+0xd1/0xf0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x17f/0x1c0\n   ? kthread+0xda/0x1c0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x60\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 1118:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n   cifs_atomic_open+0x467/0x770 [cifs]\n   lookup_open.isra.0+0x665/0x8b0\n   path_openat+0x4c3/0x1380\n   do_filp_open+0x167/0x270\n   do_sys_openat2+0x129/0x160\n   __x64_sys_creat+0xad/0xe0\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 83:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   poison_slab_object+0xe9/0x160\n   __kasan_slab_free+0x32/0x50\n   kfree+0xf2/0x300\n   process_one_work+0x4c6/0x9f0\n   worker_thread+0x2e4/0x570\n   kthread+0x17f/0x1c0\n   ret_from_fork+0x31/0x60\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x30/0x50\n   __kasan_record_aux_stack+0xad/0xc0\n   insert_work+0x29/0xe0\n   __queue_work+0x5ea/0x760\n   queue_work_on+0x6d/0x90\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\n   smb2_compound_op+0x911/0x3940 [cifs]\n   smb2_set_path_size+0x228/0x270 [cifs]\n   cifs_set_file_size+0x197/0x460 [cifs]\n   cifs_setattr+0xd9c/0x14b0 [cifs]\n   notify_change+0x4e3/0x740\n   do_truncate+0xfa/0x180\n   vfs_truncate+0x195/0x200\n   __x64_sys_truncate+0x109/0x150\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:34:31.707Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"
        },
        {
          "url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"
        }
      ],
      "title": "smb: client: fix double put of @cfile in smb2_set_path_size()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46796",
    "datePublished": "2024-09-18T07:12:51.038Z",
    "dateReserved": "2024-09-11T15:12:18.279Z",
    "dateUpdated": "2025-05-04T09:34:31.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21719 (GCVE-0-2025-21719)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708

References

►

URL

Tags

	https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1
	https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d
	https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47
	https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5
	https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62
	https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde
	https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a
	https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd

Impacted products

Vendor

Product

Version

►

Linux

Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d
Version: cb167893f41e21e6bd283d78e53489289dc0592d

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ipmr_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "53df27fd38f84bd3cd6b004eb4ff3c4903114f1d",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "547ef7e8cbb98f966c8719a3e15d4e078aaa9b47",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "57177c5f47a8da852f8d76cf6945cf803f8bb9e5",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "b379b3162ff55a70464c6a934ae9bf0497478a62",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "a099834a51ccf9bbba3de86a251b3433539abfde",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "26bb7d991f04eeef47dfad23e533834995c26f7a",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "15a901361ec3fb1c393f91880e1cbf24ec0a88bd",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ipmr_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: do not call mr_mfc_uses_dev() for unres entries\n\nsyzbot found that calling mr_mfc_uses_dev() for unres entries\nwould crash [1], because c-\u003emfc_un.res.minvif / c-\u003emfc_un.res.maxvif\nalias to \"struct sk_buff_head unresolved\", which contain two pointers.\n\nThis code never worked, lets remove it.\n\n[1]\nUnable to handle kernel paging request at virtual address ffff5fff2d536613\nKASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]\nModules linked in:\nCPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]\n pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334\n lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]\n lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334\nCall trace:\n  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)\n  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)\n  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382\n  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648\n  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327\n  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791\n  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317\n  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg net/socket.c:1055 [inline]\n  sock_read_iter+0x2d8/0x40c net/socket.c:1125\n  new_sync_read fs/read_write.c:484 [inline]\n  vfs_read+0x740/0x970 fs/read_write.c:565\n  ksys_read+0x15c/0x26c fs/read_write.c:708"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:43.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47"
        },
        {
          "url": "https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62"
        },
        {
          "url": "https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde"
        },
        {
          "url": "https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd"
        }
      ],
      "title": "ipmr: do not call mr_mfc_uses_dev() for unres entries",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21719",
    "datePublished": "2025-02-27T02:07:28.573Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-05-04T07:19:43.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4802 (GCVE-0-2025-4802)

Vulnerability from cvelistv5

Published

2025-05-16 19:32

Modified

2025-07-26 03:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-426 - Untrusted Search Path

Summary

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

References

►

URL

Tags

	https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
	https://sourceware.org/bugzilla/show_bug.cgi?id=32976

Impacted products

	Vendor	Product	Version
	The GNU C Library	glibc	Version: 2.27 < 2.39

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-17T08:03:25.762Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/16/7"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/17/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-4802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-25T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-26T03:55:53.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "glibc",
          "vendor": "The GNU C Library",
          "versions": [
            {
              "lessThan": "2.39",
              "status": "affected",
              "version": "2.27",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-05-16T19:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
            }
          ],
          "value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-13",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-13 Subverting Environment Variable Values"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-16T19:32:50.586Z",
        "orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
        "shortName": "glibc"
      },
      "references": [
        {
          "url": "https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32976"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
    "assignerShortName": "glibc",
    "cveId": "CVE-2025-4802",
    "datePublished": "2025-05-16T19:32:50.586Z",
    "dateReserved": "2025-05-15T21:32:45.284Z",
    "dateUpdated": "2025-07-26T03:55:53.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21829 (GCVE-0-2025-21829)

Vulnerability from cvelistv5

Published

2025-03-06 16:08

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" The Call Trace is as below: " <TASK> ? show_regs.cold+0x1a/0x1f ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __warn+0x84/0xd0 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? report_bug+0x105/0x180 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __rxe_cleanup+0x124/0x170 [rdma_rxe] rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe] ib_destroy_qp_user+0x118/0x190 [ib_core] rdma_destroy_qp.cold+0x43/0x5e [rdma_cm] rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core] rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server] process_one_work+0x21d/0x3f0 worker_thread+0x4a/0x3c0 ? process_one_work+0x3f0/0x3f0 kthread+0xf0/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> " When too many rdma resources are allocated, rxe needs more time to handle these rdma resources. Sometimes with the current timeout, rxe can not release the rdma resources correctly. Compared with other rdma drivers, a bigger timeout is used.

References

►

URL

Tags

	https://git.kernel.org/stable/c/720653309dd31c8a927ef5d87964578ad544980f
	https://git.kernel.org/stable/c/45e567800492088bc52c9abac35524b4d332a8f8
	https://git.kernel.org/stable/c/7a2de8126ed3801f2396720e10a03cd546a3cea1
	https://git.kernel.org/stable/c/a7d15eaecf0d6e13226db629ae2401c8c02683e5
	https://git.kernel.org/stable/c/edc4ef0e0154096d6c0cf5e06af6fc330dbad9d1

Impacted products

Vendor

Product

Version

►

Linux

Version: 215d0a755e1bcd92cbe6a71a21194ce7c82ec106
Version: 215d0a755e1bcd92cbe6a71a21194ce7c82ec106
Version: 215d0a755e1bcd92cbe6a71a21194ce7c82ec106
Version: 215d0a755e1bcd92cbe6a71a21194ce7c82ec106
Version: 215d0a755e1bcd92cbe6a71a21194ce7c82ec106

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "720653309dd31c8a927ef5d87964578ad544980f",
              "status": "affected",
              "version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
              "versionType": "git"
            },
            {
              "lessThan": "45e567800492088bc52c9abac35524b4d332a8f8",
              "status": "affected",
              "version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
              "versionType": "git"
            },
            {
              "lessThan": "7a2de8126ed3801f2396720e10a03cd546a3cea1",
              "status": "affected",
              "version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
              "versionType": "git"
            },
            {
              "lessThan": "a7d15eaecf0d6e13226db629ae2401c8c02683e5",
              "status": "affected",
              "version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
              "versionType": "git"
            },
            {
              "lessThan": "edc4ef0e0154096d6c0cf5e06af6fc330dbad9d1",
              "status": "affected",
              "version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"\n\nThe Call Trace is as below:\n\"\n  \u003cTASK\u003e\n  ? show_regs.cold+0x1a/0x1f\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? __warn+0x84/0xd0\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? report_bug+0x105/0x180\n  ? handle_bug+0x46/0x80\n  ? exc_invalid_op+0x19/0x70\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? __rxe_cleanup+0x124/0x170 [rdma_rxe]\n  rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]\n  ib_destroy_qp_user+0x118/0x190 [ib_core]\n  rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]\n  rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]\n  rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]\n  process_one_work+0x21d/0x3f0\n  worker_thread+0x4a/0x3c0\n  ? process_one_work+0x3f0/0x3f0\n  kthread+0xf0/0x120\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  \u003c/TASK\u003e\n\"\nWhen too many rdma resources are allocated, rxe needs more time to\nhandle these rdma resources. Sometimes with the current timeout, rxe\ncan not release the rdma resources correctly.\n\nCompared with other rdma drivers, a bigger timeout is used."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:02.143Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/720653309dd31c8a927ef5d87964578ad544980f"
        },
        {
          "url": "https://git.kernel.org/stable/c/45e567800492088bc52c9abac35524b4d332a8f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a2de8126ed3801f2396720e10a03cd546a3cea1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7d15eaecf0d6e13226db629ae2401c8c02683e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/edc4ef0e0154096d6c0cf5e06af6fc330dbad9d1"
        }
      ],
      "title": "RDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21829",
    "datePublished": "2025-03-06T16:08:09.054Z",
    "dateReserved": "2024-12-29T08:45:45.776Z",
    "dateUpdated": "2025-05-04T07:22:02.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53226 (GCVE-0-2024-53226)

Vulnerability from cvelistv5

Published

2024-12-27 13:50

Modified

2025-05-04 13:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument. The driver needs to check whether it is a NULL pointer before dereferencing it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/bd715e191d444992d6ed124f15856da5c1cae2de
	https://git.kernel.org/stable/c/35f5b68f63aac61d30ce0b0c6beb09b8845a3e65
	https://git.kernel.org/stable/c/52617e76f4963644db71dc0a17e998654dc0c7f4
	https://git.kernel.org/stable/c/6b0d7d6e6883d0ec70cd7b5a02c47c003d5defe7
	https://git.kernel.org/stable/c/71becb0e9df78a8d43dfd0efcef18c830a0af477
	https://git.kernel.org/stable/c/8c269bb2cc666ca580271e1a8136c63ac9162e1e
	https://git.kernel.org/stable/c/6b526d17eed850352d880b93b9bf20b93006bd92

Impacted products

Vendor

Product

Version

►

Linux

Version: edc2dee07ab4ae2188b9780c453a64032162a5a0
Version: 3c301b8a046b57e3de14c6fc669d81dcb71bb5b5
Version: 5a13652ac34be9b60feec89835763574825a8905
Version: 4d480e45cb7fffb9d9b49924469c1f458068080a
Version: d387d4b54eb84208bd4ca13572e106851d0a0819
Version: d387d4b54eb84208bd4ca13572e106851d0a0819
Version: d387d4b54eb84208bd4ca13572e106851d0a0819
Version: ecdf900a5a3372bc0208e0701a116f112eb6039c

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bd715e191d444992d6ed124f15856da5c1cae2de",
              "status": "affected",
              "version": "edc2dee07ab4ae2188b9780c453a64032162a5a0",
              "versionType": "git"
            },
            {
              "lessThan": "35f5b68f63aac61d30ce0b0c6beb09b8845a3e65",
              "status": "affected",
              "version": "3c301b8a046b57e3de14c6fc669d81dcb71bb5b5",
              "versionType": "git"
            },
            {
              "lessThan": "52617e76f4963644db71dc0a17e998654dc0c7f4",
              "status": "affected",
              "version": "5a13652ac34be9b60feec89835763574825a8905",
              "versionType": "git"
            },
            {
              "lessThan": "6b0d7d6e6883d0ec70cd7b5a02c47c003d5defe7",
              "status": "affected",
              "version": "4d480e45cb7fffb9d9b49924469c1f458068080a",
              "versionType": "git"
            },
            {
              "lessThan": "71becb0e9df78a8d43dfd0efcef18c830a0af477",
              "status": "affected",
              "version": "d387d4b54eb84208bd4ca13572e106851d0a0819",
              "versionType": "git"
            },
            {
              "lessThan": "8c269bb2cc666ca580271e1a8136c63ac9162e1e",
              "status": "affected",
              "version": "d387d4b54eb84208bd4ca13572e106851d0a0819",
              "versionType": "git"
            },
            {
              "lessThan": "6b526d17eed850352d880b93b9bf20b93006bd92",
              "status": "affected",
              "version": "d387d4b54eb84208bd4ca13572e106851d0a0819",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ecdf900a5a3372bc0208e0701a116f112eb6039c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hns/hns_roce_mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.10.224",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.15.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "6.1.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.6.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()\n\nib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.\nThe driver needs to check whether it is a NULL pointer before\ndereferencing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:44.783Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bd715e191d444992d6ed124f15856da5c1cae2de"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f5b68f63aac61d30ce0b0c6beb09b8845a3e65"
        },
        {
          "url": "https://git.kernel.org/stable/c/52617e76f4963644db71dc0a17e998654dc0c7f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b0d7d6e6883d0ec70cd7b5a02c47c003d5defe7"
        },
        {
          "url": "https://git.kernel.org/stable/c/71becb0e9df78a8d43dfd0efcef18c830a0af477"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c269bb2cc666ca580271e1a8136c63ac9162e1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b526d17eed850352d880b93b9bf20b93006bd92"
        }
      ],
      "title": "RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53226",
    "datePublished": "2024-12-27T13:50:15.488Z",
    "dateReserved": "2024-11-19T17:17:25.025Z",
    "dateUpdated": "2025-05-04T13:00:44.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26810 (GCVE-0-2024-26810)

Vulnerability from cvelistv5

Published

2024-04-05 08:24

Modified

2025-05-04 08:57

Severity ?

4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Lock external INTx masking ops Mask operations through config space changes to DisINTx may race INTx configuration changes via ioctl. Create wrappers that add locking for paths outside of the core interrupt code. In particular, irq_type is updated holding igate, therefore testing is_intx() requires holding igate. For example clearing DisINTx from config space can otherwise race changes of the interrupt configuration. This aligns interfaces which may trigger the INTx eventfd into two camps, one side serialized by igate and the other only enabled while INTx is configured. A subsequent patch introduces synchronization for the latter flows.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42
	https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3
	https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6
	https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5
	https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651
	https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40
	https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf
	https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7

Impacted products

Vendor

Product

Version

►

Linux

Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Version: 89e1f7d4c66d85f42c3d52ea3866eb10cadf6153

Linux

Version: 3.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-05T17:23:22.081964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T20:03:53.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.648Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/vfio_pci_intrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e71b6449d55179170efc8dee8664510bb813b42",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "3dd9be6cb55e0f47544e7cdda486413f7134e3b3",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "ec73e079729258a05452356cf6d098bf1504d5a6",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "3fe0ac10bd117df847c93408a9d428a453cd60e5",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "04a4a017b9ffd7b0f427b8c376688d14cb614651",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "6fe478d855b20ac1eb5da724afe16af5a2aaaa40",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "03505e3344b0576fd619416793a31eae9c5b73bf",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            },
            {
              "lessThan": "810cd4bb53456d0503cc4e7934e063835152c1b7",
              "status": "affected",
              "version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/pci/vfio_pci_intrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.274",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.215",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.154",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.84",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.24",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.12",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.3",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:57:05.248Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42"
        },
        {
          "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40"
        },
        {
          "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7"
        }
      ],
      "title": "vfio/pci: Lock external INTx masking ops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26810",
    "datePublished": "2024-04-05T08:24:41.987Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2025-05-04T08:57:05.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21736 (GCVE-0-2025-21736)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix possible int overflows in nilfs_fiemap() Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unlikely to occur, play it safe and cast right hand expression to wider type to mitigate the issue. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7649937987fed51ed09985da4019d50189fc534e
	https://git.kernel.org/stable/c/58b1c6881081f5ddfb9a14dc241a74732c0f855c
	https://git.kernel.org/stable/c/8f41df5fd4c11d26e929a85f7239799641f92da7
	https://git.kernel.org/stable/c/f3d80f34f58445355fa27b9579a449fb186aa64e
	https://git.kernel.org/stable/c/f2bd0f1ab47822fe5bd699c8458b896c4b2edea1
	https://git.kernel.org/stable/c/b9495a9109abc31d3170f7aad7d48aa64610a1a2
	https://git.kernel.org/stable/c/250423300b4b0335918be187ef3cade248c06e6a
	https://git.kernel.org/stable/c/6438ef381c183444f7f9d1de18f22661cba1e946

Impacted products

Vendor

Product

Version

►

Linux

Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92

Linux

Version: 2.6.38

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7649937987fed51ed09985da4019d50189fc534e",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "58b1c6881081f5ddfb9a14dc241a74732c0f855c",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "8f41df5fd4c11d26e929a85f7239799641f92da7",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "f3d80f34f58445355fa27b9579a449fb186aa64e",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "f2bd0f1ab47822fe5bd699c8458b896c4b2edea1",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "b9495a9109abc31d3170f7aad7d48aa64610a1a2",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "250423300b4b0335918be187ef3cade248c06e6a",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            },
            {
              "lessThan": "6438ef381c183444f7f9d1de18f22661cba1e946",
              "status": "affected",
              "version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix possible int overflows in nilfs_fiemap()\n\nSince nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result\nby being prepared to go through potentially maxblocks == INT_MAX blocks,\nthe value in n may experience an overflow caused by left shift of blkbits.\n\nWhile it is extremely unlikely to occur, play it safe and cast right hand\nexpression to wider type to mitigate the issue.\n\nFound by Linux Verification Center (linuxtesting.org) with static analysis\ntool SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:03.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7649937987fed51ed09985da4019d50189fc534e"
        },
        {
          "url": "https://git.kernel.org/stable/c/58b1c6881081f5ddfb9a14dc241a74732c0f855c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f41df5fd4c11d26e929a85f7239799641f92da7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3d80f34f58445355fa27b9579a449fb186aa64e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2bd0f1ab47822fe5bd699c8458b896c4b2edea1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9495a9109abc31d3170f7aad7d48aa64610a1a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/250423300b4b0335918be187ef3cade248c06e6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6438ef381c183444f7f9d1de18f22661cba1e946"
        }
      ],
      "title": "nilfs2: fix possible int overflows in nilfs_fiemap()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21736",
    "datePublished": "2025-02-27T02:12:12.871Z",
    "dateReserved": "2024-12-29T08:45:45.756Z",
    "dateUpdated": "2025-05-04T07:20:03.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21775 (GCVE-0-2025-21775)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: can: ctucanfd: handle skb allocation failure If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place. Add the missed NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.

References

►

URL

Tags

	https://git.kernel.org/stable/c/84b9ac59978a6a4e0812d1c938fad97306272cef
	https://git.kernel.org/stable/c/e505b83b9ee6aa0ae2f4395f573a66579ae403fb
	https://git.kernel.org/stable/c/b0e592dd46a0a952b41c3bf6c963afdd6a42b526
	https://git.kernel.org/stable/c/e7e2e2318b1f085044126ba553a4e619842fc36d
	https://git.kernel.org/stable/c/9bd24927e3eeb85642c7baa3b28be8bea6c2a078

Impacted products

Vendor

Product

Version

►

Linux

Version: 2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7
Version: 2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7
Version: 2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7
Version: 2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7
Version: 2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/ctucanfd/ctucanfd_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "84b9ac59978a6a4e0812d1c938fad97306272cef",
              "status": "affected",
              "version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
              "versionType": "git"
            },
            {
              "lessThan": "e505b83b9ee6aa0ae2f4395f573a66579ae403fb",
              "status": "affected",
              "version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
              "versionType": "git"
            },
            {
              "lessThan": "b0e592dd46a0a952b41c3bf6c963afdd6a42b526",
              "status": "affected",
              "version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
              "versionType": "git"
            },
            {
              "lessThan": "e7e2e2318b1f085044126ba553a4e619842fc36d",
              "status": "affected",
              "version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
              "versionType": "git"
            },
            {
              "lessThan": "9bd24927e3eeb85642c7baa3b28be8bea6c2a078",
              "status": "affected",
              "version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/ctucanfd/ctucanfd_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ctucanfd: handle skb allocation failure\n\nIf skb allocation fails, the pointer to struct can_frame is NULL. This\nis actually handled everywhere inside ctucan_err_interrupt() except for\nthe only place.\n\nAdd the missed NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:55.375Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/84b9ac59978a6a4e0812d1c938fad97306272cef"
        },
        {
          "url": "https://git.kernel.org/stable/c/e505b83b9ee6aa0ae2f4395f573a66579ae403fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0e592dd46a0a952b41c3bf6c963afdd6a42b526"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7e2e2318b1f085044126ba553a4e619842fc36d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bd24927e3eeb85642c7baa3b28be8bea6c2a078"
        }
      ],
      "title": "can: ctucanfd: handle skb allocation failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21775",
    "datePublished": "2025-02-27T02:18:21.019Z",
    "dateReserved": "2024-12-29T08:45:45.763Z",
    "dateUpdated": "2025-05-04T07:20:55.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21780 (GCVE-0-2025-21780)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table().

References

►

URL

Tags

	https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a
	https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab
	https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084
	https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de
	https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699

Impacted products

Vendor

Product

Version

►

Linux

Version: 137d63abbf6a0859e79b662e81d21170ecb75e59
Version: 137d63abbf6a0859e79b662e81d21170ecb75e59
Version: 137d63abbf6a0859e79b662e81d21170ecb75e59
Version: 137d63abbf6a0859e79b662e81d21170ecb75e59
Version: 137d63abbf6a0859e79b662e81d21170ecb75e59

Linux

Version: 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3484ea33157bc7334f57e64826ec5a4bf992151a",
              "status": "affected",
              "version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
              "versionType": "git"
            },
            {
              "lessThan": "e43a8b9c4d700ffec819c5043a48769b3e7d9cab",
              "status": "affected",
              "version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
              "versionType": "git"
            },
            {
              "lessThan": "2498d2db1d35e88a2060ea191ae75dce853dd084",
              "status": "affected",
              "version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
              "versionType": "git"
            },
            {
              "lessThan": "231075c5a8ea54f34b7c4794687baa980814e6de",
              "status": "affected",
              "version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
              "versionType": "git"
            },
            {
              "lessThan": "1abb2648698bf10783d2236a6b4a7ca5e8021699",
              "status": "affected",
              "version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:06.464Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab"
        },
        {
          "url": "https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084"
        },
        {
          "url": "https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de"
        },
        {
          "url": "https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699"
        }
      ],
      "title": "drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21780",
    "datePublished": "2025-02-27T02:18:23.543Z",
    "dateReserved": "2024-12-29T08:45:45.764Z",
    "dateUpdated": "2025-05-04T07:21:06.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21883 (GCVE-0-2025-21883)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption. Reproducer: devlink dev eswitch set $PF1_PCI mode switchdev ip l s $PF1 up ip l s $PF1 promisc on sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs Trace (minimized): list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330). kernel BUG at lib/list_debug.c:29! RIP: 0010:__list_add_valid_or_report+0xa6/0x100 ice_mbx_init_vf_info+0xa7/0x180 [ice] ice_initialize_vf_entry+0x1fa/0x250 [ice] ice_sriov_configure+0x8d7/0x1520 [ice] ? __percpu_ref_switch_mode+0x1b1/0x5d0 ? __pfx_ice_sriov_configure+0x10/0x10 [ice] Sometimes a KASAN report can be seen instead with a similar stack trace: BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100 VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).

References

►

URL

Tags

	https://git.kernel.org/stable/c/3c01102bec9592928e6b155da41cfcd5d25a2066
	https://git.kernel.org/stable/c/a4880583f88deba63504ce1c8287a70d39c01378
	https://git.kernel.org/stable/c/34393fd78d7183a007eaf0090966ebedcc29bd57
	https://git.kernel.org/stable/c/79990cf5e7aded76d0c092c9f5ed31eb1c75e02c

Impacted products

Vendor

Product

Version

►

Linux

Version: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e
Version: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e
Version: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e
Version: 8cd8a6b17d275a45e3722d0215f6115b687c8c3e

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_sriov.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c01102bec9592928e6b155da41cfcd5d25a2066",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "a4880583f88deba63504ce1c8287a70d39c01378",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "34393fd78d7183a007eaf0090966ebedcc29bd57",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            },
            {
              "lessThan": "79990cf5e7aded76d0c092c9f5ed31eb1c75e02c",
              "status": "affected",
              "version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_sriov.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib.c",
            "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix deinitializing VF in error path\n\nIf ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees\nall VFs without removing them from snapshot PF-VF mailbox list, leading\nto list corruption.\n\nReproducer:\n  devlink dev eswitch set $PF1_PCI mode switchdev\n  ip l s $PF1 up\n  ip l s $PF1 promisc on\n  sleep 1\n  echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n  sleep 1\n  echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n\nTrace (minimized):\n  list_add corruption. next-\u003eprev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).\n  kernel BUG at lib/list_debug.c:29!\n  RIP: 0010:__list_add_valid_or_report+0xa6/0x100\n   ice_mbx_init_vf_info+0xa7/0x180 [ice]\n   ice_initialize_vf_entry+0x1fa/0x250 [ice]\n   ice_sriov_configure+0x8d7/0x1520 [ice]\n   ? __percpu_ref_switch_mode+0x1b1/0x5d0\n   ? __pfx_ice_sriov_configure+0x10/0x10 [ice]\n\nSometimes a KASAN report can be seen instead with a similar stack trace:\n  BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100\n\nVFs are added to this list in ice_mbx_init_vf_info(), but only removed\nin ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is\nalso being called in other places where VFs are being removed (including\nice_free_vfs() itself)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:16.768Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c01102bec9592928e6b155da41cfcd5d25a2066"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4880583f88deba63504ce1c8287a70d39c01378"
        },
        {
          "url": "https://git.kernel.org/stable/c/34393fd78d7183a007eaf0090966ebedcc29bd57"
        },
        {
          "url": "https://git.kernel.org/stable/c/79990cf5e7aded76d0c092c9f5ed31eb1c75e02c"
        }
      ],
      "title": "ice: Fix deinitializing VF in error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21883",
    "datePublished": "2025-03-27T14:57:11.766Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:16.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58005 (GCVE-0-2024-58005)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tpm: Change to kvalloc() in eventlog/acpi.c The following failure was reported on HPE ProLiant D320: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 The above transcript shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by moving from devm_kmalloc() to devm_add_action() and kvmalloc() and devm_add_action().

References

►

URL

Tags

	https://git.kernel.org/stable/c/a676c0401de59548a5bc1b7aaf98f556ae8ea6db
	https://git.kernel.org/stable/c/0621d2599d6e02d05c85d6bbd58eaea2f15b3503
	https://git.kernel.org/stable/c/77779d1258a287f2c5c2c6aeae203e0996209c77
	https://git.kernel.org/stable/c/50365a6304a57266e8f4d3078060743c3b7a1e0d
	https://git.kernel.org/stable/c/422d7f4e8d817be467986589c7968d3ea402f7da
	https://git.kernel.org/stable/c/4c8bfe643bbd00b04ee8f9545ef33bf6a68c38db
	https://git.kernel.org/stable/c/a3a860bc0fd6c07332e4911cf9a238d20de90173

Impacted products

Vendor

Product

Version

►

Linux

Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988

Linux

Version: 2.6.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/eventlog/acpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a676c0401de59548a5bc1b7aaf98f556ae8ea6db",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "0621d2599d6e02d05c85d6bbd58eaea2f15b3503",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "77779d1258a287f2c5c2c6aeae203e0996209c77",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "50365a6304a57266e8f4d3078060743c3b7a1e0d",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "422d7f4e8d817be467986589c7968d3ea402f7da",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "4c8bfe643bbd00b04ee8f9545ef33bf6a68c38db",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            },
            {
              "lessThan": "a3a860bc0fd6c07332e4911cf9a238d20de90173",
              "status": "affected",
              "version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/tpm/eventlog/acpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.16"
            },
            {
              "lessThan": "2.6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Change to kvalloc() in eventlog/acpi.c\n\nThe following failure was reported on HPE ProLiant D320:\n\n[   10.693310][    T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)\n[   10.848132][    T1] ------------[ cut here ]------------\n[   10.853559][    T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330\n[   10.862827][    T1] Modules linked in:\n[   10.866671][    T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375\n[   10.882741][    T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024\n[   10.892170][    T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330\n[   10.898103][    T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 \u003c0f\u003e 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1\n[   10.917750][    T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246\n[   10.923777][    T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000\n[   10.931727][    T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0\n\nThe above transcript shows that ACPI pointed a 16 MiB buffer for the log\nevents because RSI maps to the \u0027order\u0027 parameter of __alloc_pages_noprof().\nAddress the bug by moving from devm_kmalloc() to devm_add_action() and\nkvmalloc() and devm_add_action()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:13.946Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a676c0401de59548a5bc1b7aaf98f556ae8ea6db"
        },
        {
          "url": "https://git.kernel.org/stable/c/0621d2599d6e02d05c85d6bbd58eaea2f15b3503"
        },
        {
          "url": "https://git.kernel.org/stable/c/77779d1258a287f2c5c2c6aeae203e0996209c77"
        },
        {
          "url": "https://git.kernel.org/stable/c/50365a6304a57266e8f4d3078060743c3b7a1e0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/422d7f4e8d817be467986589c7968d3ea402f7da"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c8bfe643bbd00b04ee8f9545ef33bf6a68c38db"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3a860bc0fd6c07332e4911cf9a238d20de90173"
        }
      ],
      "title": "tpm: Change to kvalloc() in eventlog/acpi.c",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58005",
    "datePublished": "2025-02-27T02:12:02.232Z",
    "dateReserved": "2025-02-27T02:10:48.226Z",
    "dateUpdated": "2025-05-04T10:08:13.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58058 (GCVE-0-2024-58058)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ubifs: skip dumping tnc tree when zroot is null Clearing slab cache will free all znode in memory and make c->zroot.znode = NULL, then dumping tnc tree will access c->zroot.znode which cause null pointer dereference.

References

►

URL

Tags

	https://git.kernel.org/stable/c/428aff8f7cfb0d9a8854477648022cef96bcab28
	https://git.kernel.org/stable/c/6211c11fc20424bbc6d79c835c7c212b553ae898
	https://git.kernel.org/stable/c/1787cd67bb94b106555ffe64f887f6aa24b47010
	https://git.kernel.org/stable/c/e01b55f261ccc96e347eba4931e4429d080d879d
	https://git.kernel.org/stable/c/40e25a3c0063935763717877bb2a814c081509ff
	https://git.kernel.org/stable/c/77e5266e3d3faa6bdcf20d9c68a8972f6aa06522
	https://git.kernel.org/stable/c/2a987950df825d0144370e700dc5fb337684ffba
	https://git.kernel.org/stable/c/bdb0ca39e0acccf6771db49c3f94ed787d05f2d7

Impacted products

Vendor

Product

Version

►

Linux

Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d

Linux

Version: 2.6.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ubifs/debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "428aff8f7cfb0d9a8854477648022cef96bcab28",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "6211c11fc20424bbc6d79c835c7c212b553ae898",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "1787cd67bb94b106555ffe64f887f6aa24b47010",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "e01b55f261ccc96e347eba4931e4429d080d879d",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "40e25a3c0063935763717877bb2a814c081509ff",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "77e5266e3d3faa6bdcf20d9c68a8972f6aa06522",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "2a987950df825d0144370e700dc5fb337684ffba",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "bdb0ca39e0acccf6771db49c3f94ed787d05f2d7",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ubifs/debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: skip dumping tnc tree when zroot is null\n\nClearing slab cache will free all znode in memory and make\nc-\u003ezroot.znode = NULL, then dumping tnc tree will access\nc-\u003ezroot.znode which cause null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:59.629Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/428aff8f7cfb0d9a8854477648022cef96bcab28"
        },
        {
          "url": "https://git.kernel.org/stable/c/6211c11fc20424bbc6d79c835c7c212b553ae898"
        },
        {
          "url": "https://git.kernel.org/stable/c/1787cd67bb94b106555ffe64f887f6aa24b47010"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01b55f261ccc96e347eba4931e4429d080d879d"
        },
        {
          "url": "https://git.kernel.org/stable/c/40e25a3c0063935763717877bb2a814c081509ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/77e5266e3d3faa6bdcf20d9c68a8972f6aa06522"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a987950df825d0144370e700dc5fb337684ffba"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdb0ca39e0acccf6771db49c3f94ed787d05f2d7"
        }
      ],
      "title": "ubifs: skip dumping tnc tree when zroot is null",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58058",
    "datePublished": "2025-03-06T15:54:01.033Z",
    "dateReserved": "2025-03-06T15:52:09.179Z",
    "dateUpdated": "2025-05-04T10:08:59.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21869 (GCVE-0-2025-21869)

Vulnerability from cvelistv5

Published

2025-03-27 13:38

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Disable KASAN report during patching via temporary mm Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13: [ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ================================================================== Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented. Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") use copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0
	https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84
	https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee

Impacted products

Vendor

Product

Version

►

Linux

Version: 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2
Version: 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2
Version: 465cabc97b42405eb89380ea6ba8d8b03e4ae1a2

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5980d4456dd66d1b6505d5ec15048bd87e8775e0",
              "status": "affected",
              "version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
              "versionType": "git"
            },
            {
              "lessThan": "ea291447a4031f3dac5c23d55bc83fe833820d84",
              "status": "affected",
              "version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
              "versionType": "git"
            },
            {
              "lessThan": "dc9c5166c3cb044f8a001e397195242fd6796eee",
              "status": "affected",
              "version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[   12.028126] ==================================================================\n[   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.13.0-P9-dirty #3\n[   12.028408] Tainted: [T]=RANDSTRUCT\n[   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[   12.028500] Call Trace:\n[   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[   12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G                T   (6.13.0-P9-dirty)\n[   12.029735] MSR:  900000000280f032 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 42004848  XER: 00000000\n[   12.029855] IRQMASK: 0\n               GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n               GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n               GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n               GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n               GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n               GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n               GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n               GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030405] --- interrupt: 3000\n[   12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired from x86 but unlike x86 is doesn\u0027t disable\nKASAN reports during patching. This wasn\u0027t a problem at the begining\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") use copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:53.274Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee"
        }
      ],
      "title": "powerpc/code-patching: Disable KASAN report during patching via temporary mm",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21869",
    "datePublished": "2025-03-27T13:38:22.229Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:53.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58002 (GCVE-0-2024-58002)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b
	https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c
	https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50
	https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927
	https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971
	https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac
	https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c
	https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb

Impacted products

Vendor

Product

Version

►

Linux

Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366
Version: e5225c820c057537dc780244760e2e24c7d27366

Linux

Version: 4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_ctrl.c",
            "drivers/media/usb/uvc/uvc_v4l2.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a29413ace64627e178fd422dd8a5d95219a2c0b",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "653993f46861f2971e95e9a0e36a34b49dec542c",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "ac18d781466252cd35a3e311e0a4b264260fd927",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "4dbaa738c583a0e947803c69e8996e88cf98d971",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "438bda062b2c40ddd7df23b932e29ffe0a448cac",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "9edc7d25f7e49c33a1ce7a5ffadea2222065516c",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            },
            {
              "lessThan": "221cd51efe4565501a3dbf04cc011b537dcce7fb",
              "status": "affected",
              "version": "e5225c820c057537dc780244760e2e24c7d27366",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_ctrl.c",
            "drivers/media/usb/uvc/uvc_v4l2.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:09.163Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c"
        },
        {
          "url": "https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971"
        },
        {
          "url": "https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac"
        },
        {
          "url": "https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c"
        },
        {
          "url": "https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb"
        }
      ],
      "title": "media: uvcvideo: Remove dangling pointers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58002",
    "datePublished": "2025-02-27T02:12:00.223Z",
    "dateReserved": "2025-02-27T02:04:28.915Z",
    "dateUpdated": "2025-05-04T10:08:09.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21671 (GCVE-0-2025-21671)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 07:18

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device.

References

►

URL

Tags

	https://git.kernel.org/stable/c/fe3de867f94819ba0f28e035c0b0182150147d95
	https://git.kernel.org/stable/c/571d3f6045cd3a6d9f6aec33b678f3ffe97582ef
	https://git.kernel.org/stable/c/902ef8f16d5ca77edc77c30656be54186c1e99b7
	https://git.kernel.org/stable/c/212fe1c0df4a150fb6298db2cfff267ceaba5402

Impacted products

Vendor

Product

Version

►

Linux

Version: ac3b5366b9b7c9d97b606532ceab43d2329a22f3
Version: 0b5b0b65561b34e6e360de317e4bcd031bfabf42
Version: 6fb92e9a52e3feae309a213950f21dfcd1eb0b40
Version: 74363ec674cb172d8856de25776c8f3103f05e2f

Linux

Version: 6.1.122   ≤
Version: 6.6.68   ≤
Version: 6.12.7   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21671",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:11:50.678589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:05.639Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/zram/zram_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fe3de867f94819ba0f28e035c0b0182150147d95",
              "status": "affected",
              "version": "ac3b5366b9b7c9d97b606532ceab43d2329a22f3",
              "versionType": "git"
            },
            {
              "lessThan": "571d3f6045cd3a6d9f6aec33b678f3ffe97582ef",
              "status": "affected",
              "version": "0b5b0b65561b34e6e360de317e4bcd031bfabf42",
              "versionType": "git"
            },
            {
              "lessThan": "902ef8f16d5ca77edc77c30656be54186c1e99b7",
              "status": "affected",
              "version": "6fb92e9a52e3feae309a213950f21dfcd1eb0b40",
              "versionType": "git"
            },
            {
              "lessThan": "212fe1c0df4a150fb6298db2cfff267ceaba5402",
              "status": "affected",
              "version": "74363ec674cb172d8856de25776c8f3103f05e2f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/zram/zram_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.1.127",
              "status": "affected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.74",
              "status": "affected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.11",
              "status": "affected",
              "version": "6.12.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "6.1.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "6.6.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "6.12.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix potential UAF of zram table\n\nIf zram_meta_alloc failed early, it frees allocated zram-\u003etable without\nsetting it NULL.  Which will potentially cause zram_meta_free to access\nthe table if user reset an failed and uninitialized device."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:44.513Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fe3de867f94819ba0f28e035c0b0182150147d95"
        },
        {
          "url": "https://git.kernel.org/stable/c/571d3f6045cd3a6d9f6aec33b678f3ffe97582ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/902ef8f16d5ca77edc77c30656be54186c1e99b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/212fe1c0df4a150fb6298db2cfff267ceaba5402"
        }
      ],
      "title": "zram: fix potential UAF of zram table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21671",
    "datePublished": "2025-01-31T11:25:34.546Z",
    "dateReserved": "2024-12-29T08:45:45.735Z",
    "dateUpdated": "2025-05-04T07:18:44.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21688 (GCVE-0-2025-21688)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466. ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d
	https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6
	https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada
	https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a
	https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3
	https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd
	https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014
	https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412

Impacted products

Vendor

Product

Version

►

Linux

Version: 1bd6303d08c85072ce40ac01a767ab67195105bd
Version: a34050f70e7955a359874dff1a912a748724a140
Version: 14e0a874488e79086340ba8e2d238cb9596b68a8
Version: 2a1c88f7ca5c12dff6fa6787492ac910bb9e4407
Version: 63195bae1cbf78f1d392b1bc9ae4b03c82d0ebf3
Version: b22467b1ae104073dcb11aa78562a331cd7fb0e0
Version: e4b5ccd392b92300a2b341705cc4805681094e49
Version: e4b5ccd392b92300a2b341705cc4805681094e49

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9793206fbf5293534c3a79d78f196e2cbb48c22d",
              "status": "affected",
              "version": "1bd6303d08c85072ce40ac01a767ab67195105bd",
              "versionType": "git"
            },
            {
              "lessThan": "1f66a3a1a516e4d545906916b3f3c8d1c5e909e6",
              "status": "affected",
              "version": "a34050f70e7955a359874dff1a912a748724a140",
              "versionType": "git"
            },
            {
              "lessThan": "6cfafcad46e95351c477da0ae7e3acb8f7550ada",
              "status": "affected",
              "version": "14e0a874488e79086340ba8e2d238cb9596b68a8",
              "versionType": "git"
            },
            {
              "lessThan": "a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a",
              "status": "affected",
              "version": "2a1c88f7ca5c12dff6fa6787492ac910bb9e4407",
              "versionType": "git"
            },
            {
              "lessThan": "431fb709db434565b5e7cee82a11bd681a794fd3",
              "status": "affected",
              "version": "63195bae1cbf78f1d392b1bc9ae4b03c82d0ebf3",
              "versionType": "git"
            },
            {
              "lessThan": "01a7e3a43ee2e6607169a75889412344c10b37fd",
              "status": "affected",
              "version": "b22467b1ae104073dcb11aa78562a331cd7fb0e0",
              "versionType": "git"
            },
            {
              "lessThan": "3059e7aaa280daea57bb069fbc65225e1bb95014",
              "status": "affected",
              "version": "e4b5ccd392b92300a2b341705cc4805681094e49",
              "versionType": "git"
            },
            {
              "lessThan": "6e64d6b3a3c39655de56682ec83e894978d23412",
              "status": "affected",
              "version": "e4b5ccd392b92300a2b341705cc4805681094e49",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "5.15.177",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "6.1.127",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "6.6.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Assign job pointer to NULL before signaling the fence\n\nIn commit e4b5ccd392b9 (\"drm/v3d: Ensure job pointer is set to NULL\nafter job completion\"), we introduced a change to assign the job pointer\nto NULL after completing a job, indicating job completion.\n\nHowever, this approach created a race condition between the DRM\nscheduler workqueue and the IRQ execution thread. As soon as the fence is\nsignaled in the IRQ execution thread, a new job starts to be executed.\nThis results in a race condition where the IRQ execution thread sets the\njob pointer to NULL simultaneously as the `run_job()` function assigns\na new job to the pointer.\n\nThis race condition can lead to a NULL pointer dereference if the IRQ\nexecution thread sets the job pointer to NULL after `run_job()` assigns\nit to the new job. When the new job completes and the GPU emits an\ninterrupt, `v3d_irq()` is triggered, potentially causing a crash.\n\n[  466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n[  466.318928] Mem abort info:\n[  466.321723]   ESR = 0x0000000096000005\n[  466.325479]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  466.330807]   SET = 0, FnV = 0\n[  466.333864]   EA = 0, S1PTW = 0\n[  466.337010]   FSC = 0x05: level 1 translation fault\n[  466.341900] Data abort info:\n[  466.344783]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  466.350285]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  466.355350]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000\n[  466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[  466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6\n[  466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G         C         6.13.0-v8+ #18\n[  466.467336] Tainted: [C]=CRAP\n[  466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)\n[  466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  466.483143] pc : v3d_irq+0x118/0x2e0 [v3d]\n[  466.487258] lr : __handle_irq_event_percpu+0x60/0x228\n[  466.492327] sp : ffffffc080003ea0\n[  466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000\n[  466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200\n[  466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000\n[  466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000\n[  466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000\n[  466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0\n[  466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n[  466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70\n[  466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000\n[  466.567263] Call trace:\n[  466.569711]  v3d_irq+0x118/0x2e0 [v3d] (P)\n[  466.\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:04.899Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412"
        }
      ],
      "title": "drm/v3d: Assign job pointer to NULL before signaling the fence",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21688",
    "datePublished": "2025-02-10T15:58:44.717Z",
    "dateReserved": "2024-12-29T08:45:45.741Z",
    "dateUpdated": "2025-05-04T07:19:04.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45009 (GCVE-0-2024-45009)

Vulnerability from cvelistv5

Published

2024-09-11 15:13

Modified

2025-05-04 09:30

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req Adding the following warning ... WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) ... before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest. Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That's not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR.

References

►

URL

Tags

	https://git.kernel.org/stable/c/35b31f5549ede4070566b949781e83495906b43d
	https://git.kernel.org/stable/c/85b866e4c4e63a1d7afb58f1e24273caad03d0b7
	https://git.kernel.org/stable/c/d20bf2c96d7ffd171299b32f562f70e5bf5dc608
	https://git.kernel.org/stable/c/2060f1efab370b496c4903b840844ecaff324c3c
	https://git.kernel.org/stable/c/1c1f721375989579e46741f59523e39ec9b2a9bd

Impacted products

Vendor

Product

Version

►

Linux

Version: d0876b2284cf8b34dd214b2d0aa21071c345da59
Version: d0876b2284cf8b34dd214b2d0aa21071c345da59
Version: d0876b2284cf8b34dd214b2d0aa21071c345da59
Version: d0876b2284cf8b34dd214b2d0aa21071c345da59
Version: d0876b2284cf8b34dd214b2d0aa21071c345da59

Linux

Version: 5.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T15:51:12.192901Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T15:51:26.527Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35b31f5549ede4070566b949781e83495906b43d",
              "status": "affected",
              "version": "d0876b2284cf8b34dd214b2d0aa21071c345da59",
              "versionType": "git"
            },
            {
              "lessThan": "85b866e4c4e63a1d7afb58f1e24273caad03d0b7",
              "status": "affected",
              "version": "d0876b2284cf8b34dd214b2d0aa21071c345da59",
              "versionType": "git"
            },
            {
              "lessThan": "d20bf2c96d7ffd171299b32f562f70e5bf5dc608",
              "status": "affected",
              "version": "d0876b2284cf8b34dd214b2d0aa21071c345da59",
              "versionType": "git"
            },
            {
              "lessThan": "2060f1efab370b496c4903b840844ecaff324c3c",
              "status": "affected",
              "version": "d0876b2284cf8b34dd214b2d0aa21071c345da59",
              "versionType": "git"
            },
            {
              "lessThan": "1c1f721375989579e46741f59523e39ec9b2a9bd",
              "status": "affected",
              "version": "d0876b2284cf8b34dd214b2d0aa21071c345da59",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.107",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.167",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.107",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.48",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only decrement add_addr_accepted for MPJ req\n\nAdding the following warning ...\n\n  WARN_ON_ONCE(msk-\u003epm.add_addr_accepted == 0)\n\n... before decrementing the add_addr_accepted counter helped to find a\nbug when running the \"remove single subflow\" subtest from the\nmptcp_join.sh selftest.\n\nRemoving a \u0027subflow\u0027 endpoint will first trigger a RM_ADDR, then the\nsubflow closure. Before this patch, and upon the reception of the\nRM_ADDR, the other peer will then try to decrement this\nadd_addr_accepted. That\u0027s not correct because the attached subflows have\nnot been created upon the reception of an ADD_ADDR.\n\nA way to solve that is to decrement the counter only if the attached\nsubflow was an MP_JOIN to a remote id that was not 0, and initiated by\nthe host receiving the RM_ADDR."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:30:56.375Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35b31f5549ede4070566b949781e83495906b43d"
        },
        {
          "url": "https://git.kernel.org/stable/c/85b866e4c4e63a1d7afb58f1e24273caad03d0b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d20bf2c96d7ffd171299b32f562f70e5bf5dc608"
        },
        {
          "url": "https://git.kernel.org/stable/c/2060f1efab370b496c4903b840844ecaff324c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c1f721375989579e46741f59523e39ec9b2a9bd"
        }
      ],
      "title": "mptcp: pm: only decrement add_addr_accepted for MPJ req",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-45009",
    "datePublished": "2024-09-11T15:13:47.719Z",
    "dateReserved": "2024-08-21T05:34:56.679Z",
    "dateUpdated": "2025-05-04T09:30:56.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53680 (GCVE-0-2024-53680)

Vulnerability from cvelistv5

Published

2025-01-11 12:25

Modified

2025-05-04 09:56

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB.

References

►

URL

Tags

	https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f101a679243abb42a313ee88a
	https://git.kernel.org/stable/c/0b2cbed82b7c6504a8a0fbd181f92dd56b432c12
	https://git.kernel.org/stable/c/d6e1776f51c95827142f1d7064118e255e2deec1
	https://git.kernel.org/stable/c/664d0feab92495b6a27edc3d1119e232c0fe8b2b
	https://git.kernel.org/stable/c/124834133b32f9386bb2d8581d9ab92f65e951e4
	https://git.kernel.org/stable/c/48130002e64fd191b7d18efeb4d253fcc23e4688
	https://git.kernel.org/stable/c/146b6f1112eb30a19776d6c323c994e9d67790db

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31d1ddc1ce8e8d3f101a679243abb42a313ee88a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0b2cbed82b7c6504a8a0fbd181f92dd56b432c12",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d6e1776f51c95827142f1d7064118e255e2deec1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "664d0feab92495b6a27edc3d1119e232c0fe8b2b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "124834133b32f9386bb2d8581d9ab92f65e951e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "48130002e64fd191b7d18efeb4d253fcc23e4688",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "146b6f1112eb30a19776d6c323c994e9d67790db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()\n\nUnder certain kernel configurations when building with Clang/LLVM, the\ncompiler does not generate a return or jump as the terminator\ninstruction for ip_vs_protocol_init(), triggering the following objtool\nwarning during build time:\n\n  vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()\n\nAt runtime, this either causes an oops when trying to load the ipvs\nmodule or a boot-time panic if ipvs is built-in. This same issue has\nbeen reported by the Intel kernel test robot previously.\n\nDigging deeper into both LLVM and the kernel code reveals this to be a\nundefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer\nof 64 chars to store the registered protocol names and leaves it\nuninitialized after definition. The function calls strnlen() when\nconcatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE\nstrnlen() performs an extra step to check whether the last byte of the\ninput char buffer is a null character (commit 3009f891bb9f (\"fortify:\nAllow strlen() and strnlen() to pass compile-time known lengths\")).\nThis, together with possibly other configurations, cause the following\nIR to be generated:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section \".init.text\" align 16 !kcfi_type !29 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  14:                                               ; preds = %11\n    %15 = getelementptr inbounds i8, ptr %1, i64 63\n    %16 = load i8, ptr %15, align 1\n    %17 = tail call i1 @llvm.is.constant.i8(i8 %16)\n    %18 = icmp eq i8 %16, 0\n    %19 = select i1 %17, i1 %18, i1 false\n    br i1 %19, label %20, label %23\n\n  20:                                               ; preds = %14\n    %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23\n    ...\n\n  23:                                               ; preds = %14, %11, %20\n    %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24\n    ...\n  }\n\nThe above code calculates the address of the last char in the buffer\n(value %15) and then loads from it (value %16). Because the buffer is\nnever initialized, the LLVM GVN pass marks value %16 as undefined:\n\n  %13 = getelementptr inbounds i8, ptr %1, i64 63\n  br i1 undef, label %14, label %17\n\nThis gives later passes (SCCP, in particular) more DCE opportunities by\npropagating the undef value further, and eventually removes everything\nafter the load on the uninitialized stack location:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section \".init.text\" align 16 !kcfi_type !11 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  12:                                               ; preds = %11\n    %13 = getelementptr inbounds i8, ptr %1, i64 63\n    unreachable\n  }\n\nIn this way, the generated native code will just fall through to the\nnext function, as LLVM does not generate any code for the unreachable IR\ninstruction and leaves the function without a terminator.\n\nZero the on-stack buffer to avoid this possible UB."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:56:50.317Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f101a679243abb42a313ee88a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b2cbed82b7c6504a8a0fbd181f92dd56b432c12"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6e1776f51c95827142f1d7064118e255e2deec1"
        },
        {
          "url": "https://git.kernel.org/stable/c/664d0feab92495b6a27edc3d1119e232c0fe8b2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/124834133b32f9386bb2d8581d9ab92f65e951e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/48130002e64fd191b7d18efeb4d253fcc23e4688"
        },
        {
          "url": "https://git.kernel.org/stable/c/146b6f1112eb30a19776d6c323c994e9d67790db"
        }
      ],
      "title": "ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53680",
    "datePublished": "2025-01-11T12:25:21.794Z",
    "dateReserved": "2025-01-09T09:49:29.723Z",
    "dateUpdated": "2025-05-04T09:56:50.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21739 (GCVE-0-2025-21739)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup

References

►

URL

Tags

	https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207
	https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d
	https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada

Impacted products

Vendor

Product

Version

►

Linux

Version: d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350
Version: d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350
Version: d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350

Linux

Version: 5.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21739",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:30.354249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c",
            "drivers/ufs/host/ufshcd-pci.c",
            "drivers/ufs/host/ufshcd-pltfrm.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c77c0d754fe83cb154715fcfec6c3faef94f207",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            },
            {
              "lessThan": "9c185beae09a3eb85f54777edafa227f7e03075d",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            },
            {
              "lessThan": "f8fb2403ddebb5eea0033d90d9daae4c88749ada",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c",
            "drivers/ufs/host/ufshcd-pci.c",
            "drivers/ufs/host/ufshcd-pltfrm.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix use-after free in init error and remove paths\n\ndevm_blk_crypto_profile_init() registers a cleanup handler to run when\nthe associated (platform-) device is being released. For UFS, the\ncrypto private data and pointers are stored as part of the ufs_hba\u0027s\ndata structure \u0027struct ufs_hba::crypto_profile\u0027. This structure is\nallocated as part of the underlying ufshcd and therefore Scsi_host\nallocation.\n\nDuring driver release or during error handling in ufshcd_pltfrm_init(),\nthis structure is released as part of ufshcd_dealloc_host() before the\n(platform-) device associated with the crypto call above is released.\nOnce this device is released, the crypto cleanup code will run, using\nthe just-released \u0027struct ufs_hba::crypto_profile\u0027. This causes a\nuse-after-free situation:\n\n  Call trace:\n   kfree+0x60/0x2d8 (P)\n   kvfree+0x44/0x60\n   blk_crypto_profile_destroy_callback+0x28/0x70\n   devm_action_release+0x1c/0x30\n   release_nodes+0x6c/0x108\n   devres_release_all+0x98/0x100\n   device_unbind_cleanup+0x20/0x70\n   really_probe+0x218/0x2d0\n\nIn other words, the initialisation code flow is:\n\n  platform-device probe\n    ufshcd_pltfrm_init()\n      ufshcd_alloc_host()\n        scsi_host_alloc()\n          allocation of struct ufs_hba\n          creation of scsi-host devices\n    devm_blk_crypto_profile_init()\n      devm registration of cleanup handler using platform-device\n\nand during error handling of ufshcd_pltfrm_init() or during driver\nremoval:\n\n  ufshcd_dealloc_host()\n    scsi_host_put()\n      put_device(scsi-host)\n        release of struct ufs_hba\n  put_device(platform-device)\n    crypto cleanup handler\n\nTo fix this use-after free, change ufshcd_alloc_host() to register a\ndevres action to automatically cleanup the underlying SCSI device on\nufshcd destruction, without requiring explicit calls to\nufshcd_dealloc_host(). This way:\n\n    * the crypto profile and all other ufs_hba-owned resources are\n      destroyed before SCSI (as they\u0027ve been registered after)\n    * a memleak is plugged in tc-dwc-g210-pci.c remove() as a\n      side-effect\n    * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as\n      it\u0027s not needed anymore\n    * no future drivers using ufshcd_alloc_host() could ever forget\n      adding the cleanup"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:07.040Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada"
        }
      ],
      "title": "scsi: ufs: core: Fix use-after free in init error and remove paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21739",
    "datePublished": "2025-02-27T02:12:14.581Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:07.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57979 (GCVE-0-2024-57979)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:01

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: pps: Fix a use-after-free On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting: pps pps1: removed ------------[ cut here ]------------ kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]--- ...followed by more symptoms of corruption, with similar stacks: refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board. In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device. But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev. pps_core: source serial1 got cdev (251:1) <...> pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1

References

►

URL

Tags

	https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e
	https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62
	https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7
	https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6
	https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64
	https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49
	https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870
	https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe

Impacted products

Vendor

Product

Version

►

Linux

Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6
Version: 77327a71f9841b7dfa708195d1cb133d4ef4a989
Version: cd59fb14918a6b20c1ac8be121fa6397b97b00cb
Version: 49626fbb0360332e40fd76a48cb2ba876d6134ad

Linux

Version: 3.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:45.747533Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:30.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/clients/pps-gpio.c",
            "drivers/pps/clients/pps-ktimer.c",
            "drivers/pps/clients/pps-ldisc.c",
            "drivers/pps/clients/pps_parport.c",
            "drivers/pps/kapi.c",
            "drivers/pps/kc.c",
            "drivers/pps/pps.c",
            "drivers/ptp/ptp_ocp.c",
            "include/linux/pps_kernel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "1a7735ab2cb9747518a7416fb5929e85442dec62",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "91932db1d96b2952299ce30c1c693d834d10ace6",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "85241f7de216f8298f6e48540ea13d7dcd100870",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "77327a71f9841b7dfa708195d1cb133d4ef4a989",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cd59fb14918a6b20c1ac8be121fa6397b97b00cb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "49626fbb0360332e40fd76a48cb2ba876d6134ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/clients/pps-gpio.c",
            "drivers/pps/clients/pps-ktimer.c",
            "drivers/pps/clients/pps-ldisc.c",
            "drivers/pps/clients/pps_parport.c",
            "drivers/pps/kapi.c",
            "drivers/pps/kc.c",
            "drivers/pps/pps.c",
            "drivers/ptp/ptp_ocp.c",
            "include/linux/pps_kernel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.87",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.8.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I\u0027m seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: \u0027(null)\u0027 (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can\u0027t explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I\u0027ve\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can\u0027t reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n    pps_core: source serial1 got cdev (251:1)\n    \u003c...\u003e\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:47.796Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49"
        },
        {
          "url": "https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870"
        },
        {
          "url": "https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"
        }
      ],
      "title": "pps: Fix a use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57979",
    "datePublished": "2025-02-27T02:07:06.168Z",
    "dateReserved": "2025-02-27T02:04:28.912Z",
    "dateUpdated": "2025-05-04T13:01:47.796Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58076 (GCVE-0-2024-58076)

Vulnerability from cvelistv5

Published

2025-03-06 16:13

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for two clocks where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together.

References

►

URL

Tags

	https://git.kernel.org/stable/c/175af15551ed5aa6af16ff97aff75cfffb42da21
	https://git.kernel.org/stable/c/39336edd14a59dc086fb19957655e0f340bb28e8
	https://git.kernel.org/stable/c/08b77ed7cfaac62bba51ac7a0487409ec9fcbc84
	https://git.kernel.org/stable/c/b6fe13566bf5676b1e3b72d2a06d875733e93ee6
	https://git.kernel.org/stable/c/3e567032233a240b903dc11c9f18eeb3faa10ffa
	https://git.kernel.org/stable/c/96fe1a7ee477d701cfc98ab9d3c730c35d966861

Impacted products

Vendor

Product

Version

►

Linux

Version: 131abae905df99f63d825e47b4df100d34f518ce
Version: 131abae905df99f63d825e47b4df100d34f518ce
Version: 131abae905df99f63d825e47b4df100d34f518ce
Version: 131abae905df99f63d825e47b4df100d34f518ce
Version: 131abae905df99f63d825e47b4df100d34f518ce
Version: 131abae905df99f63d825e47b4df100d34f518ce

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/qcom/gcc-sm6350.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "175af15551ed5aa6af16ff97aff75cfffb42da21",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            },
            {
              "lessThan": "39336edd14a59dc086fb19957655e0f340bb28e8",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            },
            {
              "lessThan": "08b77ed7cfaac62bba51ac7a0487409ec9fcbc84",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            },
            {
              "lessThan": "b6fe13566bf5676b1e3b72d2a06d875733e93ee6",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            },
            {
              "lessThan": "3e567032233a240b903dc11c9f18eeb3faa10ffa",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            },
            {
              "lessThan": "96fe1a7ee477d701cfc98ab9d3c730c35d966861",
              "status": "affected",
              "version": "131abae905df99f63d825e47b4df100d34f518ce",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/qcom/gcc-sm6350.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-sm6350: Add missing parent_map for two clocks\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we\u0027ll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n  [    3.388105] Call trace:\n  [    3.390664]  qcom_find_src_index+0x3c/0x70 (P)\n  [    3.395301]  qcom_find_src_index+0x1c/0x70 (L)\n  [    3.399934]  _freq_tbl_determine_rate+0x48/0x100\n  [    3.404753]  clk_rcg2_determine_rate+0x1c/0x28\n  [    3.409387]  clk_core_determine_round_nolock+0x58/0xe4\n  [    3.421414]  clk_core_round_rate_nolock+0x48/0xfc\n  [    3.432974]  clk_core_round_rate_nolock+0xd0/0xfc\n  [    3.444483]  clk_core_set_rate_nolock+0x8c/0x300\n  [    3.455886]  clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for two clocks where it\u0027s missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:26.165Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/175af15551ed5aa6af16ff97aff75cfffb42da21"
        },
        {
          "url": "https://git.kernel.org/stable/c/39336edd14a59dc086fb19957655e0f340bb28e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/08b77ed7cfaac62bba51ac7a0487409ec9fcbc84"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6fe13566bf5676b1e3b72d2a06d875733e93ee6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e567032233a240b903dc11c9f18eeb3faa10ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/96fe1a7ee477d701cfc98ab9d3c730c35d966861"
        }
      ],
      "title": "clk: qcom: gcc-sm6350: Add missing parent_map for two clocks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58076",
    "datePublished": "2025-03-06T16:13:40.307Z",
    "dateReserved": "2025-03-06T15:52:09.182Z",
    "dateUpdated": "2025-05-04T10:09:26.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1094 (GCVE-0-2025-1094)

Vulnerability from cvelistv5

Published

2025-02-13 13:00

Modified

2025-03-14 03:55

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-149 - Improper Neutralization of Quoting Syntax

Summary

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

References

►

URL

Tags

https://www.postgresql.org/support/security/CVE-2025-1094/

Impacted products

	Vendor	Product	Version
	n/a	PostgreSQL	Version: 17 < 17.3 Version: 16 < 16.7 Version: 15 < 15.11 Version: 14 < 14.16 Version: 0 < 13.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1094",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T03:55:17.849Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-21T18:03:35.235Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/02/16/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/02/20/1"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250221-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "17.3",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.7",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.11",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.16",
              "status": "affected",
              "version": "14",
              "versionType": "rpm"
            },
            {
              "lessThan": "13.19",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.  Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal.  Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL.  Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-149",
              "description": "Improper Neutralization of Quoting Syntax",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T13:00:02.061Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2025-1094/"
        }
      ],
      "title": "PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Confirm input passes encoding validation before quoting it."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2025-1094",
    "datePublished": "2025-02-13T13:00:02.061Z",
    "dateReserved": "2025-02-06T20:43:07.911Z",
    "dateUpdated": "2025-03-14T03:55:17.849Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22868 (GCVE-0-2025-22868)

Vulnerability from cvelistv5

Published

2025-02-26 03:07

Modified

2025-02-26 14:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286: Improper Validation of Syntactic Correctness of Input

Summary

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

References

►

URL

Tags

	https://go.dev/cl/652155
	https://go.dev/issue/71490
	https://pkg.go.dev/vuln/GO-2025-3488

Impacted products

	Vendor	Product	Version
	golang.org/x/oauth2	golang.org/x/oauth2/jws	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22868",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T14:45:27.246610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1286",
                "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T14:46:20.671Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/oauth2/jws",
          "product": "golang.org/x/oauth2/jws",
          "programRoutines": [
            {
              "name": "Verify"
            }
          ],
          "vendor": "golang.org/x/oauth2",
          "versions": [
            {
              "lessThan": "0.27.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-26T03:07:49.012Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/652155"
        },
        {
          "url": "https://go.dev/issue/71490"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3488"
        }
      ],
      "title": "Unexpected memory consumption during token parsing in golang.org/x/oauth2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-22868",
    "datePublished": "2025-02-26T03:07:49.012Z",
    "dateReserved": "2025-01-08T19:11:42.834Z",
    "dateUpdated": "2025-02-26T14:46:20.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57993 (GCVE-0-2024-57993)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue. [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622

References

►

URL

Tags

	https://git.kernel.org/stable/c/220883fba32549a34f0734e4859d07f4dcd56992
	https://git.kernel.org/stable/c/ae730deded66150204c494282969bfa98dc3ae67
	https://git.kernel.org/stable/c/e5bcae4212a6a4b4204f46a1b8bcba08909d2007
	https://git.kernel.org/stable/c/816e84602900f7f951458d743fa12769635ebfd5
	https://git.kernel.org/stable/c/50420d7c79c37a3efe4010ff9b1bb14bc61ebccf

Impacted products

Vendor

Product

Version

►

Linux

Version: c49c33637802a2c6957a78119eb8be3b055dd9e9
Version: c49c33637802a2c6957a78119eb8be3b055dd9e9
Version: c49c33637802a2c6957a78119eb8be3b055dd9e9
Version: c49c33637802a2c6957a78119eb8be3b055dd9e9
Version: c49c33637802a2c6957a78119eb8be3b055dd9e9

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "220883fba32549a34f0734e4859d07f4dcd56992",
              "status": "affected",
              "version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
              "versionType": "git"
            },
            {
              "lessThan": "ae730deded66150204c494282969bfa98dc3ae67",
              "status": "affected",
              "version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
              "versionType": "git"
            },
            {
              "lessThan": "e5bcae4212a6a4b4204f46a1b8bcba08909d2007",
              "status": "affected",
              "version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
              "versionType": "git"
            },
            {
              "lessThan": "816e84602900f7f951458d743fa12769635ebfd5",
              "status": "affected",
              "version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
              "versionType": "git"
            },
            {
              "lessThan": "50420d7c79c37a3efe4010ff9b1bb14bc61ebccf",
              "status": "affected",
              "version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check\n\nsyzbot has found a type mismatch between a USB pipe and the transfer\nendpoint, which is triggered by the hid-thrustmaster driver[1].\nThere is a number of similar, already fixed issues [2].\nIn this case as in others, implementing check for endpoint type fixes the issue.\n\n[1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470\n[2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:55.416Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/220883fba32549a34f0734e4859d07f4dcd56992"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae730deded66150204c494282969bfa98dc3ae67"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5bcae4212a6a4b4204f46a1b8bcba08909d2007"
        },
        {
          "url": "https://git.kernel.org/stable/c/816e84602900f7f951458d743fa12769635ebfd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/50420d7c79c37a3efe4010ff9b1bb14bc61ebccf"
        }
      ],
      "title": "HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57993",
    "datePublished": "2025-02-27T02:07:14.953Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-05-04T10:07:55.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21745 (GCVE-0-2025-21745)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit().

References

►

URL

Tags

	https://git.kernel.org/stable/c/ffb494f1e7a047bd7a41b13796fcfb08fe5beafb
	https://git.kernel.org/stable/c/38287f779b34dfe959b4b681e909f2d3d52b88be
	https://git.kernel.org/stable/c/431b6ef2714be4d5babb802114987541a88b43b0
	https://git.kernel.org/stable/c/993121481b5a87829f1e8163f47158b72679f309
	https://git.kernel.org/stable/c/2ce09aabe009453d641a2ceb79e6461a2d4f3876
	https://git.kernel.org/stable/c/67c7f213e052b1aa6caba4a7e25e303bc6997126
	https://git.kernel.org/stable/c/d1248436cbef1f924c04255367ff4845ccd9025e

Impacted products

Vendor

Product

Version

►

Linux

Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac
Version: ef45fe470e1e5410db4af87abc5d5055427945ac

Linux

Version: 5.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ffb494f1e7a047bd7a41b13796fcfb08fe5beafb",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "38287f779b34dfe959b4b681e909f2d3d52b88be",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "431b6ef2714be4d5babb802114987541a88b43b0",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "993121481b5a87829f1e8163f47158b72679f309",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "2ce09aabe009453d641a2ceb79e6461a2d4f3876",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "67c7f213e052b1aa6caba4a7e25e303bc6997126",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            },
            {
              "lessThan": "d1248436cbef1f924c04255367ff4845ccd9025e",
              "status": "affected",
              "version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix class @block_class\u0027s subsystem refcount leakage\n\nblkcg_fill_root_iostats() iterates over @block_class\u0027s devices by\nclass_dev_iter_(init|next)(), but does not end iterating with\nclass_dev_iter_exit(), so causes the class\u0027s subsystem refcount leakage.\n\nFix by ending the iterating with class_dev_iter_exit()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:12.950Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ffb494f1e7a047bd7a41b13796fcfb08fe5beafb"
        },
        {
          "url": "https://git.kernel.org/stable/c/38287f779b34dfe959b4b681e909f2d3d52b88be"
        },
        {
          "url": "https://git.kernel.org/stable/c/431b6ef2714be4d5babb802114987541a88b43b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/993121481b5a87829f1e8163f47158b72679f309"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ce09aabe009453d641a2ceb79e6461a2d4f3876"
        },
        {
          "url": "https://git.kernel.org/stable/c/67c7f213e052b1aa6caba4a7e25e303bc6997126"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1248436cbef1f924c04255367ff4845ccd9025e"
        }
      ],
      "title": "blk-cgroup: Fix class @block_class\u0027s subsystem refcount leakage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21745",
    "datePublished": "2025-02-27T02:12:17.853Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:12.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57978 (GCVE-0-2024-57978)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Fix potential error pointer dereference in detach_pm() The proble is on the first line: if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i])) If jpeg->pd_dev[i] is an error pointer, then passing it to pm_runtime_suspended() will lead to an Oops. The other conditions check for both error pointers and NULL, but it would be more clear to use the IS_ERR_OR_NULL() check for that.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a32ba399a030853f2db45a90ba5474fdd3494aad
	https://git.kernel.org/stable/c/fde89fe11b44500bfcb2d405825b69a5df805d19
	https://git.kernel.org/stable/c/1b2af918bb714937a8be6cb637f528585461cd98
	https://git.kernel.org/stable/c/6e601a64f7777e2f78c02db1a8b5ba3b7c5e9e31
	https://git.kernel.org/stable/c/f0b8535a7885ed4fd0b11625addb5476cae0f845
	https://git.kernel.org/stable/c/1378ffec30367233152b7dbf4fa6a25ee98585d1

Impacted products

Vendor

Product

Version

►

Linux

Version: f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5
Version: 12914fd765ba4f9d6a9a50439e8dd2e9f91423f2
Version: b7a830bbc25da0f641e3ef2bac3b1766b2777a8b
Version: 2f86d104539fab9181ea7b5721f40e7b92a8bf67
Version: fd0af4cd35da0eb550ef682b71cda70a4e36f6b9
Version: fd0af4cd35da0eb550ef682b71cda70a4e36f6b9

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a32ba399a030853f2db45a90ba5474fdd3494aad",
              "status": "affected",
              "version": "f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5",
              "versionType": "git"
            },
            {
              "lessThan": "fde89fe11b44500bfcb2d405825b69a5df805d19",
              "status": "affected",
              "version": "12914fd765ba4f9d6a9a50439e8dd2e9f91423f2",
              "versionType": "git"
            },
            {
              "lessThan": "1b2af918bb714937a8be6cb637f528585461cd98",
              "status": "affected",
              "version": "b7a830bbc25da0f641e3ef2bac3b1766b2777a8b",
              "versionType": "git"
            },
            {
              "lessThan": "6e601a64f7777e2f78c02db1a8b5ba3b7c5e9e31",
              "status": "affected",
              "version": "2f86d104539fab9181ea7b5721f40e7b92a8bf67",
              "versionType": "git"
            },
            {
              "lessThan": "f0b8535a7885ed4fd0b11625addb5476cae0f845",
              "status": "affected",
              "version": "fd0af4cd35da0eb550ef682b71cda70a4e36f6b9",
              "versionType": "git"
            },
            {
              "lessThan": "1378ffec30367233152b7dbf4fa6a25ee98585d1",
              "status": "affected",
              "version": "fd0af4cd35da0eb550ef682b71cda70a4e36f6b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.174",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.12.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Fix potential error pointer dereference in detach_pm()\n\nThe proble is on the first line:\n\n\tif (jpeg-\u003epd_dev[i] \u0026\u0026 !pm_runtime_suspended(jpeg-\u003epd_dev[i]))\n\nIf jpeg-\u003epd_dev[i] is an error pointer, then passing it to\npm_runtime_suspended() will lead to an Oops.  The other conditions\ncheck for both error pointers and NULL, but it would be more clear to\nuse the IS_ERR_OR_NULL() check for that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:34.839Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a32ba399a030853f2db45a90ba5474fdd3494aad"
        },
        {
          "url": "https://git.kernel.org/stable/c/fde89fe11b44500bfcb2d405825b69a5df805d19"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b2af918bb714937a8be6cb637f528585461cd98"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e601a64f7777e2f78c02db1a8b5ba3b7c5e9e31"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0b8535a7885ed4fd0b11625addb5476cae0f845"
        },
        {
          "url": "https://git.kernel.org/stable/c/1378ffec30367233152b7dbf4fa6a25ee98585d1"
        }
      ],
      "title": "media: imx-jpeg: Fix potential error pointer dereference in detach_pm()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57978",
    "datePublished": "2025-02-27T02:07:05.593Z",
    "dateReserved": "2025-02-27T02:04:28.912Z",
    "dateUpdated": "2025-05-04T10:07:34.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35910 (GCVE-0-2024-35910)

Vulnerability from cvelistv5

Published

2024-05-19 08:35

Modified

2025-05-04 09:08

Severity ?

5.8 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: properly terminate timers for kernel sockets We had various syzbot reports about tcp timers firing after the corresponding netns has been dismantled. Fortunately Josef Bacik could trigger the issue more often, and could test a patch I wrote two years ago. When TCP sockets are closed, we call inet_csk_clear_xmit_timers() to 'stop' the timers. inet_csk_clear_xmit_timers() can be called from any context, including when socket lock is held. This is the reason it uses sk_stop_timer(), aka del_timer(). This means that ongoing timers might finish much later. For user sockets, this is fine because each running timer holds a reference on the socket, and the user socket holds a reference on the netns. For kernel sockets, we risk that the netns is freed before timer can complete, because kernel sockets do not hold reference on the netns. This patch adds inet_csk_clear_xmit_timers_sync() function that using sk_stop_timer_sync() to make sure all timers are terminated before the kernel socket is released. Modules using kernel sockets close them in their netns exit() handler. Also add sock_not_owned_by_me() helper to get LOCKDEP support : inet_csk_clear_xmit_timers_sync() must not be called while socket lock is held. It is very possible we can revert in the future commit 3a58f13a881e ("net: rds: acquire refcount on TCP sockets") which attempted to solve the issue in rds only. (net/smc/af_smc.c and net/mptcp/subflow.c have similar code) We probably can remove the check_net() tests from tcp_out_of_resources() and __tcp_close() in the future.

References

►

URL

Tags

	https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50
	https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f
	https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810
	https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4
	https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de
	https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87
	https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a
	https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada

Impacted products

Vendor

Product

Version

►

Linux

Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe

Linux

Version: 4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35910",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:25:39.390284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-29T19:44:27.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/inet_connection_sock.h",
            "include/net/sock.h",
            "net/ipv4/inet_connection_sock.c",
            "net/ipv4/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93f0133b9d589cc6e865f254ad9be3e9d8133f50",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "44e62f5d35678686734afd47c6a421ad30772e7f",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "e3e27d2b446deb1f643758a0c4731f5c22492810",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "91b243de910a9ac8476d40238ab3dbfeedd5b7de",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "c1ae4d1e76eacddaacb958b67cd942082f800c87",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "899265c1389fe022802aae73dbf13ee08837a35a",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            },
            {
              "lessThan": "151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada",
              "status": "affected",
              "version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/inet_connection_sock.h",
            "include/net/sock.h",
            "net/ipv4/inet_connection_sock.c",
            "net/ipv4/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.312",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.312",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.274",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.215",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.154",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.85",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.26",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto \u0027stop\u0027 the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:08:11.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"
        },
        {
          "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"
        },
        {
          "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"
        },
        {
          "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"
        }
      ],
      "title": "tcp: properly terminate timers for kernel sockets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35910",
    "datePublished": "2024-05-19T08:35:03.287Z",
    "dateReserved": "2024-05-17T13:50:33.121Z",
    "dateUpdated": "2025-05-04T09:08:11.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21765 (GCVE-0-2025-21765)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear.

References

►

URL

Tags

	https://git.kernel.org/stable/c/78ad057472d8c76e0602402269222f9f9c698790
	https://git.kernel.org/stable/c/d02f30d220ef9511568a48dba8a9004c65f8d904
	https://git.kernel.org/stable/c/28de355b63ad42309ed5a03ee7c436c90512265b
	https://git.kernel.org/stable/c/84212387caadb211cd9dadd6fd5563bd37dc1f5e
	https://git.kernel.org/stable/c/4176a68b0db8fc74ac14fcd00ba8231371051dc2
	https://git.kernel.org/stable/c/713a40c892f40300d63691d9f85b2a23b48fe1e8
	https://git.kernel.org/stable/c/550ed693f47370502a71b85382e7f9e6417300b8
	https://git.kernel.org/stable/c/3c8ffcd248da34fc41e52a46e51505900115fc2a

Impacted products

Vendor

Product

Version

►

Linux

Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e

Linux

Version: 2.6.26

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78ad057472d8c76e0602402269222f9f9c698790",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "d02f30d220ef9511568a48dba8a9004c65f8d904",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "28de355b63ad42309ed5a03ee7c436c90512265b",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "84212387caadb211cd9dadd6fd5563bd37dc1f5e",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "4176a68b0db8fc74ac14fcd00ba8231371051dc2",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "713a40c892f40300d63691d9f85b2a23b48fe1e8",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "550ed693f47370502a71b85382e7f9e6417300b8",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            },
            {
              "lessThan": "3c8ffcd248da34fc41e52a46e51505900115fc2a",
              "status": "affected",
              "version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU protection in ip6_default_advmss()\n\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:38.487Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78ad057472d8c76e0602402269222f9f9c698790"
        },
        {
          "url": "https://git.kernel.org/stable/c/d02f30d220ef9511568a48dba8a9004c65f8d904"
        },
        {
          "url": "https://git.kernel.org/stable/c/28de355b63ad42309ed5a03ee7c436c90512265b"
        },
        {
          "url": "https://git.kernel.org/stable/c/84212387caadb211cd9dadd6fd5563bd37dc1f5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4176a68b0db8fc74ac14fcd00ba8231371051dc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/713a40c892f40300d63691d9f85b2a23b48fe1e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/550ed693f47370502a71b85382e7f9e6417300b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c8ffcd248da34fc41e52a46e51505900115fc2a"
        }
      ],
      "title": "ipv6: use RCU protection in ip6_default_advmss()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21765",
    "datePublished": "2025-02-27T02:18:16.078Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:38.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-24014 (GCVE-0-2025-24014)

Vulnerability from cvelistv5

Published

2025-01-20 22:53

Modified

2025-03-14 10:03

Severity ?

4.2 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-787 - Out-of-bounds Write

Summary

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

References

►

URL

Tags

	https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: < 9.1.1043

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-14T10:03:09.511Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/20/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/21/1"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250314-0005/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24014",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-21T14:42:41.237005Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-21T14:42:50.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.1.1043"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn\u0027t show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn\u0027t been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-20T22:53:14.325Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955"
        },
        {
          "name": "https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919"
        }
      ],
      "source": {
        "advisory": "GHSA-j3g9-wg22-v955",
        "discovery": "UNKNOWN"
      },
      "title": "segmentation fault in win_line() in Vim \u003c 9.1.1043"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24014",
    "datePublished": "2025-01-20T22:53:14.325Z",
    "dateReserved": "2025-01-16T17:31:06.458Z",
    "dateUpdated": "2025-03-14T10:03:09.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58079 (GCVE-0-2024-58079)

Vulnerability from cvelistv5

Published

2025-03-06 16:13

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix crash during unbind if gpio unit is in use We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions may be called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error.

References

►

URL

Tags

	https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298
	https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3
	https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9
	https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e
	https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d
	https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5

Impacted products

Vendor

Product

Version

►

Linux

Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28

Linux

Version: 5.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0fdd7cc593385e46e92e180b71e264fc9c195298",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "3c00e94d00ca079bef7906d6f39d1091bccfedd3",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "0b5e0445bc8384c18bd35cb9fe87f6258c6271d9",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "d2eac8b14ac690aa73052aa6d4ba69005715367e",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix crash during unbind if gpio unit is in use\n\nWe used the wrong device for the device managed functions. We used the\nusb device, when we should be using the interface device.\n\nIf we unbind the driver from the usb interface, the cleanup functions\nare never called. In our case, the IRQ is never disabled.\n\nIf an IRQ is triggered, it will try to access memory sections that are\nalready free, causing an OOPS.\n\nWe cannot use the function devm_request_threaded_irq here. The devm_*\nclean functions may be called after the main structure is released by\nuvc_delete.\n\nLuckily this bug has small impact, as it is only affected by devices\nwith gpio units and the user has to unbind the device, a disconnect will\nnot trigger this error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:30.587Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5"
        }
      ],
      "title": "media: uvcvideo: Fix crash during unbind if gpio unit is in use",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58079",
    "datePublished": "2025-03-06T16:13:42.640Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-05-04T10:09:30.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57973 (GCVE-0-2024-57973)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2b759f78b83221f4a1cae3aeb20b500e375f3ee6
	https://git.kernel.org/stable/c/d64148a10a85952352de6091ceed99fb9ce2d3ee
	https://git.kernel.org/stable/c/e53ca458f543aa352d09b484550de173cb9085c2
	https://git.kernel.org/stable/c/4422f452d028850b9cc4fd8f1cf45a8ff91855eb
	https://git.kernel.org/stable/c/de8d88b68d0cfd41152a7a63d6aec0ed3e1b837a
	https://git.kernel.org/stable/c/dd352107f22bfbecbbf3b74bde14f3f932296309
	https://git.kernel.org/stable/c/aeb814484387811b3579d5c78ad4eb301e3bf1c8
	https://git.kernel.org/stable/c/bd96a3935e89486304461a21752f824fc25e0f0b

Impacted products

Vendor

Product

Version

►

Linux

Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53
Version: 1cab775c3e75f1250c965feafd061d696df36e53

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/cxgb4/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b759f78b83221f4a1cae3aeb20b500e375f3ee6",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "d64148a10a85952352de6091ceed99fb9ce2d3ee",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "e53ca458f543aa352d09b484550de173cb9085c2",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "4422f452d028850b9cc4fd8f1cf45a8ff91855eb",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "de8d88b68d0cfd41152a7a63d6aec0ed3e1b837a",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "dd352107f22bfbecbbf3b74bde14f3f932296309",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "aeb814484387811b3579d5c78ad4eb301e3bf1c8",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            },
            {
              "lessThan": "bd96a3935e89486304461a21752f824fc25e0f0b",
              "status": "affected",
              "version": "1cab775c3e75f1250c965feafd061d696df36e53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/cxgb4/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrdma/cxgb4: Prevent potential integer overflow on 32bit\n\nThe \"gl-\u003etot_len\" variable is controlled by the user.  It comes from\nprocess_responses().  On 32bit systems, the \"gl-\u003etot_len + sizeof(struct\ncpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an\ninteger wrapping bug.  Use size_add() to prevent this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:27.876Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b759f78b83221f4a1cae3aeb20b500e375f3ee6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d64148a10a85952352de6091ceed99fb9ce2d3ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/e53ca458f543aa352d09b484550de173cb9085c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4422f452d028850b9cc4fd8f1cf45a8ff91855eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/de8d88b68d0cfd41152a7a63d6aec0ed3e1b837a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd352107f22bfbecbbf3b74bde14f3f932296309"
        },
        {
          "url": "https://git.kernel.org/stable/c/aeb814484387811b3579d5c78ad4eb301e3bf1c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd96a3935e89486304461a21752f824fc25e0f0b"
        }
      ],
      "title": "rdma/cxgb4: Prevent potential integer overflow on 32bit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57973",
    "datePublished": "2025-02-27T02:07:02.342Z",
    "dateReserved": "2025-02-27T02:04:28.911Z",
    "dateUpdated": "2025-05-04T10:07:27.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21665 (GCVE-0-2025-21665)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem.

References

►

URL

Tags

	https://git.kernel.org/stable/c/64e5fd96330df2ad278d1c4edcca581f26e5f76e
	https://git.kernel.org/stable/c/80fc836f3ebe2f2d2d2c80c698b7667974285a04
	https://git.kernel.org/stable/c/09528bb1a4123e2a234eac2bc45a0e51e78dab43
	https://git.kernel.org/stable/c/280f1fb89afc01e7376f59ae611d54ca69e9f967
	https://git.kernel.org/stable/c/f505e6c91e7a22d10316665a86d79f84d9f0ba76

Impacted products

Vendor

Product

Version

►

Linux

Version: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d
Version: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d
Version: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d
Version: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d
Version: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d

Linux

Version: 5.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64e5fd96330df2ad278d1c4edcca581f26e5f76e",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "80fc836f3ebe2f2d2d2c80c698b7667974285a04",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "09528bb1a4123e2a234eac2bc45a0e51e78dab43",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "280f1fb89afc01e7376f59ae611d54ca69e9f967",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "f505e6c91e7a22d10316665a86d79f84d9f0ba76",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: avoid truncating 64-bit offset to 32 bits\n\nOn 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a\n64-bit value to 32 bits, leading to a possible infinite loop when writing\nto an xfs filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:31.947Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64e5fd96330df2ad278d1c4edcca581f26e5f76e"
        },
        {
          "url": "https://git.kernel.org/stable/c/80fc836f3ebe2f2d2d2c80c698b7667974285a04"
        },
        {
          "url": "https://git.kernel.org/stable/c/09528bb1a4123e2a234eac2bc45a0e51e78dab43"
        },
        {
          "url": "https://git.kernel.org/stable/c/280f1fb89afc01e7376f59ae611d54ca69e9f967"
        },
        {
          "url": "https://git.kernel.org/stable/c/f505e6c91e7a22d10316665a86d79f84d9f0ba76"
        }
      ],
      "title": "filemap: avoid truncating 64-bit offset to 32 bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21665",
    "datePublished": "2025-01-31T11:25:30.468Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-05-04T07:18:31.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21750 (GCVE-0-2025-21750)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this: BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions violation PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025 Oops: Oops: 0001 [#1] SMP PTI CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1 Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024 RIP: 0010:strlen+0x4/0x30 Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202 RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001 RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379 RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8 R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30 FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x149/0x4c0 ? raw_spin_rq_lock_nested+0xe/0x20 ? sched_balance_newidle+0x22b/0x3c0 ? update_load_avg+0x78/0x770 ? exc_page_fault+0x6f/0x150 ? asm_exc_page_fault+0x26/0x30 ? __pfx_pci_conf1_write+0x10/0x10 ? strlen+0x4/0x30 devm_kstrdup+0x25/0x70 brcmf_of_probe+0x273/0x350 [brcmfmac]

References

►

URL

Tags

	https://git.kernel.org/stable/c/af525a8b2ab85291617e79a5bb18bcdcb529e80c
	https://git.kernel.org/stable/c/c9480e9f2d10135476101619bcbd1c49c15d595f
	https://git.kernel.org/stable/c/7ef2ea1429684d5cef207519bdf6ce45e50e8ac5
	https://git.kernel.org/stable/c/bb8e35e33e79eb8e44396adbc8cb6c8c5f16b731
	https://git.kernel.org/stable/c/082d9e263af8de68f0c34f67b251818205160f6e

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af525a8b2ab85291617e79a5bb18bcdcb529e80c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9480e9f2d10135476101619bcbd1c49c15d595f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7ef2ea1429684d5cef207519bdf6ce45e50e8ac5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bb8e35e33e79eb8e44396adbc8cb6c8c5f16b731",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "082d9e263af8de68f0c34f67b251818205160f6e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the return value of of_property_read_string_index()\n\nSomewhen between 6.10 and 6.11 the driver started to crash on my\nMacBookPro14,3. The property doesn\u0027t exist and \u0027tmp\u0027 remains\nuninitialized, so we pass a random pointer to devm_kstrdup().\n\nThe crash I am getting looks like this:\n\nBUG: unable to handle page fault for address: 00007f033c669379\nPF: supervisor read access in kernel mode\nPF: error_code(0x0001) - permissions violation\nPGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025\nOops: Oops: 0001 [#1] SMP PTI\nCPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1\nHardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024\nRIP: 0010:strlen+0x4/0x30\nCode: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa \u003c80\u003e 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc\nRSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202\nRAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001\nRDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379\nRBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a\nR10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8\nR13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30\nFS:  00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x149/0x4c0\n ? raw_spin_rq_lock_nested+0xe/0x20\n ? sched_balance_newidle+0x22b/0x3c0\n ? update_load_avg+0x78/0x770\n ? exc_page_fault+0x6f/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_pci_conf1_write+0x10/0x10\n ? strlen+0x4/0x30\n devm_kstrdup+0x25/0x70\n brcmf_of_probe+0x273/0x350 [brcmfmac]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:18.364Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af525a8b2ab85291617e79a5bb18bcdcb529e80c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9480e9f2d10135476101619bcbd1c49c15d595f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ef2ea1429684d5cef207519bdf6ce45e50e8ac5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb8e35e33e79eb8e44396adbc8cb6c8c5f16b731"
        },
        {
          "url": "https://git.kernel.org/stable/c/082d9e263af8de68f0c34f67b251818205160f6e"
        }
      ],
      "title": "wifi: brcmfmac: Check the return value of of_property_read_string_index()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21750",
    "datePublished": "2025-02-27T02:12:21.155Z",
    "dateReserved": "2024-12-29T08:45:45.758Z",
    "dateUpdated": "2025-05-04T07:20:18.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21823 (GCVE-0-2025-21823)

Vulnerability from cvelistv5

Published

2025-02-27 20:06

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: Drop unmanaged ELP metric worker The ELP worker needs to calculate new metric values for all neighbors "reachable" over an interface. Some of the used metric sources require locks which might need to sleep. This sleep is incompatible with the RCU list iterator used for the recorded neighbors. The initial approach to work around of this problem was to queue another work item per neighbor and then run this in a new context. Even when this solved the RCU vs might_sleep() conflict, it has a major problems: Nothing was stopping the work item in case it is not needed anymore - for example because one of the related interfaces was removed or the batman-adv module was unloaded - resulting in potential invalid memory accesses. Directly canceling the metric worker also has various problems: * cancel_work_sync for a to-be-deactivated interface is called with rtnl_lock held. But the code in the ELP metric worker also tries to use rtnl_lock() - which will never return in this case. This also means that cancel_work_sync would never return because it is waiting for the worker to finish. * iterating over the neighbor list for the to-be-deactivated interface is currently done using the RCU specific methods. Which means that it is possible to miss items when iterating over it without the associated spinlock - a behaviour which is acceptable for a periodic metric check but not for a cleanup routine (which must "stop" all still running workers) The better approch is to get rid of the per interface neighbor metric worker and handle everything in the interface worker. The original problems are solved by: * creating a list of neighbors which require new metric information inside the RCU protected context, gathering the metric according to the new list outside the RCU protected context * only use rcu_trylock inside metric gathering code to avoid a deadlock when the cancel_delayed_work_sync is called in the interface removal code (which is called with the rtnl_lock held)

References

►

URL

Tags

	https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631
	https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66
	https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6
	https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff
	https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264
	https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24
	https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e
	https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d

Impacted products

Vendor

Product

Version

►

Linux

Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v.c",
            "net/batman-adv/bat_v_elp.c",
            "net/batman-adv/bat_v_elp.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c334629176c2d644befc31a20d4bf75542f7631",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "a0019971f340ae02ba54cf1861f72da7e03e6b66",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "781a06fd265a8151f7601122d9c2e985663828ff",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "a7aa2317285806640c844acd4cd2cd768e395264",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "0fdc3c166ac17b26014313fa2b93696354511b24",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "8c8ecc98f5c65947b0070a24bac11e12e47cc65d",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v.c",
            "net/batman-adv/bat_v_elp.c",
            "net/batman-adv/bat_v_elp.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Drop unmanaged ELP metric worker\n\nThe ELP worker needs to calculate new metric values for all neighbors\n\"reachable\" over an interface. Some of the used metric sources require\nlocks which might need to sleep. This sleep is incompatible with the RCU\nlist iterator used for the recorded neighbors. The initial approach to work\naround of this problem was to queue another work item per neighbor and then\nrun this in a new context.\n\nEven when this solved the RCU vs might_sleep() conflict, it has a major\nproblems: Nothing was stopping the work item in case it is not needed\nanymore - for example because one of the related interfaces was removed or\nthe batman-adv module was unloaded - resulting in potential invalid memory\naccesses.\n\nDirectly canceling the metric worker also has various problems:\n\n* cancel_work_sync for a to-be-deactivated interface is called with\n  rtnl_lock held. But the code in the ELP metric worker also tries to use\n  rtnl_lock() - which will never return in this case. This also means that\n  cancel_work_sync would never return because it is waiting for the worker\n  to finish.\n* iterating over the neighbor list for the to-be-deactivated interface is\n  currently done using the RCU specific methods. Which means that it is\n  possible to miss items when iterating over it without the associated\n  spinlock - a behaviour which is acceptable for a periodic metric check\n  but not for a cleanup routine (which must \"stop\" all still running\n  workers)\n\nThe better approch is to get rid of the per interface neighbor metric\nworker and handle everything in the interface worker. The original problems\nare solved by:\n\n* creating a list of neighbors which require new metric information inside\n  the RCU protected context, gathering the metric according to the new list\n  outside the RCU protected context\n* only use rcu_trylock inside metric gathering code to avoid a deadlock\n  when the cancel_delayed_work_sync is called in the interface removal code\n  (which is called with the rtnl_lock held)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:54.473Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24"
        },
        {
          "url": "https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d"
        }
      ],
      "title": "batman-adv: Drop unmanaged ELP metric worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21823",
    "datePublished": "2025-02-27T20:06:14.074Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:54.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21835 (GCVE-0-2025-21835)

Vulnerability from cvelistv5

Published

2025-03-07 09:09

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. This does not matter when the numbers of in and out ports are equal, but when they differ the host will receive broken descriptors with uninitialized stack memory leaking into the descriptor for whichever value is smaller. The precise meaning of "in" and "out" in the port counts is not clearly defined and can be confusing. But elsewhere the driver consistently uses this to match the USB meaning of IN and OUT viewed from the host, so that "in" ports send data to the host and "out" ports receive data from it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3a983390d14e8498f303fc5cb23ab7d696b815db
	https://git.kernel.org/stable/c/9f36a89dcb78cb7e37f487b04a16396ac18c0636
	https://git.kernel.org/stable/c/d8e86700c8a8cf415e300a0921acd6a8f9b494f8
	https://git.kernel.org/stable/c/9f6860a9c11301b052225ca8825f8d2b1a5825bf
	https://git.kernel.org/stable/c/6ae6dee9f005a2f3b739b85abb6f14a0935699e0
	https://git.kernel.org/stable/c/6b16761a928796e4b49e89a0b1ac284155172726
	https://git.kernel.org/stable/c/a2d0694e1f111379c1efdf439dadd3cfd959fe9d
	https://git.kernel.org/stable/c/da1668997052ed1cb00322e1f3b63702615c9429

Impacted products

Vendor

Product

Version

►

Linux

Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97
Version: c8933c3f79568263c90a46f06cf80419e6c63c97

Linux

Version: 3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3a983390d14e8498f303fc5cb23ab7d696b815db",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "9f36a89dcb78cb7e37f487b04a16396ac18c0636",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "d8e86700c8a8cf415e300a0921acd6a8f9b494f8",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "9f6860a9c11301b052225ca8825f8d2b1a5825bf",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "6ae6dee9f005a2f3b739b85abb6f14a0935699e0",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "6b16761a928796e4b49e89a0b1ac284155172726",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "a2d0694e1f111379c1efdf439dadd3cfd959fe9d",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            },
            {
              "lessThan": "da1668997052ed1cb00322e1f3b63702615c9429",
              "status": "affected",
              "version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_midi: fix MIDI Streaming descriptor lengths\n\nWhile the MIDI jacks are configured correctly, and the MIDIStreaming\nendpoint descriptors are filled with the correct information,\nbNumEmbMIDIJack and bLength are set incorrectly in these descriptors.\n\nThis does not matter when the numbers of in and out ports are equal, but\nwhen they differ the host will receive broken descriptors with\nuninitialized stack memory leaking into the descriptor for whichever\nvalue is smaller.\n\nThe precise meaning of \"in\" and \"out\" in the port counts is not clearly\ndefined and can be confusing.  But elsewhere the driver consistently\nuses this to match the USB meaning of IN and OUT viewed from the host,\nso that \"in\" ports send data to the host and \"out\" ports receive data\nfrom it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:08.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3a983390d14e8498f303fc5cb23ab7d696b815db"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f36a89dcb78cb7e37f487b04a16396ac18c0636"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8e86700c8a8cf415e300a0921acd6a8f9b494f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f6860a9c11301b052225ca8825f8d2b1a5825bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ae6dee9f005a2f3b739b85abb6f14a0935699e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b16761a928796e4b49e89a0b1ac284155172726"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2d0694e1f111379c1efdf439dadd3cfd959fe9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/da1668997052ed1cb00322e1f3b63702615c9429"
        }
      ],
      "title": "usb: gadget: f_midi: fix MIDI Streaming descriptor lengths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21835",
    "datePublished": "2025-03-07T09:09:55.320Z",
    "dateReserved": "2024-12-29T08:45:45.777Z",
    "dateUpdated": "2025-05-04T07:22:08.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22247 (GCVE-0-2025-22247)

Vulnerability from cvelistv5

Published

2025-05-12 10:46

Modified

2025-05-14 17:02

Severity ?

6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Summary

VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.

References

►

URL

Tags

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683

Impacted products

	Vendor	Product	Version
	n/a	VMware Tools	Version: 12.x.x, 11.x.x < 12.5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22247",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T12:14:29.606843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T12:15:20.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-14T17:02:52.798Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/12/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/13/2"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "VMware Tools",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "12.5.2",
              "status": "affected",
              "version": "12.x.x, 11.x.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-05-12T04:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVMware Tools contains an insecure file handling vulnerability.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "VMware Tools contains an insecure file handling vulnerability.\u00a0A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T17:51:21.733Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure file handling vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2025-22247",
    "datePublished": "2025-05-12T10:46:36.155Z",
    "dateReserved": "2025-01-02T04:30:19.929Z",
    "dateUpdated": "2025-05-14T17:02:52.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58069 (GCVE-0-2024-58069)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int. Fix this by using an intermediary unsigned int to hold the value.

References

►

URL

Tags

	https://git.kernel.org/stable/c/21cd59fcb9952eb7505da2bdfc1eb9c619df3ff4
	https://git.kernel.org/stable/c/6f2a8ca9a0a38589f52a7f0fb9425b9ba987ae7c
	https://git.kernel.org/stable/c/e5536677da803ed54a29a446515c28dce7d3d574
	https://git.kernel.org/stable/c/c72b7a474d3f445bf0c5bcf8ffed332c78eb28a1
	https://git.kernel.org/stable/c/9adefa7b9559d0f21034a5d5ec1b55840c9348b9
	https://git.kernel.org/stable/c/e5e06455760f2995b16a176033909347929d1128
	https://git.kernel.org/stable/c/517aedb365f2c94e2d7e0b908ac7127df76203a1
	https://git.kernel.org/stable/c/3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c

Impacted products

Vendor

Product

Version

►

Linux

Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9

Linux

Version: 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rtc/rtc-pcf85063.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "21cd59fcb9952eb7505da2bdfc1eb9c619df3ff4",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "6f2a8ca9a0a38589f52a7f0fb9425b9ba987ae7c",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "e5536677da803ed54a29a446515c28dce7d3d574",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "c72b7a474d3f445bf0c5bcf8ffed332c78eb28a1",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "9adefa7b9559d0f21034a5d5ec1b55840c9348b9",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "e5e06455760f2995b16a176033909347929d1128",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "517aedb365f2c94e2d7e0b908ac7127df76203a1",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            },
            {
              "lessThan": "3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c",
              "status": "affected",
              "version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rtc/rtc-pcf85063.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read\n\nThe nvmem interface supports variable buffer sizes, while the regmap\ninterface operates with fixed-size storage. If an nvmem client uses a\nbuffer size less than 4 bytes, regmap_read will write out of bounds\nas it expects the buffer to point at an unsigned int.\n\nFix this by using an intermediary unsigned int to hold the value."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:16.308Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/21cd59fcb9952eb7505da2bdfc1eb9c619df3ff4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f2a8ca9a0a38589f52a7f0fb9425b9ba987ae7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5536677da803ed54a29a446515c28dce7d3d574"
        },
        {
          "url": "https://git.kernel.org/stable/c/c72b7a474d3f445bf0c5bcf8ffed332c78eb28a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9adefa7b9559d0f21034a5d5ec1b55840c9348b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5e06455760f2995b16a176033909347929d1128"
        },
        {
          "url": "https://git.kernel.org/stable/c/517aedb365f2c94e2d7e0b908ac7127df76203a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c"
        }
      ],
      "title": "rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58069",
    "datePublished": "2025-03-06T15:54:09.480Z",
    "dateReserved": "2025-03-06T15:52:09.181Z",
    "dateUpdated": "2025-05-04T10:09:16.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35826 (GCVE-0-2024-35826)

Vulnerability from cvelistv5

Published

2024-05-17 13:27

Modified

2025-05-04 12:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: block: Fix page refcounts for unaligned buffers in __bio_release_pages() Fix an incorrect number of pages being released for buffers that do not start at the beginning of a page.

References

►

URL

Tags

	https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367
	https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65
	https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35
	https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2
	https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6

Impacted products

Vendor

Product

Version

►

Linux

Version: 9025ee1079291fac79c7fcc20086e9f0015f86f4
Version: 8955324cc9f93304efe163120038b38c36c09fba
Version: d198c15d181cc9d580f0f2c25150b077d1d49c1a
Version: 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55
Version: 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55
Version: d2d0b95ca1b5fefa3deed444a803c9f809db66cf
Version: 3f4e660144edb053886fc80f587a71ad7afc2ad6
Version: bfc0647791d7a8f3e178a896a26c4ef7794876b7
Version: 0f2dca516541032fe47a1236c852f58edc662795

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.370Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:42:25.762308Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:21.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "242006996d15f5ca62e22f8c7de077d9c4a8f367",
              "status": "affected",
              "version": "9025ee1079291fac79c7fcc20086e9f0015f86f4",
              "versionType": "git"
            },
            {
              "lessThan": "7d3765550374f71248c55e6206ea1d6fd4537e65",
              "status": "affected",
              "version": "8955324cc9f93304efe163120038b38c36c09fba",
              "versionType": "git"
            },
            {
              "lessThan": "ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35",
              "status": "affected",
              "version": "d198c15d181cc9d580f0f2c25150b077d1d49c1a",
              "versionType": "git"
            },
            {
              "lessThan": "c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2",
              "status": "affected",
              "version": "1b151e2435fc3a9b10c8946c6aebe9f3e1938c55",
              "versionType": "git"
            },
            {
              "lessThan": "38b43539d64b2fa020b3b9a752a986769f87f7a6",
              "status": "affected",
              "version": "1b151e2435fc3a9b10c8946c6aebe9f3e1938c55",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d2d0b95ca1b5fefa3deed444a803c9f809db66cf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3f4e660144edb053886fc80f587a71ad7afc2ad6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bfc0647791d7a8f3e178a896a26c4ef7794876b7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0f2dca516541032fe47a1236c852f58edc662795",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.84",
                  "versionStartIncluding": "6.1.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.24",
                  "versionStartIncluding": "6.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.12",
                  "versionStartIncluding": "6.7.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.307",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.210",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.148",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:55:52.035Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6"
        }
      ],
      "title": "block: Fix page refcounts for unaligned buffers in __bio_release_pages()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35826",
    "datePublished": "2024-05-17T13:27:32.383Z",
    "dateReserved": "2024-05-17T12:19:12.347Z",
    "dateUpdated": "2025-05-04T12:55:52.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21631 (GCVE-0-2025-21631)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 13:05

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Our syzkaller report a following UAF for v6.6: BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726 CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 hlist_add_head include/linux/list.h:1023 [inline] bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Allocated by task 232719: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:768 [inline] slab_alloc_node mm/slub.c:3492 [inline] kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537 bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869 bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776 bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217 ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242 ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958 __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671 ext4_lookup_entry fs/ext4/namei.c:1774 [inline] ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839 __lookup_slow+0x257/0x480 fs/namei.c:1696 lookup_slow fs/namei.c:1713 [inline] walk_component+0x454/0x5c0 fs/namei.c:2004 link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331 link_path_walk fs/namei.c:3826 [inline] path_openat+0x1b9/0x520 fs/namei.c:3826 do_filp_open+0x1b7/0x400 fs/namei.c:3857 do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x148/0x200 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_6 ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/f587c1ac68956c4703857d650d9b1cd7bb2ac4d7
	https://git.kernel.org/stable/c/2550149fcdf2934155ff625d76ad4e3d4b25bbc6
	https://git.kernel.org/stable/c/be3eed59ac01f429ac10aaa46e26f653bcf581ab
	https://git.kernel.org/stable/c/bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed
	https://git.kernel.org/stable/c/fcede1f0a043ccefe9bc6ad57f12718e42f63f1d

Impacted products

Vendor

Product

Version

►

Linux

Version: 63a07379fdb6c72450cb05294461c6016b8b7726
Version: de0456460f2abf921e356ed2bd8da87a376680bd
Version: 0780451f03bf518bc032a7c584de8f92e2d39d7f
Version: 1ba0403ac6447f2d63914fb760c44a3b19c44eaf
Version: 1ba0403ac6447f2d63914fb760c44a3b19c44eaf
Version: 0b8bda0ff17156cd3f60944527c9d8c9f99f1583
Version: cae58d19121a70329cf971359e2518c93fec04fe

Linux

Version: 6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21631",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:11:59.322368Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:21:05.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f587c1ac68956c4703857d650d9b1cd7bb2ac4d7",
              "status": "affected",
              "version": "63a07379fdb6c72450cb05294461c6016b8b7726",
              "versionType": "git"
            },
            {
              "lessThan": "2550149fcdf2934155ff625d76ad4e3d4b25bbc6",
              "status": "affected",
              "version": "de0456460f2abf921e356ed2bd8da87a376680bd",
              "versionType": "git"
            },
            {
              "lessThan": "be3eed59ac01f429ac10aaa46e26f653bcf581ab",
              "status": "affected",
              "version": "0780451f03bf518bc032a7c584de8f92e2d39d7f",
              "versionType": "git"
            },
            {
              "lessThan": "bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed",
              "status": "affected",
              "version": "1ba0403ac6447f2d63914fb760c44a3b19c44eaf",
              "versionType": "git"
            },
            {
              "lessThan": "fcede1f0a043ccefe9bc6ad57f12718e42f63f1d",
              "status": "affected",
              "version": "1ba0403ac6447f2d63914fb760c44a3b19c44eaf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0b8bda0ff17156cd3f60944527c9d8c9f99f1583",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cae58d19121a70329cf971359e2518c93fec04fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.15.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix waker_bfqq UAF after bfq_split_bfqq()\n\nOur syzkaller report a following UAF for v6.6:\n\nBUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\nRead of size 8 at addr ffff8881b57147d8 by task fsstress/232726\n\nCPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\n print_report+0x3e/0x70 mm/kasan/report.c:475\n kasan_report+0xb8/0xf0 mm/kasan/report.c:588\n hlist_add_head include/linux/list.h:1023 [inline]\n bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230\n __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567\n ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947\n ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182\n ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660\n ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569\n iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91\n iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80\n ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051\n ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220\n do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811\n __do_sys_ioctl fs/ioctl.c:869 [inline]\n __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nAllocated by task 232719:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:768 [inline]\n slab_alloc_node mm/slub.c:3492 [inline]\n kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537\n bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869\n bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776\n bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217\n ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242\n ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958\n __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671\n ext4_lookup_entry fs/ext4/namei.c:1774 [inline]\n ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842\n ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839\n __lookup_slow+0x257/0x480 fs/namei.c:1696\n lookup_slow fs/namei.c:1713 [inline]\n walk_component+0x454/0x5c0 fs/namei.c:2004\n link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331\n link_path_walk fs/namei.c:3826 [inline]\n path_openat+0x1b9/0x520 fs/namei.c:3826\n do_filp_open+0x1b7/0x400 fs/namei.c:3857\n do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428\n do_sys_open fs/open.c:1443 [inline]\n __do_sys_openat fs/open.c:1459 [inline]\n __se_sys_openat fs/open.c:1454 [inline]\n __x64_sys_openat+0x148/0x200 fs/open.c:1454\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_6\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:05:59.494Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f587c1ac68956c4703857d650d9b1cd7bb2ac4d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2550149fcdf2934155ff625d76ad4e3d4b25bbc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/be3eed59ac01f429ac10aaa46e26f653bcf581ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcede1f0a043ccefe9bc6ad57f12718e42f63f1d"
        }
      ],
      "title": "block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21631",
    "datePublished": "2025-01-19T10:17:49.439Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-05-04T13:05:59.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21647 (GCVE-0-2025-21647)

Vulnerability from cvelistv5

Published

2025-01-19 10:18

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour.

References

►

URL

Tags

	https://git.kernel.org/stable/c/44fe1efb4961c1a5ccab16bb579dfc6b308ad58b
	https://git.kernel.org/stable/c/b1a1743aaa4906c41c426eda97e2e2586f79246d
	https://git.kernel.org/stable/c/bb0245fa72b783cb23a9949c5048781341e91423
	https://git.kernel.org/stable/c/a777e06dfc72bed73c05dcb437d7c27ad5f90f3f
	https://git.kernel.org/stable/c/27202e2e8721c3b23831563c36ed5ac7818641ba
	https://git.kernel.org/stable/c/91bb18950b88f955838ec0c1d97f74d135756dc7
	https://git.kernel.org/stable/c/737d4d91d35b5f7fa5bb442651472277318b0bfd

Impacted products

Vendor

Product

Version

►

Linux

Version: 4a4eeefa514db570be025ab46d779af180e2c9bb
Version: 7725152b54d295b7da5e34c2f419539b30d017bd
Version: cde71a5677971f4f1b69b25e854891dbe78066a4
Version: 549e407569e08459d16122341d332cb508024094
Version: d4a9039a7b3d8005b90c7b1a55a306444f0e5447
Version: 546ea84d07e3e324644025e2aae2d12ea4c5896e
Version: 546ea84d07e3e324644025e2aae2d12ea4c5896e
Version: d7c01c0714c04431b5e18cf17a9ea68a553d1c3c

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44fe1efb4961c1a5ccab16bb579dfc6b308ad58b",
              "status": "affected",
              "version": "4a4eeefa514db570be025ab46d779af180e2c9bb",
              "versionType": "git"
            },
            {
              "lessThan": "b1a1743aaa4906c41c426eda97e2e2586f79246d",
              "status": "affected",
              "version": "7725152b54d295b7da5e34c2f419539b30d017bd",
              "versionType": "git"
            },
            {
              "lessThan": "bb0245fa72b783cb23a9949c5048781341e91423",
              "status": "affected",
              "version": "cde71a5677971f4f1b69b25e854891dbe78066a4",
              "versionType": "git"
            },
            {
              "lessThan": "a777e06dfc72bed73c05dcb437d7c27ad5f90f3f",
              "status": "affected",
              "version": "549e407569e08459d16122341d332cb508024094",
              "versionType": "git"
            },
            {
              "lessThan": "27202e2e8721c3b23831563c36ed5ac7818641ba",
              "status": "affected",
              "version": "d4a9039a7b3d8005b90c7b1a55a306444f0e5447",
              "versionType": "git"
            },
            {
              "lessThan": "91bb18950b88f955838ec0c1d97f74d135756dc7",
              "status": "affected",
              "version": "546ea84d07e3e324644025e2aae2d12ea4c5896e",
              "versionType": "git"
            },
            {
              "lessThan": "737d4d91d35b5f7fa5bb442651472277318b0bfd",
              "status": "affected",
              "version": "546ea84d07e3e324644025e2aae2d12ea4c5896e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d7c01c0714c04431b5e18cf17a9ea68a553d1c3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.284",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.226",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.167",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "6.1.110",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "6.6.51",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: add bounds checks to host bulk flow fairness counts\n\nEven though we fixed a logic error in the commit cited below, syzbot\nstill managed to trigger an underflow of the per-host bulk flow\ncounters, leading to an out of bounds memory access.\n\nTo avoid any such logic errors causing out of bounds memory accesses,\nthis commit factors out all accesses to the per-host bulk flow counters\nto a series of helpers that perform bounds-checking before any\nincrements and decrements. This also has the benefit of improving\nreadability by moving the conditional checks for the flow mode into\nthese helpers, instead of having them spread out throughout the\ncode (which was the cause of the original logic error).\n\nAs part of this change, the flow quantum calculation is consolidated\ninto a helper function, which means that the dithering applied to the\nost load scaling is now applied both in the DRR rotation and when a\nsparse flow\u0027s quantum is first initiated. The only user-visible effect\nof this is that the maximum packet size that can be sent while a flow\nstays sparse will now vary with +/- one byte in some cases. This should\nnot make a noticeable difference in practice, and thus it\u0027s not worth\ncomplicating the code to preserve the old behaviour."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:10.192Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44fe1efb4961c1a5ccab16bb579dfc6b308ad58b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1a1743aaa4906c41c426eda97e2e2586f79246d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb0245fa72b783cb23a9949c5048781341e91423"
        },
        {
          "url": "https://git.kernel.org/stable/c/a777e06dfc72bed73c05dcb437d7c27ad5f90f3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/27202e2e8721c3b23831563c36ed5ac7818641ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/91bb18950b88f955838ec0c1d97f74d135756dc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/737d4d91d35b5f7fa5bb442651472277318b0bfd"
        }
      ],
      "title": "sched: sch_cake: add bounds checks to host bulk flow fairness counts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21647",
    "datePublished": "2025-01-19T10:18:04.415Z",
    "dateReserved": "2024-12-29T08:45:45.728Z",
    "dateUpdated": "2025-05-04T13:06:10.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4016 (GCVE-0-2023-4016)

Vulnerability from cvelistv5

Published

2023-08-02 04:20

Modified

2025-02-13 17:03

Severity ?

2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

References

►

URL

Tags

	https://gitlab.com/procps-ng/procps
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/

Impacted products

	Vendor	Product	Version
	Linux	Linux Kernal	Version: 3.3.0 (might be earlier) - latest

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:17:10.954Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.com/procps-ng/procps"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Linux Kernal",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3.0 (might be earlier) - latest"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Michael Berlin, BGU"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Prof. Oded Margalit, BGU and Trellix"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Prof. Gera Weiss, BGU"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Under some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap."
            }
          ],
          "value": "Under some circumstances, this weakness allows a user who has access to run the \u201cps\u201d utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-9",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-9 Buffer Overflow in Local Command-Line Utilities"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-21T02:06:11.188Z",
        "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
        "shortName": "trellix"
      },
      "references": [
        {
          "url": "https://gitlab.com/procps-ng/procps"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
    "assignerShortName": "trellix",
    "cveId": "CVE-2023-4016",
    "datePublished": "2023-08-02T04:20:20.645Z",
    "dateReserved": "2023-07-31T10:40:24.737Z",
    "dateUpdated": "2025-02-13T17:03:24.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52924 (GCVE-0-2023-52924)

Vulnerability from cvelistv5

Published

2025-02-05 09:07

Modified

2025-05-04 07:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.

References

►

URL

Tags

	https://git.kernel.org/stable/c/94313a196b44184b5b52c1876da6a537701b425a
	https://git.kernel.org/stable/c/1da4874d05da1526b11b82fc7f3c7ac38749ddf8
	https://git.kernel.org/stable/c/b15ea4017af82011dd55225ce77cce3d4dfc169c
	https://git.kernel.org/stable/c/7c7e658a36f8b1522bd3586d8137e5f93a25ddc5
	https://git.kernel.org/stable/c/59dab3bf0b8fc08eb802721c0532f13dd89209b8
	https://git.kernel.org/stable/c/bd156ce9553dcaf2d6ee2c825d1a5a1718e86524
	https://git.kernel.org/stable/c/24138933b97b055d486e8064b4a1721702442a9b

Impacted products

Vendor

Product

Version

►

Linux

Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434
Version: 9d0982927e79049675cb6c6c04a0ebb3dad5a434

Linux

Version: 4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c",
            "net/netfilter/nft_set_hash.c",
            "net/netfilter/nft_set_pipapo.c",
            "net/netfilter/nft_set_rbtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94313a196b44184b5b52c1876da6a537701b425a",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "1da4874d05da1526b11b82fc7f3c7ac38749ddf8",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "b15ea4017af82011dd55225ce77cce3d4dfc169c",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "7c7e658a36f8b1522bd3586d8137e5f93a25ddc5",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "59dab3bf0b8fc08eb802721c0532f13dd89209b8",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "bd156ce9553dcaf2d6ee2c825d1a5a1718e86524",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            },
            {
              "lessThan": "24138933b97b055d486e8064b4a1721702442a9b",
              "status": "affected",
              "version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c",
            "net/netfilter/nft_set_hash.c",
            "net/netfilter/nft_set_pipapo.c",
            "net/netfilter/nft_set_rbtree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.316",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.316",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.262",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.198",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.134",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.56",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don\u0027t skip expired elements during walk\n\nThere is an asymmetry between commit/abort and preparation phase if the\nfollowing conditions are met:\n\n1. set is a verdict map (\"1.2.3.4 : jump foo\")\n2. timeouts are enabled\n\nIn this case, following sequence is problematic:\n\n1. element E in set S refers to chain C\n2. userspace requests removal of set S\n3. kernel does a set walk to decrement chain-\u003euse count for all elements\n   from preparation phase\n4. kernel does another set walk to remove elements from the commit phase\n   (or another walk to do a chain-\u003euse increment for all elements from\n    abort phase)\n\nIf E has already expired in 1), it will be ignored during list walk, so its use count\nwon\u0027t have been changed.\n\nThen, when set is culled, -\u003edestroy callback will zap the element via\nnf_tables_set_elem_destroy(), but this function is only safe for\nelements that have been deactivated earlier from the preparation phase:\nlack of earlier deactivate removes the element but leaks the chain use\ncount, which results in a WARN splat when the chain gets removed later,\nplus a leak of the nft_chain structure.\n\nUpdate pipapo_get() not to skip expired elements, otherwise flush\ncommand reports bogus ENOENT errors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:46:06.745Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94313a196b44184b5b52c1876da6a537701b425a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1da4874d05da1526b11b82fc7f3c7ac38749ddf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b15ea4017af82011dd55225ce77cce3d4dfc169c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c7e658a36f8b1522bd3586d8137e5f93a25ddc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/59dab3bf0b8fc08eb802721c0532f13dd89209b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd156ce9553dcaf2d6ee2c825d1a5a1718e86524"
        },
        {
          "url": "https://git.kernel.org/stable/c/24138933b97b055d486e8064b4a1721702442a9b"
        }
      ],
      "title": "netfilter: nf_tables: don\u0027t skip expired elements during walk",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52924",
    "datePublished": "2025-02-05T09:07:55.418Z",
    "dateReserved": "2024-08-21T06:07:11.018Z",
    "dateUpdated": "2025-05-04T07:46:06.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-46736 (GCVE-0-2024-46736)

Vulnerability from cvelistv5

Published

2024-09-18 07:11

Modified

2025-05-04 09:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_rename_path() If smb2_set_path_attr() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() again as the reference of @cfile was already dropped by previous smb2_compound_op() call.

References

►

URL

Tags

	https://git.kernel.org/stable/c/b27ea9c96efd2c252a981fb00d0f001b86c90f3e
	https://git.kernel.org/stable/c/1a46c7f6546b73cbf36f5a618a1a6bbb45391eb3
	https://git.kernel.org/stable/c/3523a3df03c6f04f7ea9c2e7050102657e331a4f

Impacted products

Vendor

Product

Version

►

Linux

Version: 1e60bc0e954389af82f1d9a85f13a63f6572350f
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d
Version: 71f15c90e785d1de4bcd65a279e7256684c25c0d

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46736",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:52:47.842995Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:53:02.091Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b27ea9c96efd2c252a981fb00d0f001b86c90f3e",
              "status": "affected",
              "version": "1e60bc0e954389af82f1d9a85f13a63f6572350f",
              "versionType": "git"
            },
            {
              "lessThan": "1a46c7f6546b73cbf36f5a618a1a6bbb45391eb3",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            },
            {
              "lessThan": "3523a3df03c6f04f7ea9c2e7050102657e331a4f",
              "status": "affected",
              "version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_rename_path()\n\nIf smb2_set_path_attr() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() again as the\nreference of @cfile was already dropped by previous smb2_compound_op()\ncall."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:33:03.991Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b27ea9c96efd2c252a981fb00d0f001b86c90f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a46c7f6546b73cbf36f5a618a1a6bbb45391eb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3523a3df03c6f04f7ea9c2e7050102657e331a4f"
        }
      ],
      "title": "smb: client: fix double put of @cfile in smb2_rename_path()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46736",
    "datePublished": "2024-09-18T07:11:58.499Z",
    "dateReserved": "2024-09-11T15:12:18.257Z",
    "dateUpdated": "2025-05-04T09:33:03.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21832 (GCVE-0-2025-21832)

Vulnerability from cvelistv5

Published

2025-03-06 16:22

Modified

2025-05-10 16:48

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: block: don't revert iter for -EIOCBQUEUED blkdev_read_iter() has a few odd checks, like gating the position and count adjustment on whether or not the result is bigger-than-or-equal to zero (where bigger than makes more sense), and not checking the return value of blkdev_direct_IO() before doing an iov_iter_revert(). The latter can lead to attempting to revert with a negative value, which when passed to iov_iter_revert() as an unsigned value will lead to throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT. Be sane and don't revert for -EIOCBQUEUED, like what is done in other spots.

References

►

URL

Tags

	https://git.kernel.org/stable/c/6c26619effb1b4cb7d20b4e666ab8f71f6a53ccb
	https://git.kernel.org/stable/c/84671b0630ccb46ae9f1f99a45c7d63ffcd6a474
	https://git.kernel.org/stable/c/68f16d3034a06661245ecd22f0d586a8b4e7c473
	https://git.kernel.org/stable/c/a58f136bad29f9ae721a29d98c042fddbee22f77
	https://git.kernel.org/stable/c/b13ee668e8280ca5b07f8ce2846b9957a8a10853

Impacted products

Vendor

Product

Version

►

Linux

Version: 3e1f941dd9f33776b3df4e30f741fe445ff773f3
Version: 3e1f941dd9f33776b3df4e30f741fe445ff773f3
Version: 3e1f941dd9f33776b3df4e30f741fe445ff773f3
Version: 3e1f941dd9f33776b3df4e30f741fe445ff773f3
Version: 3e1f941dd9f33776b3df4e30f741fe445ff773f3

Linux

Version: 5.17

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6c26619effb1b4cb7d20b4e666ab8f71f6a53ccb",
              "status": "affected",
              "version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
              "versionType": "git"
            },
            {
              "lessThan": "84671b0630ccb46ae9f1f99a45c7d63ffcd6a474",
              "status": "affected",
              "version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
              "versionType": "git"
            },
            {
              "lessThan": "68f16d3034a06661245ecd22f0d586a8b4e7c473",
              "status": "affected",
              "version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
              "versionType": "git"
            },
            {
              "lessThan": "a58f136bad29f9ae721a29d98c042fddbee22f77",
              "status": "affected",
              "version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
              "versionType": "git"
            },
            {
              "lessThan": "b13ee668e8280ca5b07f8ce2846b9957a8a10853",
              "status": "affected",
              "version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don\u0027t revert iter for -EIOCBQUEUED\n\nblkdev_read_iter() has a few odd checks, like gating the position and\ncount adjustment on whether or not the result is bigger-than-or-equal to\nzero (where bigger than makes more sense), and not checking the return\nvalue of blkdev_direct_IO() before doing an iov_iter_revert(). The\nlatter can lead to attempting to revert with a negative value, which\nwhen passed to iov_iter_revert() as an unsigned value will lead to\nthrowing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.\n\nBe sane and don\u0027t revert for -EIOCBQUEUED, like what is done in other\nspots."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T16:48:42.602Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6c26619effb1b4cb7d20b4e666ab8f71f6a53ccb"
        },
        {
          "url": "https://git.kernel.org/stable/c/84671b0630ccb46ae9f1f99a45c7d63ffcd6a474"
        },
        {
          "url": "https://git.kernel.org/stable/c/68f16d3034a06661245ecd22f0d586a8b4e7c473"
        },
        {
          "url": "https://git.kernel.org/stable/c/a58f136bad29f9ae721a29d98c042fddbee22f77"
        },
        {
          "url": "https://git.kernel.org/stable/c/b13ee668e8280ca5b07f8ce2846b9957a8a10853"
        }
      ],
      "title": "block: don\u0027t revert iter for -EIOCBQUEUED",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21832",
    "datePublished": "2025-03-06T16:22:34.125Z",
    "dateReserved": "2024-12-29T08:45:45.777Z",
    "dateUpdated": "2025-05-10T16:48:42.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57994 (GCVE-0-2024-57994)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage. syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1] As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH. Rename helpers to better reflect they are safe against BH only. - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh() [1] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tun_ptr_free drivers/net/tun.c:617 [inline] __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline] ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline] tun_queue_resize drivers/net/tun.c:3694 [inline] tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] call_netdevice_notifiers net/core/dev.c:2046 [inline] dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024 do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923 rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550

References

►

URL

Tags

	https://git.kernel.org/stable/c/3257dac521d0ac6653108c755141dce634bb8ff2
	https://git.kernel.org/stable/c/e74801b7628dc52b17471aec729bc675479ddc73
	https://git.kernel.org/stable/c/a126061c80d5efb4baef4bcf346094139cd81df6

Impacted products

Vendor

Product

Version

►

Linux

Version: ff4e538c8c3e675a15e1e49509c55951832e0451
Version: ff4e538c8c3e675a15e1e49509c55951832e0451
Version: ff4e538c8c3e675a15e1e49509c55951832e0451

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tap.c",
            "drivers/net/tun.c",
            "include/linux/ptr_ring.h",
            "include/linux/skb_array.h",
            "net/sched/sch_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3257dac521d0ac6653108c755141dce634bb8ff2",
              "status": "affected",
              "version": "ff4e538c8c3e675a15e1e49509c55951832e0451",
              "versionType": "git"
            },
            {
              "lessThan": "e74801b7628dc52b17471aec729bc675479ddc73",
              "status": "affected",
              "version": "ff4e538c8c3e675a15e1e49509c55951832e0451",
              "versionType": "git"
            },
            {
              "lessThan": "a126061c80d5efb4baef4bcf346094139cd81df6",
              "status": "affected",
              "version": "ff4e538c8c3e675a15e1e49509c55951832e0451",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/tap.c",
            "drivers/net/tun.c",
            "include/linux/ptr_ring.h",
            "include/linux/skb_array.h",
            "net/sched/sch_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()\n\nJakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page()\nto increase test coverage.\n\nsyzbot found a splat caused by hard irq blocking in\nptr_ring_resize_multiple() [1]\n\nAs current users of ptr_ring_resize_multiple() do not require\nhard irqs being masked, replace it to only block BH.\n\nRename helpers to better reflect they are safe against BH only.\n\n- ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh()\n- skb_array_resize_multiple() to skb_array_resize_multiple_bh()\n\n[1]\n\nWARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline]\nWARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780\nModules linked in:\nCPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline]\nRIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780\nCode: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 \u003c0f\u003e 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85\nRSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083\nRAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000\nRDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843\nRBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d\nR10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040\nR13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff\nFS:  00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tun_ptr_free drivers/net/tun.c:617 [inline]\n __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]\n ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]\n tun_queue_resize drivers/net/tun.c:3694 [inline]\n tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714\n notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93\n call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]\n call_netdevice_notifiers net/core/dev.c:2046 [inline]\n dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024\n do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923\n rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201\n rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:56.662Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3257dac521d0ac6653108c755141dce634bb8ff2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e74801b7628dc52b17471aec729bc675479ddc73"
        },
        {
          "url": "https://git.kernel.org/stable/c/a126061c80d5efb4baef4bcf346094139cd81df6"
        }
      ],
      "title": "ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57994",
    "datePublished": "2025-02-27T02:07:15.568Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-05-04T10:07:56.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21830 (GCVE-0-2025-21830)

Vulnerability from cvelistv5

Published

2025-03-06 16:08

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a1fccf6b72b56343dd4f2d96b008147f9951eebd
	https://git.kernel.org/stable/c/7d6121228959ddf44a4b9b6a177384ac7854e2f9
	https://git.kernel.org/stable/c/39bb3d56f1c351e76bb18895d0e73796e653d5c1
	https://git.kernel.org/stable/c/2569e65d2eb6ac1afe6cb6dfae476afee8b6771a
	https://git.kernel.org/stable/c/0fde195a373ab1267e60baa9e1a703a97e7464cd
	https://git.kernel.org/stable/c/49440290a0935f428a1e43a5ac8dc275a647ff80

Impacted products

Vendor

Product

Version

►

Linux

Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a1fccf6b72b56343dd4f2d96b008147f9951eebd",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "7d6121228959ddf44a4b9b6a177384ac7854e2f9",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "39bb3d56f1c351e76bb18895d0e73796e653d5c1",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "2569e65d2eb6ac1afe6cb6dfae476afee8b6771a",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "0fde195a373ab1267e60baa9e1a703a97e7464cd",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "49440290a0935f428a1e43a5ac8dc275a647ff80",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Handle weird files\n\nA corrupted filesystem (e.g. bcachefs) might return weird files.\nInstead of throwing a warning and allowing access to such file, treat\nthem as regular files."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:03.240Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a1fccf6b72b56343dd4f2d96b008147f9951eebd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d6121228959ddf44a4b9b6a177384ac7854e2f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/39bb3d56f1c351e76bb18895d0e73796e653d5c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2569e65d2eb6ac1afe6cb6dfae476afee8b6771a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fde195a373ab1267e60baa9e1a703a97e7464cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/49440290a0935f428a1e43a5ac8dc275a647ff80"
        }
      ],
      "title": "landlock: Handle weird files",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21830",
    "datePublished": "2025-03-06T16:08:09.894Z",
    "dateReserved": "2024-12-29T08:45:45.776Z",
    "dateUpdated": "2025-05-04T07:22:03.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49940 (GCVE-0-2024-49940)

Vulnerability from cvelistv5

Published

2024-10-21 18:01

Modified

2025-05-04 09:41

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: l2tp: prevent possible tunnel refcount underflow When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped. Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel. If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02
	https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:37:52.827630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:38:50.656Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_core.c",
            "net/l2tp/l2tp_core.h",
            "net/l2tp/l2tp_netlink.c",
            "net/l2tp/l2tp_ppp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f7415e60c25a6108cd7955a20b2e66b6251ffe02",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "24256415d18695b46da06c93135f5b51c548b950",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/l2tp/l2tp_core.c",
            "net/l2tp/l2tp_core.h",
            "net/l2tp/l2tp_netlink.c",
            "net/l2tp/l2tp_ppp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: prevent possible tunnel refcount underflow\n\nWhen a session is created, it sets a backpointer to its tunnel. When\nthe session refcount drops to 0, l2tp_session_free drops the tunnel\nrefcount if session-\u003etunnel is non-NULL. However, session-\u003etunnel is\nset in l2tp_session_create, before the tunnel refcount is incremented\nby l2tp_session_register, which leaves a small window where\nsession-\u003etunnel is non-NULL when the tunnel refcount hasn\u0027t been\nbumped.\n\nMoving the assignment to l2tp_session_register is trivial but\nl2tp_session_create calls l2tp_session_set_header_len which uses\nsession-\u003etunnel to get the tunnel\u0027s encap. Add an encap arg to\nl2tp_session_set_header_len to avoid using session-\u003etunnel.\n\nIf l2tpv3 sessions have colliding IDs, it is possible for\nl2tp_v3_session_get to race with l2tp_session_register and fetch a\nsession which doesn\u0027t yet have session-\u003etunnel set. Add a check for\nthis case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:41:55.265Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02"
        },
        {
          "url": "https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950"
        }
      ],
      "title": "l2tp: prevent possible tunnel refcount underflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49940",
    "datePublished": "2024-10-21T18:01:59.668Z",
    "dateReserved": "2024-10-21T12:17:06.043Z",
    "dateUpdated": "2025-05-04T09:41:55.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57981 (GCVE-0-2024-57981)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.

References

►

URL

Tags

	https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653
	https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485
	https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4
	https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
	https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
	https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
	https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
	https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073

Impacted products

Vendor

Product

Version

►

Linux

Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249
Version: c311e391a7efd101250c0e123286709b7e736249

Linux

Version: 3.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd8bfaeba4a85b14427899adec0efb3954300653",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "b44253956407046e5907d4d72c8fa5b93ae94485",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "cf30300a216a4f8dce94e11781a866a09d4b50d4",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "4ff18870af793ce2034a6ad746e91d0a3d985b88",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "b649f0d5bc256f691c7d234c3986685d54053de1",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "0ce5c0dac768be14afe2426101b568a0f66bfc4d",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            },
            {
              "lessThan": "1e0a19912adb68a4b2b74fd77001c96cd83eb073",
              "status": "affected",
              "version": "c311e391a7efd101250c0e123286709b7e736249",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon\u0027t attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it\u0027s harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:39.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653"
        },
        {
          "url": "https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073"
        }
      ],
      "title": "usb: xhci: Fix NULL pointer dereference on certain command aborts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57981",
    "datePublished": "2025-02-27T02:07:07.489Z",
    "dateReserved": "2025-02-27T02:04:28.913Z",
    "dateUpdated": "2025-05-04T10:07:39.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21866 (GCVE-0-2025-21866)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.

References

►

URL

Tags

	https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b
	https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e
	https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c
	https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0
	https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065
	https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8
	https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3
	https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54

Impacted products

Vendor

Product

Version

►

Linux

Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1

Linux

Version: 4.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97de5852058a299ba447cd9782fe96488d30108b",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "f8d4c5b653c1bc0df56e15658bbf64fc359adc4e",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "c905a3053518212a1017e50bd2be3bee59305bb0",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2d542f13d26344e3452eee77613026ce9b653065",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "8d06e9208184b2851fa79a3a39d6860320c8bdf8",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2e6c80423f201405fd65254e52decd21663896f3",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "d262a192d38e527faa5984629aabda2e0d1c4f54",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n\nErhard reported the following KASAN hit while booting his PowerMac G4\nwith a KASAN-enabled kernel 6.13-rc6:\n\n  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8\n  Write of size 8 at addr f1000000 by task chronyd/1293\n\n  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2\n  Tainted: [W]=WARN\n  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac\n  Call Trace:\n  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)\n  [c24375b0] [c0504998] print_report+0xdc/0x504\n  [c2437610] [c050475c] kasan_report+0xf8/0x108\n  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c\n  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8\n  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c\n  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c\n  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac\n  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec\n  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478\n  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14\n  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4\n  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890\n  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420\n  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c\n  --- interrupt: c00 at 0x5a1274\n  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8\n  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)\n  MSR:  0200f932 \u003cVEC,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 24004422  XER: 00000000\n\n  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932\n  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57\n  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002\n  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001\n  NIP [005a1274] 0x5a1274\n  LR [006a3b3c] 0x6a3b3c\n  --- interrupt: c00\n\n  The buggy address belongs to the virtual mapping at\n   [f1000000, f1002000) created by:\n   text_area_cpu_up+0x20/0x190\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30\n  flags: 0x80000000(zone=2)\n  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001\n  raw: 00000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  \u003ef1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n             ^\n   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ==================================================================\n\nf8 corresponds to KASAN_VMALLOC_INVALID which means the area is not\ninitialised hence not supposed to be used yet.\n\nPowerpc text patching infrastructure allocates a virtual memory area\nusing get_vm_area() and flags it as VM_ALLOC. But that flag is meant\nto be used for vmalloc() and vmalloc() allocated memory is not\nsupposed to be used before a call to __vmalloc_node_range() which is\nnever called for that area.\n\nThat went undetected until commit e4137f08816b (\"mm, kasan, kmsan:\ninstrument copy_from/to_kernel_nofault\")\n\nThe area allocated by text_area_cpu_up() is not vmalloc memory, it is\nmapped directly on demand when needed by map_kernel_page(). There is\nno VM flag corresponding to such usage, so just pass no flag. That way\nthe area will be unpoisonned and usable immediately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:49.560Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54"
        }
      ],
      "title": "powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21866",
    "datePublished": "2025-03-12T09:42:22.587Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:49.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57997 (GCVE-0-2024-57997)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: wcn36xx: fix channel survey memory allocation size KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel.

References

►

URL

Tags

	https://git.kernel.org/stable/c/ae68efdff7a7a42ab251cac79d8713de6f0dbaa0
	https://git.kernel.org/stable/c/e95f9c408ff8311f75eeabc8acf34a66670d8815
	https://git.kernel.org/stable/c/64c4dcaeac1dc1030e47883b04a617ca9a4f164e
	https://git.kernel.org/stable/c/34cd2817708aec51ef1a6c007e0d6d5342a025d7
	https://git.kernel.org/stable/c/6200d947f050efdba4090dfefd8a01981363d954

Impacted products

Vendor

Product

Version

►

Linux

Version: 29696e0aa413b9d56558731aae3806d7cff48d36
Version: 29696e0aa413b9d56558731aae3806d7cff48d36
Version: 29696e0aa413b9d56558731aae3806d7cff48d36
Version: 29696e0aa413b9d56558731aae3806d7cff48d36
Version: 29696e0aa413b9d56558731aae3806d7cff48d36

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/wcn36xx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae68efdff7a7a42ab251cac79d8713de6f0dbaa0",
              "status": "affected",
              "version": "29696e0aa413b9d56558731aae3806d7cff48d36",
              "versionType": "git"
            },
            {
              "lessThan": "e95f9c408ff8311f75eeabc8acf34a66670d8815",
              "status": "affected",
              "version": "29696e0aa413b9d56558731aae3806d7cff48d36",
              "versionType": "git"
            },
            {
              "lessThan": "64c4dcaeac1dc1030e47883b04a617ca9a4f164e",
              "status": "affected",
              "version": "29696e0aa413b9d56558731aae3806d7cff48d36",
              "versionType": "git"
            },
            {
              "lessThan": "34cd2817708aec51ef1a6c007e0d6d5342a025d7",
              "status": "affected",
              "version": "29696e0aa413b9d56558731aae3806d7cff48d36",
              "versionType": "git"
            },
            {
              "lessThan": "6200d947f050efdba4090dfefd8a01981363d954",
              "status": "affected",
              "version": "29696e0aa413b9d56558731aae3806d7cff48d36",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/wcn36xx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wcn36xx: fix channel survey memory allocation size\n\nKASAN reported a memory allocation issue in wcn-\u003echan_survey\ndue to incorrect size calculation.\nThis commit uses kcalloc to allocate memory for wcn-\u003echan_survey,\nensuring proper initialization and preventing the use of uninitialized\nvalues when there are no frames on the channel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:02.198Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae68efdff7a7a42ab251cac79d8713de6f0dbaa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e95f9c408ff8311f75eeabc8acf34a66670d8815"
        },
        {
          "url": "https://git.kernel.org/stable/c/64c4dcaeac1dc1030e47883b04a617ca9a4f164e"
        },
        {
          "url": "https://git.kernel.org/stable/c/34cd2817708aec51ef1a6c007e0d6d5342a025d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6200d947f050efdba4090dfefd8a01981363d954"
        }
      ],
      "title": "wifi: wcn36xx: fix channel survey memory allocation size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57997",
    "datePublished": "2025-02-27T02:07:17.371Z",
    "dateReserved": "2025-02-27T02:04:28.915Z",
    "dateUpdated": "2025-05-04T10:08:02.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21856 (GCVE-0-2025-21856)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set.

References

►

URL

Tags

	https://git.kernel.org/stable/c/940d15254d2216b585558bcf36312da50074e711
	https://git.kernel.org/stable/c/0505ff2936f166405d81d0d454a81d9c14124344
	https://git.kernel.org/stable/c/e26e8ac27351f457091459a0a355bacd06d5bb2b
	https://git.kernel.org/stable/c/915e34d5ad35a6a9e56113f852ade4a730fb88f0

Impacted products

Vendor

Product

Version

►

Linux

Version: 8c81ba20349daf9f7e58bb05a0c12f4b71813a30
Version: 8c81ba20349daf9f7e58bb05a0c12f4b71813a30
Version: 8c81ba20349daf9f7e58bb05a0c12f4b71813a30
Version: 8c81ba20349daf9f7e58bb05a0c12f4b71813a30

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/ism_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "940d15254d2216b585558bcf36312da50074e711",
              "status": "affected",
              "version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
              "versionType": "git"
            },
            {
              "lessThan": "0505ff2936f166405d81d0d454a81d9c14124344",
              "status": "affected",
              "version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
              "versionType": "git"
            },
            {
              "lessThan": "e26e8ac27351f457091459a0a355bacd06d5bb2b",
              "status": "affected",
              "version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
              "versionType": "git"
            },
            {
              "lessThan": "915e34d5ad35a6a9e56113f852ade4a730fb88f0",
              "status": "affected",
              "version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/ism_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ism: add release function for struct device\n\nAccording to device_release() in /drivers/base/core.c,\na device without a release function is a broken device\nand must be fixed.\n\nThe current code directly frees the device after calling device_add()\nwithout waiting for other kernel parts to release their references.\nThus, a reference could still be held to a struct device,\ne.g., by sysfs, leading to potential use-after-free\nissues if a proper release function is not set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:38.537Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/940d15254d2216b585558bcf36312da50074e711"
        },
        {
          "url": "https://git.kernel.org/stable/c/0505ff2936f166405d81d0d454a81d9c14124344"
        },
        {
          "url": "https://git.kernel.org/stable/c/e26e8ac27351f457091459a0a355bacd06d5bb2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/915e34d5ad35a6a9e56113f852ade4a730fb88f0"
        }
      ],
      "title": "s390/ism: add release function for struct device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21856",
    "datePublished": "2025-03-12T09:42:09.929Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:38.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21878 (GCVE-0-2025-21878)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset. Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer. Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only. Here is the soft lockup log. [ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [ 28.183351] Modules linked in: [ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 28.208128] pc : __do_softirq+0xb0/0x368 [ 28.212055] lr : __do_softirq+0x70/0x368 [ 28.215972] sp : ffffff8035ebca00 [ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198 [ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [ 28.290611] Call trace: [ 28.293052] __do_softirq+0xb0/0x368 [ 28.296625] __irq_exit_rcu+0xe0/0x100 [ 28.300374] irq_exit+0x14/0x20 [ 28.303513] handle_domain_irq+0x68/0x90 [ 28.307440] gic_handle_irq+0x78/0xb0 [ 28.311098] call_on_irq_stack+0x20/0x38 [ 28.315019] do_interrupt_handler+0x54/0x5c [ 28.319199] el1_interrupt+0x2c/0x4c [ 28.322777] el1h_64_irq_handler+0x14/0x20 [ 28.326872] el1h_64_irq+0x74/0x78 [ 28.330269] __setup_irq+0x454/0x780 [ 28.333841] request_threaded_irq+0xd0/0x1b4 [ 28.338107] devm_request_threaded_irq+0x84/0x100 [ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0 [ 28.346990] platform_probe+0x6c/0xc4 [ 28.350653] really_probe+0xcc/0x45c [ 28.354227] __driver_probe_device+0x8c/0x160 [ 28.358578] driver_probe_device+0x44/0xe0 [ 28.362670] __driver_attach+0x124/0x1d0 [ 28.366589] bus_for_each_dev+0x7c/0xe0 [ 28.370426] driver_attach+0x28/0x30 [ 28.373997] bus_add_driver+0x124/0x240 [ 28.377830] driver_register+0x7c/0x124 [ 28.381662] __platform_driver_register+0x2c/0x34 [ 28.386362] npcm_i2c_init+0x3c/0x5c [ 28.389937] do_one_initcall+0x74/0x230 [ 28.393768] kernel_init_freeable+0x24c/0x2b4 [ 28.398126] kernel_init+0x28/0x130 [ 28.401614] ret_from_fork+0x10/0x20 [ 28.405189] Kernel panic - not syncing: softlockup: hung tasks [ 28.411011] SMP: stopping secondary CPUs [ 28.414933] Kernel Offset: disabled [ 28.418412] CPU features: 0x00000000,00000802 [ 28.427644] Rebooting in 20 seconds..

References

►

URL

Tags

	https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33
	https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8
	https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60
	https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9
	https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260
	https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93
	https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2

Impacted products

Vendor

Product

Version

►

Linux

Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2

Linux

Version: 5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-npcm7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f32d7b4dc6e791523c70e83049645dcba2a2aa33",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "e3aea1dba97d31eceed7b622000af0406988b9c8",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "545b563eb00d0576775da4011b3f7ffefc9e8c60",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "12d0e39916705b68d2d8ba20a8e35d1d27afc260",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "846e371631c57365eeb89e5db1ab0f344169af93",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            },
            {
              "lessThan": "dd1998e243f5fa25d348a384ba0b6c84d980f2b2",
              "status": "affected",
              "version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-npcm7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine reboots in the middle of the i2c transaction, the i2c\nmodule keeps the status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine is doing a warm rebooting.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[   28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[   28.183351] Modules linked in:\n[   28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[   28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   28.208128] pc : __do_softirq+0xb0/0x368\n[   28.212055] lr : __do_softirq+0x70/0x368\n[   28.215972] sp : ffffff8035ebca00\n[   28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[   28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[   28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[   28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[   28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[   28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[   28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[   28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[   28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[   28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[   28.290611] Call trace:\n[   28.293052]  __do_softirq+0xb0/0x368\n[   28.296625]  __irq_exit_rcu+0xe0/0x100\n[   28.300374]  irq_exit+0x14/0x20\n[   28.303513]  handle_domain_irq+0x68/0x90\n[   28.307440]  gic_handle_irq+0x78/0xb0\n[   28.311098]  call_on_irq_stack+0x20/0x38\n[   28.315019]  do_interrupt_handler+0x54/0x5c\n[   28.319199]  el1_interrupt+0x2c/0x4c\n[   28.322777]  el1h_64_irq_handler+0x14/0x20\n[   28.326872]  el1h_64_irq+0x74/0x78\n[   28.330269]  __setup_irq+0x454/0x780\n[   28.333841]  request_threaded_irq+0xd0/0x1b4\n[   28.338107]  devm_request_threaded_irq+0x84/0x100\n[   28.342809]  npcm_i2c_probe_bus+0x188/0x3d0\n[   28.346990]  platform_probe+0x6c/0xc4\n[   28.350653]  really_probe+0xcc/0x45c\n[   28.354227]  __driver_probe_device+0x8c/0x160\n[   28.358578]  driver_probe_device+0x44/0xe0\n[   28.362670]  __driver_attach+0x124/0x1d0\n[   28.366589]  bus_for_each_dev+0x7c/0xe0\n[   28.370426]  driver_attach+0x28/0x30\n[   28.373997]  bus_add_driver+0x124/0x240\n[   28.377830]  driver_register+0x7c/0x124\n[   28.381662]  __platform_driver_register+0x2c/0x34\n[   28.386362]  npcm_i2c_init+0x3c/0x5c\n[   28.389937]  do_one_initcall+0x74/0x230\n[   28.393768]  kernel_init_freeable+0x24c/0x2b4\n[   28.398126]  kernel_init+0x28/0x130\n[   28.401614]  ret_from_fork+0x10/0x20\n[   28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[   28.411011] SMP: stopping secondary CPUs\n[   28.414933] Kernel Offset: disabled\n[   28.418412] CPU features: 0x00000000,00000802\n[   28.427644] Rebooting in 20 seconds.."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:10.371Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260"
        },
        {
          "url": "https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2"
        }
      ],
      "title": "i2c: npcm: disable interrupt enable bit before devm_request_irq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21878",
    "datePublished": "2025-03-27T14:57:08.155Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:10.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21886 (GCVE-0-2025-21886)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP hang on parent deregistration Fix the destroy_unused_implicit_child_mr() to prevent hanging during parent deregistration as of below [1]. Upon entering destroy_unused_implicit_child_mr(), the reference count for the implicit MR parent is incremented using: refcount_inc_not_zero(). A corresponding decrement must be performed if free_implicit_child_mr_work() is not called. The code has been updated to properly manage the reference count that was incremented. [1] INFO: task python3:2157 blocked for more than 120 seconds. Not tainted 6.12.0-rc7+ #1633 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 __mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib] ? __pfx_autoremove_wake_function+0x10/0x10 ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 ? kmem_cache_free+0x221/0x400 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f20f21f017b RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60 R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890 R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/cb96ae783e7249e8e5a50c22952c0bb2983133df
	https://git.kernel.org/stable/c/a095ede2daca49d15e74d66d014883f2fa8bb924
	https://git.kernel.org/stable/c/3d8c6f26893d55fab218ad086719de1fc9bb86ba

Impacted products

Vendor

Product

Version

►

Linux

Version: 7cc8f681f6d4ae4478ae0f60485fc768f2b450da
Version: edfb65dbb9ffd3102f3ff4dd21316158e56f1976
Version: d3d930411ce390e532470194296658a960887773

Linux

Version: 6.12.13 ≤
Version: 6.13.2 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb96ae783e7249e8e5a50c22952c0bb2983133df",
              "status": "affected",
              "version": "7cc8f681f6d4ae4478ae0f60485fc768f2b450da",
              "versionType": "git"
            },
            {
              "lessThan": "a095ede2daca49d15e74d66d014883f2fa8bb924",
              "status": "affected",
              "version": "edfb65dbb9ffd3102f3ff4dd21316158e56f1976",
              "versionType": "git"
            },
            {
              "lessThan": "3d8c6f26893d55fab218ad086719de1fc9bb86ba",
              "status": "affected",
              "version": "d3d930411ce390e532470194296658a960887773",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.12.18",
              "status": "affected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThan": "6.13.6",
              "status": "affected",
              "version": "6.13.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP hang on parent deregistration\n\nFix the destroy_unused_implicit_child_mr() to prevent hanging during\nparent deregistration as of below [1].\n\nUpon entering destroy_unused_implicit_child_mr(), the reference count\nfor the implicit MR parent is incremented using:\nrefcount_inc_not_zero().\n\nA corresponding decrement must be performed if\nfree_implicit_child_mr_work() is not called.\n\nThe code has been updated to properly manage the reference count that\nwas incremented.\n\n[1]\nINFO: task python3:2157 blocked for more than 120 seconds.\nNot tainted 6.12.0-rc7+ #1633\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:python3         state:D stack:0     pid:2157 tgid:2157  ppid:1685   flags:0x00000000\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\n__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]\n? __pfx_autoremove_wake_function+0x10/0x10\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n __x64_sys_ioctl+0x1b0/0xa70\n? kmem_cache_free+0x221/0x400\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f20f21f017b\nRSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b\nRDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60\nR10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890\nR13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0\n\u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:20.708Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb96ae783e7249e8e5a50c22952c0bb2983133df"
        },
        {
          "url": "https://git.kernel.org/stable/c/a095ede2daca49d15e74d66d014883f2fa8bb924"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d8c6f26893d55fab218ad086719de1fc9bb86ba"
        }
      ],
      "title": "RDMA/mlx5: Fix implicit ODP hang on parent deregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21886",
    "datePublished": "2025-03-27T14:57:13.923Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:20.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48734 (GCVE-0-2025-48734)

Vulnerability from cvelistv5

Published

2025-05-28 13:32

Modified

2025-05-29 03:55

Severity ?

CWE

CWE-284 - Improper Access Control

Summary

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

References

►

URL

Tags

https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9

vendor-advisory

Impacted products

Vendor

Product

Version

►

Apache Software Foundation

Apache Commons BeanUtils 1.x

Version: 1.0

Apache Software Foundation

Apache Commons BeanUtils 2.x

Version: 2.0.0-M1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-29T03:55:47.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-28T18:03:42.763Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/28/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "commons-beanutils:commons-beanutils",
          "product": "Apache Commons BeanUtils 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.11.0",
              "status": "affected",
              "version": "1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.commons:commons-beanutils2",
          "product": "Apache Commons BeanUtils 2.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.0-M2",
              "status": "affected",
              "version": "2.0.0-M1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Raj (mailto:denesh.raj@zohocorp.com)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Muthukumar Marikani (mailto:muthukumar.marikani@zohocorp.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Access Control vulnerability in Apache Commons.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eA special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003eReleases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum\u2019s class loader via the \u201cdeclaredClass\u201d property available on all Java \u201cenum\u201d objects. Accessing the enum\u2019s \u201cdeclaredClass\u201d allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().\u003cbr\u003eStarting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the \u201cdeclaredClass\u201d property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user\u0027s guide and the unit tests.\u003cp\u003e\u003c/p\u003eThis issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.\u003cp\u003eUsers of the artifact commons-beanutils:commons-beanutils\n\n 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.\u003c/p\u003e\u003cp\u003e\nUsers of the artifact org.apache.commons:commons-beanutils2\n\n 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.\n\n\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Improper Access Control vulnerability in Apache Commons.\n\n\n\nA special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.\n\n\n\n\n\nReleases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum\u2019s class loader via the \u201cdeclaredClass\u201d property available on all Java \u201cenum\u201d objects. Accessing the enum\u2019s \u201cdeclaredClass\u201d allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().\nStarting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the \u201cdeclaredClass\u201d property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user\u0027s guide and the unit tests.\n\nThis issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils\n\n 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.\n\n\nUsers of the artifact org.apache.commons:commons-beanutils2\n\n 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-28T13:32:08.300Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-48734",
    "datePublished": "2025-05-28T13:32:08.300Z",
    "dateReserved": "2025-05-23T12:30:32.006Z",
    "dateUpdated": "2025-05-29T03:55:47.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58061 (GCVE-0-2024-58061)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: prohibit deactivating all links In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly.

References

►

URL

Tags

	https://git.kernel.org/stable/c/dfe9a043300261afe5eadc07b867a6810c4e999a
	https://git.kernel.org/stable/c/d36e48a4d81c647df8a76cc58fd4d2442ba10744
	https://git.kernel.org/stable/c/270ad6776e7cf1be3b769e0447070f9d0e8269db
	https://git.kernel.org/stable/c/18100796c11dfdea9101fdc95d2428b2093477ee
	https://git.kernel.org/stable/c/7553477cbfd784b128297f9ed43751688415bbaa

Impacted products

Vendor

Product

Version

►

Linux

Version: 3d901102922723eedce6ef10ebd03315a7abb8a5
Version: 3d901102922723eedce6ef10ebd03315a7abb8a5
Version: 3d901102922723eedce6ef10ebd03315a7abb8a5
Version: 3d901102922723eedce6ef10ebd03315a7abb8a5
Version: 3d901102922723eedce6ef10ebd03315a7abb8a5

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/debugfs_netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfe9a043300261afe5eadc07b867a6810c4e999a",
              "status": "affected",
              "version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
              "versionType": "git"
            },
            {
              "lessThan": "d36e48a4d81c647df8a76cc58fd4d2442ba10744",
              "status": "affected",
              "version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
              "versionType": "git"
            },
            {
              "lessThan": "270ad6776e7cf1be3b769e0447070f9d0e8269db",
              "status": "affected",
              "version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
              "versionType": "git"
            },
            {
              "lessThan": "18100796c11dfdea9101fdc95d2428b2093477ee",
              "status": "affected",
              "version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
              "versionType": "git"
            },
            {
              "lessThan": "7553477cbfd784b128297f9ed43751688415bbaa",
              "status": "affected",
              "version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/debugfs_netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: prohibit deactivating all links\n\nIn the internal API this calls this is a WARN_ON, but that\nshould remain since internally we want to know about bugs\nthat may cause this. Prevent deactivating all links in the\ndebugfs write directly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:04.037Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfe9a043300261afe5eadc07b867a6810c4e999a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d36e48a4d81c647df8a76cc58fd4d2442ba10744"
        },
        {
          "url": "https://git.kernel.org/stable/c/270ad6776e7cf1be3b769e0447070f9d0e8269db"
        },
        {
          "url": "https://git.kernel.org/stable/c/18100796c11dfdea9101fdc95d2428b2093477ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/7553477cbfd784b128297f9ed43751688415bbaa"
        }
      ],
      "title": "wifi: mac80211: prohibit deactivating all links",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58061",
    "datePublished": "2025-03-06T15:54:03.924Z",
    "dateReserved": "2025-03-06T15:52:09.179Z",
    "dateUpdated": "2025-05-04T10:09:04.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21885 (GCVE-0-2025-21885)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers While using nvme target with use_srq on, below kernel panic is noticed. [ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [ 566.393799] <TASK> [ 566.393807] ? __die_body+0x1a/0x60 [ 566.393823] ? die+0x38/0x60 [ 566.393835] ? do_trap+0xe4/0x110 [ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393881] ? do_error_trap+0x7c/0x120 [ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393911] ? exc_divide_error+0x34/0x50 [ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393939] ? asm_exc_divide_error+0x16/0x20 [ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re] [ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re] [ 566.394057] ? srso_return_thunk+0x5/0x5f [ 566.394068] ? __init_swait_queue_head+0x4a/0x60 [ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core] [ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma] [ 566.394174] ? lock_release+0x22c/0x3f0 [ 566.394187] ? srso_return_thunk+0x5/0x5f Page size and shift info is set only for the user space SRQs. Set page size and page shift for kernel space SRQs also.

References

►

URL

Tags

	https://git.kernel.org/stable/c/722c3db62bf60cd23acbdc8c4f445bfedae4498e
	https://git.kernel.org/stable/c/2cf8e6b52aecb8fbb71c41fe5add3212814031a2
	https://git.kernel.org/stable/c/b66535356a4834a234f99e16a97eb51f2c6c5a7d

Impacted products

Vendor

Product

Version

►

Linux

Version: 0c4dcd602817502bb3dced7a834a13ef717d65a4
Version: 0c4dcd602817502bb3dced7a834a13ef717d65a4
Version: 0c4dcd602817502bb3dced7a834a13ef717d65a4

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/ib_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "722c3db62bf60cd23acbdc8c4f445bfedae4498e",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "2cf8e6b52aecb8fbb71c41fe5add3212814031a2",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "b66535356a4834a234f99e16a97eb51f2c6c5a7d",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/ib_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix the page details for the srq created by kernel consumers\n\nWhile using nvme target with use_srq on, below kernel panic is noticed.\n\n[  549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)\n[  566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n..\n[  566.393799]  \u003cTASK\u003e\n[  566.393807]  ? __die_body+0x1a/0x60\n[  566.393823]  ? die+0x38/0x60\n[  566.393835]  ? do_trap+0xe4/0x110\n[  566.393847]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393867]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393881]  ? do_error_trap+0x7c/0x120\n[  566.393890]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393911]  ? exc_divide_error+0x34/0x50\n[  566.393923]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393939]  ? asm_exc_divide_error+0x16/0x20\n[  566.393966]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393997]  bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]\n[  566.394040]  bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]\n[  566.394057]  ? srso_return_thunk+0x5/0x5f\n[  566.394068]  ? __init_swait_queue_head+0x4a/0x60\n[  566.394090]  ib_create_srq_user+0xa7/0x150 [ib_core]\n[  566.394147]  nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]\n[  566.394174]  ? lock_release+0x22c/0x3f0\n[  566.394187]  ? srso_return_thunk+0x5/0x5f\n\nPage size and shift info is set only for the user space SRQs.\nSet page size and page shift for kernel space SRQs also."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:19.467Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/722c3db62bf60cd23acbdc8c4f445bfedae4498e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cf8e6b52aecb8fbb71c41fe5add3212814031a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b66535356a4834a234f99e16a97eb51f2c6c5a7d"
        }
      ],
      "title": "RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21885",
    "datePublished": "2025-03-27T14:57:13.219Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:19.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21846 (GCVE-0-2025-21846)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs. Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This api should stop to exist though.

References

►

URL

Tags

	https://git.kernel.org/stable/c/8acbf4a88c6a98c8ed00afd1a7d1abcca9b4735e
	https://git.kernel.org/stable/c/b03782ae707cc45e65242c7cddd8e28f1c22cde5
	https://git.kernel.org/stable/c/5d5b936cfa4b0d5670ca7420ef165a074bc008eb
	https://git.kernel.org/stable/c/5ee8da9bea70dda492d61f075658939af33d8410
	https://git.kernel.org/stable/c/5c928e14a2ccd99462f2351ead627b58075bb736
	https://git.kernel.org/stable/c/5a59ced8ffc71973d42c82484a719c8f6ac8f7f7
	https://git.kernel.org/stable/c/a8136afca090412a36429cb6c2543c714d9c0f84
	https://git.kernel.org/stable/c/56d5f3eba3f5de0efdd556de4ef381e109b973a9

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/acct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8acbf4a88c6a98c8ed00afd1a7d1abcca9b4735e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b03782ae707cc45e65242c7cddd8e28f1c22cde5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5d5b936cfa4b0d5670ca7420ef165a074bc008eb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5ee8da9bea70dda492d61f075658939af33d8410",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5c928e14a2ccd99462f2351ead627b58075bb736",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5a59ced8ffc71973d42c82484a719c8f6ac8f7f7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a8136afca090412a36429cb6c2543c714d9c0f84",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "56d5f3eba3f5de0efdd556de4ef381e109b973a9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/acct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: perform last write from workqueue\n\nIn [1] it was reported that the acct(2) system call can be used to\ntrigger NULL deref in cases where it is set to write to a file that\ntriggers an internal lookup. This can e.g., happen when pointing acc(2)\nto /sys/power/resume. At the point the where the write to this file\nhappens the calling task has already exited and called exit_fs(). A\nlookup will thus trigger a NULL-deref when accessing current-\u003efs.\n\nReorganize the code so that the the final write happens from the\nworkqueue but with the caller\u0027s credentials. This preserves the\n(strange) permission model and has almost no regression risk.\n\nThis api should stop to exist though."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:26.364Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8acbf4a88c6a98c8ed00afd1a7d1abcca9b4735e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b03782ae707cc45e65242c7cddd8e28f1c22cde5"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d5b936cfa4b0d5670ca7420ef165a074bc008eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ee8da9bea70dda492d61f075658939af33d8410"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c928e14a2ccd99462f2351ead627b58075bb736"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a59ced8ffc71973d42c82484a719c8f6ac8f7f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8136afca090412a36429cb6c2543c714d9c0f84"
        },
        {
          "url": "https://git.kernel.org/stable/c/56d5f3eba3f5de0efdd556de4ef381e109b973a9"
        }
      ],
      "title": "acct: perform last write from workqueue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21846",
    "datePublished": "2025-03-12T09:42:02.635Z",
    "dateReserved": "2024-12-29T08:45:45.778Z",
    "dateUpdated": "2025-05-04T07:22:26.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58012 (GCVE-0-2024-58012)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e012a77e4d7632cf615ba9625b1600ed8985c3b5
	https://git.kernel.org/stable/c/789a2fbf0900982788408d3b0034e0e3f914fb3b
	https://git.kernel.org/stable/c/569922b82ca660f8b24e705f6cf674e6b1f99cc7

Impacted products

Vendor

Product

Version

►

Linux

Version: 4c414da93a4642d02c67fbe82f1834be7bf586b7
Version: 4c414da93a4642d02c67fbe82f1834be7bf586b7
Version: 4c414da93a4642d02c67fbe82f1834be7bf586b7

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda-dai.c",
            "sound/soc/sof/intel/hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e012a77e4d7632cf615ba9625b1600ed8985c3b5",
              "status": "affected",
              "version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
              "versionType": "git"
            },
            {
              "lessThan": "789a2fbf0900982788408d3b0034e0e3f914fb3b",
              "status": "affected",
              "version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
              "versionType": "git"
            },
            {
              "lessThan": "569922b82ca660f8b24e705f6cf674e6b1f99cc7",
              "status": "affected",
              "version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/intel/hda-dai.c",
            "sound/soc/sof/intel/hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params\n\nEach cpu DAI should associate with a widget. However, the topology might\nnot create the right number of DAI widgets for aggregated amps. And it\nwill cause NULL pointer deference.\nCheck that the DAI widget associated with the CPU DAI is valid to prevent\nNULL pointer deference due to missing DAI widgets in topologies with\naggregated amps."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:24.874Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e012a77e4d7632cf615ba9625b1600ed8985c3b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/789a2fbf0900982788408d3b0034e0e3f914fb3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/569922b82ca660f8b24e705f6cf674e6b1f99cc7"
        }
      ],
      "title": "ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58012",
    "datePublished": "2025-02-27T02:12:06.202Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-04T10:08:24.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21689 (GCVE-0-2025-21689)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of "port" in the following code is out-of-bounds and NULL: serial_priv->current_port = newport; port = serial->port[serial_priv->current_port]; The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds.

References

►

URL

Tags

	https://git.kernel.org/stable/c/fa4c7472469d97c4707698b4c0e098f8cfc2bf22
	https://git.kernel.org/stable/c/94770cf7c5124f0268d481886829dc2beecc4507
	https://git.kernel.org/stable/c/6068dcff7f19e9fa6fa23ee03453ad6a40fa4efe
	https://git.kernel.org/stable/c/4b9b41fabcd38990f69ef0cee9c631d954a2b530
	https://git.kernel.org/stable/c/6377838560c03b36e1153a42ef727533def9b68f
	https://git.kernel.org/stable/c/f371471708c7d997f763b0e70565026eb67cc470
	https://git.kernel.org/stable/c/8542b33622571f54dfc2a267fce378b6e3840b8b
	https://git.kernel.org/stable/c/575a5adf48b06a2980c9eeffedf699ed5534fade

Impacted products

Vendor

Product

Version

►

Linux

Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed
Version: f7a33e608d9ae022b7f49307921627e34e9484ed

Linux

Version: 3.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/serial/quatech2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fa4c7472469d97c4707698b4c0e098f8cfc2bf22",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "94770cf7c5124f0268d481886829dc2beecc4507",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "6068dcff7f19e9fa6fa23ee03453ad6a40fa4efe",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "4b9b41fabcd38990f69ef0cee9c631d954a2b530",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "6377838560c03b36e1153a42ef727533def9b68f",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "f371471708c7d997f763b0e70565026eb67cc470",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "8542b33622571f54dfc2a267fce378b6e3840b8b",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            },
            {
              "lessThan": "575a5adf48b06a2980c9eeffedf699ed5534fade",
              "status": "affected",
              "version": "f7a33e608d9ae022b7f49307921627e34e9484ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/serial/quatech2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()\n\nThis patch addresses a null-ptr-deref in qt2_process_read_urb() due to\nan incorrect bounds check in the following:\n\n       if (newport \u003e serial-\u003enum_ports) {\n               dev_err(\u0026port-\u003edev,\n                       \"%s - port change to invalid port: %i\\n\",\n                       __func__, newport);\n               break;\n       }\n\nThe condition doesn\u0027t account for the valid range of the serial-\u003eport\nbuffer, which is from 0 to serial-\u003enum_ports - 1. When newport is equal\nto serial-\u003enum_ports, the assignment of \"port\" in the\nfollowing code is out-of-bounds and NULL:\n\n       serial_priv-\u003ecurrent_port = newport;\n       port = serial-\u003eport[serial_priv-\u003ecurrent_port];\n\nThe fix checks if newport is greater than or equal to serial-\u003enum_ports\nindicating it is out-of-bounds."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:05.956Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fa4c7472469d97c4707698b4c0e098f8cfc2bf22"
        },
        {
          "url": "https://git.kernel.org/stable/c/94770cf7c5124f0268d481886829dc2beecc4507"
        },
        {
          "url": "https://git.kernel.org/stable/c/6068dcff7f19e9fa6fa23ee03453ad6a40fa4efe"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b9b41fabcd38990f69ef0cee9c631d954a2b530"
        },
        {
          "url": "https://git.kernel.org/stable/c/6377838560c03b36e1153a42ef727533def9b68f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f371471708c7d997f763b0e70565026eb67cc470"
        },
        {
          "url": "https://git.kernel.org/stable/c/8542b33622571f54dfc2a267fce378b6e3840b8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/575a5adf48b06a2980c9eeffedf699ed5534fade"
        }
      ],
      "title": "USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21689",
    "datePublished": "2025-02-10T15:58:45.493Z",
    "dateReserved": "2024-12-29T08:45:45.741Z",
    "dateUpdated": "2025-05-04T07:19:05.956Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-42307 (GCVE-0-2024-42307)

Vulnerability from cvelistv5

Published

2024-08-17 09:09

Modified

2025-05-04 12:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path Dan Carpenter reported a Smack static checker warning: fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895) The patch which introduced the serverclose workqueue used the wrong oredering in error paths in init_cifs() for freeing it on errors.

References

►

URL

Tags

	https://git.kernel.org/stable/c/6018971710fdc7739f8655c1540832b4bb903671
	https://git.kernel.org/stable/c/160235efb4f9b55212dedff5de0094c606c4b303
	https://git.kernel.org/stable/c/3739d711246d8fbc95ff73dbdace9741cdce4777
	https://git.kernel.org/stable/c/193cc89ea0ca1da311877d2b4bb5e9f03bcc82a2

Impacted products

Vendor

Product

Version

►

Linux

Version: 8c99dfb49bdc17edffc7ff3d46b400c8c291686c
Version: 6f17163b9339fac92023a1d9bef22128db3b9a4b
Version: 173217bd73365867378b5e75a86f0049e1069ee8
Version: 173217bd73365867378b5e75a86f0049e1069ee8
Version: 40a5d14c9d3b585d55d3209fb5efe202dcaac926

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42307",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:10:12.002656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:27.701Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6018971710fdc7739f8655c1540832b4bb903671",
              "status": "affected",
              "version": "8c99dfb49bdc17edffc7ff3d46b400c8c291686c",
              "versionType": "git"
            },
            {
              "lessThan": "160235efb4f9b55212dedff5de0094c606c4b303",
              "status": "affected",
              "version": "6f17163b9339fac92023a1d9bef22128db3b9a4b",
              "versionType": "git"
            },
            {
              "lessThan": "3739d711246d8fbc95ff73dbdace9741cdce4777",
              "status": "affected",
              "version": "173217bd73365867378b5e75a86f0049e1069ee8",
              "versionType": "git"
            },
            {
              "lessThan": "193cc89ea0ca1da311877d2b4bb5e9f03bcc82a2",
              "status": "affected",
              "version": "173217bd73365867378b5e75a86f0049e1069ee8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "40a5d14c9d3b585d55d3209fb5efe202dcaac926",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifsfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.103",
                  "versionStartIncluding": "6.1.85",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "6.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential null pointer use in destroy_workqueue in init_cifs error path\n\nDan Carpenter reported a Smack static checker warning:\n   fs/smb/client/cifsfs.c:1981 init_cifs()\n   error: we previously assumed \u0027serverclose_wq\u0027 could be null (see line 1895)\n\nThe patch which introduced the serverclose workqueue used the wrong\noredering in error paths in init_cifs() for freeing it on errors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:04.018Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6018971710fdc7739f8655c1540832b4bb903671"
        },
        {
          "url": "https://git.kernel.org/stable/c/160235efb4f9b55212dedff5de0094c606c4b303"
        },
        {
          "url": "https://git.kernel.org/stable/c/3739d711246d8fbc95ff73dbdace9741cdce4777"
        },
        {
          "url": "https://git.kernel.org/stable/c/193cc89ea0ca1da311877d2b4bb5e9f03bcc82a2"
        }
      ],
      "title": "cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42307",
    "datePublished": "2024-08-17T09:09:12.613Z",
    "dateReserved": "2024-07-30T07:40:12.273Z",
    "dateUpdated": "2025-05-04T12:58:04.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21815 (GCVE-0-2025-21815)

Vulnerability from cvelistv5

Published

2025-02-27 20:04

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/compaction: fix UBSAN shift-out-of-bounds warning syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning.

References

►

URL

Tags

	https://git.kernel.org/stable/c/4491159774d973a9e2e998d25d8fbb20fada6dfa
	https://git.kernel.org/stable/c/10b7d3eb535098ccd4c82a182a33655d8a0e5c88
	https://git.kernel.org/stable/c/d1366e74342e75555af2648a2964deb2d5c92200

Impacted products

Vendor

Product

Version

►

Linux

Version: 3da0272a4c7d0d37b47b28e87014f421296fc2be
Version: 3da0272a4c7d0d37b47b28e87014f421296fc2be
Version: 3da0272a4c7d0d37b47b28e87014f421296fc2be

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/compaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4491159774d973a9e2e998d25d8fbb20fada6dfa",
              "status": "affected",
              "version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
              "versionType": "git"
            },
            {
              "lessThan": "10b7d3eb535098ccd4c82a182a33655d8a0e5c88",
              "status": "affected",
              "version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
              "versionType": "git"
            },
            {
              "lessThan": "d1366e74342e75555af2648a2964deb2d5c92200",
              "status": "affected",
              "version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/compaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/compaction: fix UBSAN shift-out-of-bounds warning\n\nsyzkaller reported a UBSAN shift-out-of-bounds warning of (1UL \u003c\u003c order)\nin isolate_freepages_block().  The bogus compound_order can be any value\nbecause it is union with flags.  Add back the MAX_PAGE_ORDER check to fix\nthe warning."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:46.285Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4491159774d973a9e2e998d25d8fbb20fada6dfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/10b7d3eb535098ccd4c82a182a33655d8a0e5c88"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1366e74342e75555af2648a2964deb2d5c92200"
        }
      ],
      "title": "mm/compaction: fix UBSAN shift-out-of-bounds warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21815",
    "datePublished": "2025-02-27T20:04:14.733Z",
    "dateReserved": "2024-12-29T08:45:45.774Z",
    "dateUpdated": "2025-05-04T07:21:46.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21877 (GCVE-0-2025-21877)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536
	https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e
	https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc
	https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4
	https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c
	https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5
	https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943
	https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f

Impacted products

Vendor

Product

Version

►

Linux

Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f

Linux

Version: 2.6.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f2dbabbce04b1ffcd6d8d07564adb94db577536",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "24dd971104057c8828d420a48e0a5af6e6f30d3e",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "67ebc3391c8377738e97a43374054d9718fdb6e4",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "a2ee5e55b50a97d13617c8653482c0ad4decff8c",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "4e8b8d43373bf837be159366f0192502f97ec7a5",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "ded25730c96949cb8b048b29c557e38569124943",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "1cf9631d836b289bd5490776551961c883ae8a4f",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register \u0027gl620a\u0027 at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:09.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536"
        },
        {
          "url": "https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f"
        }
      ],
      "title": "usbnet: gl620a: fix endpoint checking in genelink_bind()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21877",
    "datePublished": "2025-03-27T14:57:07.462Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:23:09.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53177 (GCVE-0-2024-53177)

Vulnerability from cvelistv5

Published

2024-12-27 13:49

Modified

2025-05-04 09:54

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: <TASK> dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000)

References

►

URL

Tags

	https://git.kernel.org/stable/c/791f833053578b9fd24252ebb7162a61bc3f805b
	https://git.kernel.org/stable/c/97e2afcac0bebfef6a5360f4267ce4c44507b845
	https://git.kernel.org/stable/c/47655a12c6b1bca8fa230085eab2e85a076932b7
	https://git.kernel.org/stable/c/a9685b409a03b73d2980bbfa53eb47555802d0a9

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53177",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:43:30.968681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:26.716Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "791f833053578b9fd24252ebb7162a61bc3f805b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "97e2afcac0bebfef6a5360f4267ce4c44507b845",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "47655a12c6b1bca8fa230085eab2e85a076932b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a9685b409a03b73d2980bbfa53eb47555802d0a9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: prevent use-after-free due to open_cached_dir error paths\n\nIf open_cached_dir() encounters an error parsing the lease from the\nserver, the error handling may race with receiving a lease break,\nresulting in open_cached_dir() freeing the cfid while the queued work is\npending.\n\nUpdate open_cached_dir() to drop refs rather than directly freeing the\ncfid.\n\nHave cached_dir_lease_break(), cfids_laundromat_worker(), and\ninvalidate_all_cached_dirs() clear has_lease immediately while still\nholding cfids-\u003ecfid_list_lock, and then use this to also simplify the\nreference counting in cfids_laundromat_worker() and\ninvalidate_all_cached_dirs().\n\nFixes this KASAN splat (which manually injects an error and lease break\nin open_cached_dir()):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0\nRead of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65\n\nCPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nWorkqueue: cifsiod smb2_cached_lease_break\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x77/0xb0\n print_report+0xce/0x660\n kasan_report+0xd3/0x110\n smb2_cached_lease_break+0x27/0xb0\n process_one_work+0x50a/0xc50\n worker_thread+0x2ba/0x530\n kthread+0x17c/0x1c0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 2464:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n open_cached_dir+0xa7d/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2464:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x51/0x70\n kfree+0x174/0x520\n open_cached_dir+0x97f/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x32/0x100\n __queue_work+0x5c9/0x870\n queue_work_on+0x82/0x90\n open_cached_dir+0x1369/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe buggy address belongs to the object at ffff88811cc24c00\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 16 bytes inside of\n freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:59.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/791f833053578b9fd24252ebb7162a61bc3f805b"
        },
        {
          "url": "https://git.kernel.org/stable/c/97e2afcac0bebfef6a5360f4267ce4c44507b845"
        },
        {
          "url": "https://git.kernel.org/stable/c/47655a12c6b1bca8fa230085eab2e85a076932b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9685b409a03b73d2980bbfa53eb47555802d0a9"
        }
      ],
      "title": "smb: prevent use-after-free due to open_cached_dir error paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53177",
    "datePublished": "2024-12-27T13:49:21.362Z",
    "dateReserved": "2024-11-19T17:17:25.007Z",
    "dateUpdated": "2025-05-04T09:54:59.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21726 (GCVE-0-2025-21726)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:06

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_work(reorder_work) padata_reorder queue_work_on(squeue->work) ... <kworker context> padata_serial_worker // completes new request, // no more outstanding // requests crypto_del_alg // free pd <kworker context> invoke_padata_reorder // UAF of pd To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0
	https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1
	https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2
	https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc
	https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
	https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0
	https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600

Impacted products

Vendor

Product

Version

►

Linux

Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: bbefa1dd6a6d53537c11624752219e39959d04fb
Version: b4c8ed0bf977760a206997b6429a7ac91978f440
Version: e43d65719527043f1ef79ecba9d4ede58cbc7ffe

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:10.478288Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:28.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "7000507bb0d2ceb545c0a690e0c707c897d102c2",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "a54091c24220a4cd847d5b4f36d678edacddbaf0",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "lessThan": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "status": "affected",
              "version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b4c8ed0bf977760a206997b6429a7ac91978f440",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e43d65719527043f1ef79ecba9d4ede58cbc7ffe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: avoid UAF for reorder_work\n\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\n\ncrypto_request\t\t\tcrypto_request\t\tcrypto_del_alg\npadata_do_serial\n  ...\n  padata_reorder\n    // processes all remaining\n    // requests then breaks\n    while (1) {\n      if (!padata)\n        break;\n      ...\n    }\n\n\t\t\t\tpadata_do_serial\n\t\t\t\t  // new request added\n\t\t\t\t  list_add\n    // sees the new request\n    queue_work(reorder_work)\n\t\t\t\t  padata_reorder\n\t\t\t\t    queue_work_on(squeue-\u003ework)\n...\n\n\t\t\t\t\u003ckworker context\u003e\n\t\t\t\tpadata_serial_worker\n\t\t\t\t// completes new request,\n\t\t\t\t// no more outstanding\n\t\t\t\t// requests\n\n\t\t\t\t\t\t\tcrypto_del_alg\n\t\t\t\t\t\t\t  // free pd\n\n\u003ckworker context\u003e\ninvoke_padata_reorder\n  // UAF of pd\n\nTo avoid UAF for \u0027reorder_work\u0027, get \u0027pd\u0027 ref before put \u0027reorder_work\u0027\ninto the \u0027serial_wq\u0027 and put \u0027pd\u0027 ref until the \u0027serial_wq\u0027 finish."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:27.271Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"
        },
        {
          "url": "https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"
        }
      ],
      "title": "padata: avoid UAF for reorder_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21726",
    "datePublished": "2025-02-27T02:07:32.861Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T13:06:27.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-26465 (GCVE-0-2025-26465)

Vulnerability from cvelistv5

Published

2025-02-18 18:27

Modified

2025-08-14 13:06

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-390 - Detection of Error Condition Without Action

Summary

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:3837	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:6993	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8385	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-26465	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2344780	issue-tracking, x_refsource_REDHAT
	https://seclists.org/oss-sec/2025/q1/144

Impacted products

Vendor

Product

Version

►

Version: 6.8p1 <

Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:8.7p1-45.el9 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:8.7p1-45.el9 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	Unaffected: 0:8.7p1-38.el9_4.5 < * cpe:/o:redhat:rhel_eus:9.4::baseos cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Discovery 1.14	Unaffected: sha256:f33991d766b618a128fb99fbe4f9b61c5004f7c6aa73b2b38e28d59e56c64d63 < * cpe:/a:redhat:discovery:1.14::el9
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-03T17:48:15.682Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html"
          },
          {
            "url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
          },
          {
            "url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
          },
          {
            "url": "https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/"
          },
          {
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1237040"
          },
          {
            "url": "https://security-tracker.debian.org/tracker/CVE-2025-26465"
          },
          {
            "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig"
          },
          {
            "url": "https://ubuntu.com/security/CVE-2025-26465"
          },
          {
            "url": "https://www.openssh.com/releasenotes.html#9.9p2"
          },
          {
            "url": "https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466"
          },
          {
            "url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250228-0003/"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26465",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-19T15:02:09.369445Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T15:02:45.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://seclists.org/oss-sec/2025/q1/144"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.openssh.com/",
          "defaultStatus": "unaffected",
          "packageName": "OpenSSH",
          "repo": "https://anongit.mindrot.org/openssh.git",
          "versions": [
            {
              "lessThanOrEqual": "9.9p1",
              "status": "affected",
              "version": "6.8p1",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.7p1-45.el9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.7p1-45.el9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:9.4::baseos",
            "cpe:/a:redhat:rhel_eus:9.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.7p1-38.el9_4.5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:1.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/discovery/discovery-server-rhel9",
          "product": "Red Hat Discovery 1.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:f33991d766b618a128fb99fbe4f9b61c5004f7c6aa73b2b38e28d59e56c64d63",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-17T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client\u0027s memory resource first, turning the attack complexity high."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-390",
              "description": "Detection of Error Condition Without Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T13:06:48.611Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:3837",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:3837"
        },
        {
          "name": "RHSA-2025:6993",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:6993"
        },
        {
          "name": "RHSA-2025:8385",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8385"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-26465"
        },
        {
          "name": "RHBZ#2344780",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344780"
        },
        {
          "url": "https://seclists.org/oss-sec/2025/q1/144"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-10T21:56:03.853000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-17T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-390: Detection of Error Condition Without Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-26465",
    "datePublished": "2025-02-18T18:27:16.843Z",
    "dateReserved": "2025-02-10T18:31:47.978Z",
    "dateUpdated": "2025-08-14T13:06:48.611Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22869 (GCVE-0-2025-22869)

Vulnerability from cvelistv5

Published

2025-02-26 03:07

Modified

2025-04-11 22:03

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

Summary

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

References

►

URL

Tags

	https://go.dev/cl/652135
	https://go.dev/issue/71931
	https://pkg.go.dev/vuln/GO-2025-3487

Impacted products

	Vendor	Product	Version
	golang.org/x/crypto	golang.org/x/crypto/ssh	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T14:57:07.968721Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T14:57:49.252Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-11T22:03:24.222Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250411-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "newHandshakeTransport"
            },
            {
              "name": "handshakeTransport.recordWriteError"
            },
            {
              "name": "handshakeTransport.kexLoop"
            },
            {
              "name": "handshakeTransport.writePacket"
            },
            {
              "name": "Client.Dial"
            },
            {
              "name": "Client.DialContext"
            },
            {
              "name": "Client.DialTCP"
            },
            {
              "name": "Client.Listen"
            },
            {
              "name": "Client.ListenTCP"
            },
            {
              "name": "Client.ListenUnix"
            },
            {
              "name": "Client.NewSession"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DiscardRequests"
            },
            {
              "name": "NewClient"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "Request.Reply"
            },
            {
              "name": "Session.Close"
            },
            {
              "name": "Session.CombinedOutput"
            },
            {
              "name": "Session.Output"
            },
            {
              "name": "Session.RequestPty"
            },
            {
              "name": "Session.RequestSubsystem"
            },
            {
              "name": "Session.Run"
            },
            {
              "name": "Session.SendRequest"
            },
            {
              "name": "Session.Setenv"
            },
            {
              "name": "Session.Shell"
            },
            {
              "name": "Session.Signal"
            },
            {
              "name": "Session.Start"
            },
            {
              "name": "Session.WindowChange"
            },
            {
              "name": "channel.Accept"
            },
            {
              "name": "channel.Close"
            },
            {
              "name": "channel.CloseWrite"
            },
            {
              "name": "channel.Read"
            },
            {
              "name": "channel.ReadExtended"
            },
            {
              "name": "channel.Reject"
            },
            {
              "name": "channel.SendRequest"
            },
            {
              "name": "channel.Write"
            },
            {
              "name": "channel.WriteExtended"
            },
            {
              "name": "connection.SendAuthBanner"
            },
            {
              "name": "curve25519sha256.Client"
            },
            {
              "name": "curve25519sha256.Server"
            },
            {
              "name": "dhGEXSHA.Client"
            },
            {
              "name": "dhGEXSHA.Server"
            },
            {
              "name": "dhGroup.Client"
            },
            {
              "name": "dhGroup.Server"
            },
            {
              "name": "ecdh.Client"
            },
            {
              "name": "ecdh.Server"
            },
            {
              "name": "extChannel.Read"
            },
            {
              "name": "extChannel.Write"
            },
            {
              "name": "mux.OpenChannel"
            },
            {
              "name": "mux.SendRequest"
            },
            {
              "name": "sessionStdin.Close"
            },
            {
              "name": "sshClientKeyboardInteractive.Challenge"
            },
            {
              "name": "tcpListener.Accept"
            },
            {
              "name": "tcpListener.Close"
            },
            {
              "name": "unixListener.Accept"
            },
            {
              "name": "unixListener.Close"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.35.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Yuichi Watanabe"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-26T03:07:48.855Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/652135"
        },
        {
          "url": "https://go.dev/issue/71931"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3487"
        }
      ],
      "title": "Potential denial of service in golang.org/x/crypto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-22869",
    "datePublished": "2025-02-26T03:07:48.855Z",
    "dateReserved": "2025-01-08T19:11:42.834Z",
    "dateUpdated": "2025-04-11T22:03:24.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-40403 (GCVE-0-2023-40403)

Vulnerability from cvelistv5

Published

2023-09-26 20:14

Modified

2025-02-13 17:07

Severity ?

CWE

Processing web content may disclose sensitive information

Summary

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information.

References

►

URL

Tags

	https://support.apple.com/en-us/HT213938
	https://support.apple.com/en-us/HT213932
	https://support.apple.com/en-us/HT213927
	https://support.apple.com/en-us/HT213931
	https://support.apple.com/en-us/HT213936
	https://support.apple.com/en-us/HT213940
	https://support.apple.com/en-us/HT213937
	http://seclists.org/fulldisclosure/2023/Oct/5
	http://seclists.org/fulldisclosure/2023/Oct/10
	http://seclists.org/fulldisclosure/2023/Oct/6
	http://seclists.org/fulldisclosure/2023/Oct/8
	http://seclists.org/fulldisclosure/2023/Oct/9
	http://seclists.org/fulldisclosure/2023/Oct/3
	http://seclists.org/fulldisclosure/2023/Oct/4

Impacted products

Vendor

Product

Version

►

Apple

iOS and iPadOS

Version: unspecified < 17

Apple	macOS	Version: unspecified < 12.7
Apple	iOS and iPadOS	Version: unspecified < 16.7
Apple	macOS	Version: unspecified < 13.6
Apple	tvOS	Version: unspecified < 17
Apple	macOS	Version: unspecified < 14
Apple	watchOS	Version: unspecified < 10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:31:53.743Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213938"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213932"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213927"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213931"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213936"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213940"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/en-us/HT213937"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40403",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T14:28:39.479611Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T14:47:30.567Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iOS and iPadOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "17",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "12.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "iOS and iPadOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "16.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "13.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "tvOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "17",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "14",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "watchOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Processing web content may disclose sensitive information",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-03T05:06:43.212Z",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "url": "https://support.apple.com/en-us/HT213938"
        },
        {
          "url": "https://support.apple.com/en-us/HT213932"
        },
        {
          "url": "https://support.apple.com/en-us/HT213927"
        },
        {
          "url": "https://support.apple.com/en-us/HT213931"
        },
        {
          "url": "https://support.apple.com/en-us/HT213936"
        },
        {
          "url": "https://support.apple.com/en-us/HT213940"
        },
        {
          "url": "https://support.apple.com/en-us/HT213937"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/5"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/10"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/6"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/8"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/9"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/3"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/4"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2023-40403",
    "datePublished": "2023-09-26T20:14:54.697Z",
    "dateReserved": "2023-08-14T20:26:36.254Z",
    "dateUpdated": "2025-02-13T17:07:54.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58083 (GCVE-0-2024-58083)

Vulnerability from cvelistv5

Published

2025-03-06 16:13

Modified

2025-05-04 13:01

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.

References

►

URL

Tags

	https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8
	https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63
	https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480
	https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd
	https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7
	https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4
	https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96
	https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46

Impacted products

Vendor

Product

Version

►

Linux

Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c
Version: 559e2696d2f47a3575e9550f101a7e59e30b1b38
Version: d39f3cc71382165bb7efb8e06a2bd32f847de4ae
Version: 7cee966029037a183d98cb88251ceb92a233fe63

Linux

Version: 5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58083",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T17:00:02.623750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:08:23.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kvm_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cce2ed69b00e022b5cdf0c49c82986abd2941a8",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "09d50ccf0b2d739db4a485b08afe7520a4402a63",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "7c4899239d0f70f88ac42665b3da51678d122480",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "d817e510662fd1c9797952408d94806f97a5fffd",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "125da53b3c0c9d7f58353aea0076e9efd6498ba7",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "f2f805ada63b536bc192458a7098388286568ad4",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "ca8da90ed1432ff3d000de4f1e2275d4e7d21b96",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "1e7381f3617d14b3c11da80ff5f8a93ab14cfc46",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "559e2696d2f47a3575e9550f101a7e59e30b1b38",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d39f3cc71382165bb7efb8e06a2bd32f847de4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7cee966029037a183d98cb88251ceb92a233fe63",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kvm_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu().  If the index is \"bad\", the nospec clamping will\ngenerate \u00270\u0027, i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn\u0027t exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm-\u003evcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0.  Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum.  Preventing\naccesses to vCPU0 before it\u0027s fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:53.162Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480"
        },
        {
          "url": "https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd"
        },
        {
          "url": "https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46"
        }
      ],
      "title": "KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58083",
    "datePublished": "2025-03-06T16:13:45.631Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-05-04T13:01:53.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58017 (GCVE-0-2024-58017)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer.

References

►

URL

Tags

	https://git.kernel.org/stable/c/54c14022fa2ba427dc543455c2cf9225903a7174
	https://git.kernel.org/stable/c/dfb7b179741ee09506dc7719d92f9e1cea01f10e
	https://git.kernel.org/stable/c/bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1
	https://git.kernel.org/stable/c/9a6d43844de2479a3ff8d674c3e2a16172e01598
	https://git.kernel.org/stable/c/4acf6bab775dbd22a9a799030a808a7305e01d63
	https://git.kernel.org/stable/c/404e5fd918a0b14abec06c7eca128f04c9b98e41
	https://git.kernel.org/stable/c/4a2c4e7265b8eed83c25d86d702cea06493cab18
	https://git.kernel.org/stable/c/3d6f83df8ff2d5de84b50377e4f0d45e25311c7a

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/printk/printk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "54c14022fa2ba427dc543455c2cf9225903a7174",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dfb7b179741ee09506dc7719d92f9e1cea01f10e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9a6d43844de2479a3ff8d674c3e2a16172e01598",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4acf6bab775dbd22a9a799030a808a7305e01d63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "404e5fd918a0b14abec06c7eca128f04c9b98e41",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4a2c4e7265b8eed83c25d86d702cea06493cab18",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3d6f83df8ff2d5de84b50377e4f0d45e25311c7a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/printk/printk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprintk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX\n\nShifting 1 \u003c\u003c 31 on a 32-bit int causes signed integer overflow, which\nleads to undefined behavior. To prevent this, cast 1 to u32 before\nperforming the shift, ensuring well-defined behavior.\n\nThis change explicitly avoids any potential overflow by ensuring that\nthe shift occurs on an unsigned 32-bit integer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:32.308Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/54c14022fa2ba427dc543455c2cf9225903a7174"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfb7b179741ee09506dc7719d92f9e1cea01f10e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a6d43844de2479a3ff8d674c3e2a16172e01598"
        },
        {
          "url": "https://git.kernel.org/stable/c/4acf6bab775dbd22a9a799030a808a7305e01d63"
        },
        {
          "url": "https://git.kernel.org/stable/c/404e5fd918a0b14abec06c7eca128f04c9b98e41"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a2c4e7265b8eed83c25d86d702cea06493cab18"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d6f83df8ff2d5de84b50377e4f0d45e25311c7a"
        }
      ],
      "title": "printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58017",
    "datePublished": "2025-02-27T02:12:09.075Z",
    "dateReserved": "2025-02-27T02:10:48.228Z",
    "dateUpdated": "2025-05-04T10:08:32.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21684 (GCVE-0-2025-21684)

Vulnerability from cvelistv5

Published

2025-02-09 11:37

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208)

References

►

URL

Tags

	https://git.kernel.org/stable/c/d25041d4a3b2af64c888cf762362b2528ba59294
	https://git.kernel.org/stable/c/f0ed2d0abc021f56fa27dc6d0770535c1851a43b
	https://git.kernel.org/stable/c/b0111650ee596219bb5defa0ce1a1308e6e77ccf
	https://git.kernel.org/stable/c/9c035105c5537d2ecad6b9415e9417a1ffbd0a62
	https://git.kernel.org/stable/c/9860370c2172704b6b4f0075a0c2a29fd84af96a

Impacted products

Vendor

Product

Version

►

Linux

Version: a32c7caea292c4d1e417eae6e5a348d187546acf
Version: a32c7caea292c4d1e417eae6e5a348d187546acf
Version: a32c7caea292c4d1e417eae6e5a348d187546acf
Version: a32c7caea292c4d1e417eae6e5a348d187546acf
Version: a32c7caea292c4d1e417eae6e5a348d187546acf

Linux

Version: 5.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-xilinx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d25041d4a3b2af64c888cf762362b2528ba59294",
              "status": "affected",
              "version": "a32c7caea292c4d1e417eae6e5a348d187546acf",
              "versionType": "git"
            },
            {
              "lessThan": "f0ed2d0abc021f56fa27dc6d0770535c1851a43b",
              "status": "affected",
              "version": "a32c7caea292c4d1e417eae6e5a348d187546acf",
              "versionType": "git"
            },
            {
              "lessThan": "b0111650ee596219bb5defa0ce1a1308e6e77ccf",
              "status": "affected",
              "version": "a32c7caea292c4d1e417eae6e5a348d187546acf",
              "versionType": "git"
            },
            {
              "lessThan": "9c035105c5537d2ecad6b9415e9417a1ffbd0a62",
              "status": "affected",
              "version": "a32c7caea292c4d1e417eae6e5a348d187546acf",
              "versionType": "git"
            },
            {
              "lessThan": "9860370c2172704b6b4f0075a0c2a29fd84af96a",
              "status": "affected",
              "version": "a32c7caea292c4d1e417eae6e5a348d187546acf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-xilinx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: xilinx: Convert gpio_lock to raw spinlock\n\nirq_chip functions may be called in raw spinlock context. Therefore, we\nmust also use a raw spinlock for our own internal locking.\n\nThis fixes the following lockdep splat:\n\n[    5.349336] =============================\n[    5.353349] [ BUG: Invalid wait context ]\n[    5.357361] 6.13.0-rc5+ #69 Tainted: G        W\n[    5.363031] -----------------------------\n[    5.367045] kworker/u17:1/44 is trying to lock:\n[    5.371587] ffffff88018b02c0 (\u0026chip-\u003egpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))\n[    5.380079] other info that might help us debug this:\n[    5.385138] context-{5:5}\n[    5.387762] 5 locks held by kworker/u17:1/44:\n[    5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)\n[    5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205)\n[    5.411528] #2: ffffff880172c900 (\u0026dev-\u003emutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)\n[    5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596)\n[    5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)\n[    5.436472] stack backtrace:\n[    5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G        W          6.13.0-rc5+ #69\n[    5.448690] Tainted: [W]=WARN\n[    5.451656] Hardware name: xlnx,zynqmp (DT)\n[    5.455845] Workqueue: events_unbound deferred_probe_work_func\n[    5.461699] Call trace:\n[    5.464147] show_stack+0x18/0x24 C\n[    5.467821] dump_stack_lvl (lib/dump_stack.c:123)\n[    5.471501] dump_stack (lib/dump_stack.c:130)\n[    5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176)\n[    5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)\n[    5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)\n[    5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))\n[    5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)\n[    5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250)\n[    5.497645] irq_startup (kernel/irq/chip.c:270)\n[    5.501143] __setup_irq (kernel/irq/manage.c:1807)\n[    5.504728] request_threaded_irq (kernel/irq/manage.c:2208)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:00.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d25041d4a3b2af64c888cf762362b2528ba59294"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0ed2d0abc021f56fa27dc6d0770535c1851a43b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0111650ee596219bb5defa0ce1a1308e6e77ccf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c035105c5537d2ecad6b9415e9417a1ffbd0a62"
        },
        {
          "url": "https://git.kernel.org/stable/c/9860370c2172704b6b4f0075a0c2a29fd84af96a"
        }
      ],
      "title": "gpio: xilinx: Convert gpio_lock to raw spinlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21684",
    "datePublished": "2025-02-09T11:37:24.610Z",
    "dateReserved": "2024-12-29T08:45:45.740Z",
    "dateUpdated": "2025-05-04T07:19:00.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21697 (GCVE-0-2025-21697)

Vulnerability from cvelistv5

Published

2025-02-12 13:27

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Ensure job pointer is set to NULL after job completion After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1bd6303d08c85072ce40ac01a767ab67195105bd
	https://git.kernel.org/stable/c/a34050f70e7955a359874dff1a912a748724a140
	https://git.kernel.org/stable/c/14e0a874488e79086340ba8e2d238cb9596b68a8
	https://git.kernel.org/stable/c/2a1c88f7ca5c12dff6fa6787492ac910bb9e4407
	https://git.kernel.org/stable/c/63195bae1cbf78f1d392b1bc9ae4b03c82d0ebf3
	https://git.kernel.org/stable/c/b22467b1ae104073dcb11aa78562a331cd7fb0e0
	https://git.kernel.org/stable/c/e4b5ccd392b92300a2b341705cc4805681094e49

Impacted products

Vendor

Product

Version

►

Linux

Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2
Version: 14d1d190869685d3a1e8a3f63924e20594557cb2

Linux

Version: 4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1bd6303d08c85072ce40ac01a767ab67195105bd",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "a34050f70e7955a359874dff1a912a748724a140",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "14e0a874488e79086340ba8e2d238cb9596b68a8",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "2a1c88f7ca5c12dff6fa6787492ac910bb9e4407",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "63195bae1cbf78f1d392b1bc9ae4b03c82d0ebf3",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "b22467b1ae104073dcb11aa78562a331cd7fb0e0",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            },
            {
              "lessThan": "e4b5ccd392b92300a2b341705cc4805681094e49",
              "status": "affected",
              "version": "14d1d190869685d3a1e8a3f63924e20594557cb2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Ensure job pointer is set to NULL after job completion\n\nAfter a job completes, the corresponding pointer in the device must\nbe set to NULL. Failing to do so triggers a warning when unloading\nthe driver, as it appears the job is still active. To prevent this,\nassign the job pointer to NULL after completing the job, indicating\nthe job has finished."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:14.739Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1bd6303d08c85072ce40ac01a767ab67195105bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a34050f70e7955a359874dff1a912a748724a140"
        },
        {
          "url": "https://git.kernel.org/stable/c/14e0a874488e79086340ba8e2d238cb9596b68a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a1c88f7ca5c12dff6fa6787492ac910bb9e4407"
        },
        {
          "url": "https://git.kernel.org/stable/c/63195bae1cbf78f1d392b1bc9ae4b03c82d0ebf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b22467b1ae104073dcb11aa78562a331cd7fb0e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b5ccd392b92300a2b341705cc4805681094e49"
        }
      ],
      "title": "drm/v3d: Ensure job pointer is set to NULL after job completion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21697",
    "datePublished": "2025-02-12T13:27:55.488Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2025-05-04T07:19:14.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21791 (GCVE-0-2025-21791)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e
	https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b
	https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b
	https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c
	https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f
	https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21
	https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019
	https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773

Impacted products

Vendor

Product

Version

►

Linux

Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539

Linux

Version: 4.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:16.236835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n  ip_send_skb()\n   ip_local_out()\n    __ip_local_out()\n     l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:18.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
        }
      ],
      "title": "vrf: use RCU protection in l3mdev_l3_out()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21791",
    "datePublished": "2025-02-27T02:18:29.014Z",
    "dateReserved": "2024-12-29T08:45:45.766Z",
    "dateUpdated": "2025-05-04T07:21:18.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-29088 (GCVE-0-2025-29088)

Vulnerability from cvelistv5

Published

2025-04-10 00:00

Modified

2025-04-14 13:56

Severity ?

5.6 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-190 - Integer Overflow or Wraparound

Summary

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

References

►

URL

Tags

	https://www.sqlite.org/cves.html
	https://sqlite.org/forum/forumpost/48f365daec
	https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
	https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
	https://sqlite.org/releaselog/3_49_1.html

Impacted products

	Vendor	Product	Version
	SQLite	SQLite	Version: 3.49.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-29088",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T19:43:38.254260Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T19:44:50.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SQLite",
          "vendor": "SQLite",
          "versions": [
            {
              "lessThan": "3.49.1",
              "status": "affected",
              "version": "3.49.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.49.1",
                  "versionStartIncluding": "3.49.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-14T13:56:32.775Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.sqlite.org/cves.html"
        },
        {
          "url": "https://sqlite.org/forum/forumpost/48f365daec"
        },
        {
          "url": "https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4"
        },
        {
          "url": "https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248"
        },
        {
          "url": "https://sqlite.org/releaselog/3_49_1.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-29088",
    "datePublished": "2025-04-10T00:00:00.000Z",
    "dateReserved": "2025-03-11T00:00:00.000Z",
    "dateUpdated": "2025-04-14T13:56:32.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21693 (GCVE-0-2025-21693)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment]

References

►

URL

Tags

	https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1
	https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65

Impacted products

Vendor

Product

Version

►

Linux

Version: 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161
Version: 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161

Linux

Version: 5.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:10:07.856772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T17:11:03.608Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1",
              "status": "affected",
              "version": "1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161",
              "versionType": "git"
            },
            {
              "lessThan": "12dcb0ef540629a281533f9dedc1b6b8e14cfb65",
              "status": "affected",
              "version": "1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: properly synchronize freeing resources during CPU hotunplug\n\nIn zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the\ncurrent CPU at the beginning of the operation is retrieved and used\nthroughout.  However, since neither preemption nor migration are disabled,\nit is possible that the operation continues on a different CPU.\n\nIf the original CPU is hotunplugged while the acomp_ctx is still in use,\nwe run into a UAF bug as some of the resources attached to the acomp_ctx\nare freed during hotunplug in zswap_cpu_comp_dead() (i.e. \nacomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).\n\nThe problem was introduced in commit 1ec3b5fe6eec (\"mm/zswap: move to use\ncrypto_acomp API for hardware acceleration\") when the switch to the\ncrypto_acomp API was made.  Prior to that, the per-CPU crypto_comp was\nretrieved using get_cpu_ptr() which disables preemption and makes sure the\nCPU cannot go away from under us.  Preemption cannot be disabled with the\ncrypto_acomp API as a sleepable context is needed.\n\nUse the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating\nand freeing resources with compression/decompression paths.  Make sure\nthat acomp_ctx.req is NULL when the resources are freed.  In the\ncompression/decompression paths, check if acomp_ctx.req is NULL after\nacquiring the mutex (meaning the CPU was offlined) and retry on the new\nCPU.\n\nThe initialization of acomp_ctx.mutex is moved from the CPU hotplug\ncallback to the pool initialization where it belongs (where the mutex is\nallocated).  In addition to adding clarity, this makes sure that CPU\nhotplug cannot reinitialize a mutex that is already locked by\ncompression/decompression.\n\nPreviously a fix was attempted by holding cpus_read_lock() [1].  This\nwould have caused a potential deadlock as it is possible for code already\nholding the lock to fall into reclaim and enter zswap (causing a\ndeadlock).  A fix was also attempted using SRCU for synchronization, but\nJohannes pointed out that synchronize_srcu() cannot be used in CPU hotplug\nnotifiers [2].\n\nAlternative fixes that were considered/attempted and could have worked:\n- Refcounting the per-CPU acomp_ctx. This involves complexity in\n  handling the race between the refcount dropping to zero in\n  zswap_[de]compress() and the refcount being re-initialized when the\n  CPU is onlined.\n- Disabling migration before getting the per-CPU acomp_ctx [3], but\n  that\u0027s discouraged and is a much bigger hammer than needed, and could\n  result in subtle performance issues.\n\n[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/\n[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/\n[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/\n\n[yosryahmed@google.com: remove comment]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:10.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1"
        },
        {
          "url": "https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65"
        }
      ],
      "title": "mm: zswap: properly synchronize freeing resources during CPU hotunplug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21693",
    "datePublished": "2025-02-10T15:58:49.056Z",
    "dateReserved": "2024-12-29T08:45:45.742Z",
    "dateUpdated": "2025-05-04T07:19:10.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31651 (GCVE-0-2025-31651)

Vulnerability from cvelistv5

Published

2025-04-28 19:17

Modified

2025-08-08 11:49

Severity ?

CWE

CWE-116 - Improper Encoding or Escaping of Output

Summary

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

References

►

URL

Tags

https://lists.apache.org/list.html?announce@tomcat.apache.org

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 11.0.0-M1 ≤ 11.0.5 Version: 10.1.0-M1 ≤ 10.1.39 Version: 9.0.0.M1 ≤ 9.0.102 Version: 8.5.0 ≤ 8.5.100

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-28T22:02:47.596Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/28/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-31651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-29T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T03:55:44.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.5",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.39",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.102",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unknown",
              "version": "8.0.0.RC1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "COSCO Shipping Lines DIC"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\u0026nbsp;For a subset of unlikely rewrite rule configurations, it was possible \nfor a specially crafted request to bypass some rewrite rules. If those \nrewrite rules effectively enforced security constraints, those \nconstraints could be bypassed.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\u00a0For a subset of unlikely rewrite rule configurations, it was possible \nfor a specially crafted request to bypass some rewrite rules. If those \nrewrite rules effectively enforced security constraints, those \nconstraints could be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T11:49:29.178Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/list.html?announce@tomcat.apache.org"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Bypass of rules in Rewrite Valve",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-31651",
    "datePublished": "2025-04-28T19:17:21.721Z",
    "dateReserved": "2025-03-31T12:25:25.164Z",
    "dateUpdated": "2025-08-08T11:49:29.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58007 (GCVE-0-2024-58007)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM. Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7445fa05317534bbd8b373c0eff8319187916030
	https://git.kernel.org/stable/c/2495c6598731b6d7f565140f2bd63ef4bc36ce7d
	https://git.kernel.org/stable/c/2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd
	https://git.kernel.org/stable/c/9c88b3a3fae4d60641c3a45be66269d00eff33cd
	https://git.kernel.org/stable/c/47470acd719d45c4c8c418c07962f74cc995652b
	https://git.kernel.org/stable/c/407c928305c1a37232a63811c400ef616f85ccbc
	https://git.kernel.org/stable/c/0a92feddae0634a0b87c04b19d343f6af97af700
	https://git.kernel.org/stable/c/22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0

Impacted products

Vendor

Product

Version

►

Linux

Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e
Version: efb448d0a3fca01bb987dd70963da6185b81751e

Linux

Version: 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/socinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7445fa05317534bbd8b373c0eff8319187916030",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "2495c6598731b6d7f565140f2bd63ef4bc36ce7d",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "9c88b3a3fae4d60641c3a45be66269d00eff33cd",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "47470acd719d45c4c8c418c07962f74cc995652b",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "407c928305c1a37232a63811c400ef616f85ccbc",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "0a92feddae0634a0b87c04b19d343f6af97af700",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/socinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: socinfo: Avoid out of bounds read of serial number\n\nOn MSM8916 devices, the serial number exposed in sysfs is constant and does\nnot change across individual devices. It\u0027s always:\n\n  db410c:/sys/devices/soc0$ cat serial_number\n  2644893864\n\nThe firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not\nhave support for the serial_num field in the socinfo struct. There is an\nexisting check to avoid exposing the serial number in that case, but it\u0027s\nnot correct: When checking the item_size returned by SMEM, we need to make\nsure the *end* of the serial_num is within bounds, instead of comparing\nwith the *start* offset. The serial_number currently exposed on MSM8916\ndevices is just an out of bounds read of whatever comes after the socinfo\nstruct in SMEM.\n\nFix this by changing offsetof() to offsetofend(), so that the size of the\nfield is also taken into account."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:16.807Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7445fa05317534bbd8b373c0eff8319187916030"
        },
        {
          "url": "https://git.kernel.org/stable/c/2495c6598731b6d7f565140f2bd63ef4bc36ce7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c88b3a3fae4d60641c3a45be66269d00eff33cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/47470acd719d45c4c8c418c07962f74cc995652b"
        },
        {
          "url": "https://git.kernel.org/stable/c/407c928305c1a37232a63811c400ef616f85ccbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a92feddae0634a0b87c04b19d343f6af97af700"
        },
        {
          "url": "https://git.kernel.org/stable/c/22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0"
        }
      ],
      "title": "soc: qcom: socinfo: Avoid out of bounds read of serial number",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58007",
    "datePublished": "2025-02-27T02:12:03.593Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-04T10:08:16.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21876 (GCVE-0-2025-21876)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix suspicious RCU usage Commit <d74169ceb0d2> ("iommu/vt-d: Allocate DMAR fault interrupts locally") moved the call to enable_drhd_fault_handling() to a code path that does not hold any lock while traversing the drhd list. Fix it by ensuring the dmar_global_lock lock is held when traversing the drhd list. Without this fix, the following warning is triggered: ============================= WARNING: suspicious RCU usage 6.14.0-rc3 #55 Not tainted ----------------------------- drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 1 2 locks held by cpuhp/1/23: #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 stack backtrace: CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55 Call Trace: <TASK> dump_stack_lvl+0xb7/0xd0 lockdep_rcu_suspicious+0x159/0x1f0 ? __pfx_enable_drhd_fault_handling+0x10/0x10 enable_drhd_fault_handling+0x151/0x180 cpuhp_invoke_callback+0x1df/0x990 cpuhp_thread_fun+0x1ea/0x2c0 smpboot_thread_fn+0x1f5/0x2e0 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x12a/0x2d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4a/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Holding the lock in enable_drhd_fault_handling() triggers a lockdep splat about a possible deadlock between dmar_global_lock and cpu_hotplug_lock. This is avoided by not holding dmar_global_lock when calling iommu_device_register(), which initiates the device probe process.

References

►

URL

Tags

	https://git.kernel.org/stable/c/4117c72938493a77ab53cc4b8284be8fb6ec8065
	https://git.kernel.org/stable/c/c603ccbe91d189849e1439134598ec567088dcec
	https://git.kernel.org/stable/c/b150654f74bf0df8e6a7936d5ec51400d9ec06d8

Impacted products

Vendor

Product

Version

►

Linux

Version: d74169ceb0d2e32438946a2f1f9fc8c803304bd6
Version: d74169ceb0d2e32438946a2f1f9fc8c803304bd6
Version: d74169ceb0d2e32438946a2f1f9fc8c803304bd6

Linux

Version: 6.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/dmar.c",
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4117c72938493a77ab53cc4b8284be8fb6ec8065",
              "status": "affected",
              "version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
              "versionType": "git"
            },
            {
              "lessThan": "c603ccbe91d189849e1439134598ec567088dcec",
              "status": "affected",
              "version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
              "versionType": "git"
            },
            {
              "lessThan": "b150654f74bf0df8e6a7936d5ec51400d9ec06d8",
              "status": "affected",
              "version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/dmar.c",
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix suspicious RCU usage\n\nCommit \u003cd74169ceb0d2\u003e (\"iommu/vt-d: Allocate DMAR fault interrupts\nlocally\") moved the call to enable_drhd_fault_handling() to a code\npath that does not hold any lock while traversing the drhd list. Fix\nit by ensuring the dmar_global_lock lock is held when traversing the\ndrhd list.\n\nWithout this fix, the following warning is triggered:\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3 #55 Not tainted\n -----------------------------\n drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!\n               other info that might help us debug this:\n               rcu_scheduler_active = 1, debug_locks = 1\n 2 locks held by cpuhp/1/23:\n #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n stack backtrace:\n CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0xb7/0xd0\n  lockdep_rcu_suspicious+0x159/0x1f0\n  ? __pfx_enable_drhd_fault_handling+0x10/0x10\n  enable_drhd_fault_handling+0x151/0x180\n  cpuhp_invoke_callback+0x1df/0x990\n  cpuhp_thread_fun+0x1ea/0x2c0\n  smpboot_thread_fn+0x1f5/0x2e0\n  ? __pfx_smpboot_thread_fn+0x10/0x10\n  kthread+0x12a/0x2d0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x4a/0x60\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  \u003c/TASK\u003e\n\nHolding the lock in enable_drhd_fault_handling() triggers a lockdep splat\nabout a possible deadlock between dmar_global_lock and cpu_hotplug_lock.\nThis is avoided by not holding dmar_global_lock when calling\niommu_device_register(), which initiates the device probe process."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:02.780Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4117c72938493a77ab53cc4b8284be8fb6ec8065"
        },
        {
          "url": "https://git.kernel.org/stable/c/c603ccbe91d189849e1439134598ec567088dcec"
        },
        {
          "url": "https://git.kernel.org/stable/c/b150654f74bf0df8e6a7936d5ec51400d9ec06d8"
        }
      ],
      "title": "iommu/vt-d: Fix suspicious RCU usage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21876",
    "datePublished": "2025-03-27T14:57:06.802Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:23:02.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52925 (GCVE-0-2023-52925)

Vulnerability from cvelistv5

Published

2025-02-05 09:07

Modified

2025-05-04 12:49

Severity ?

6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.

References

►

URL

Tags

	https://git.kernel.org/stable/c/891ca5dfe3b718b441fc786014a7ba8f517da188
	https://git.kernel.org/stable/c/af78b0489e8898a8c9449ffc0fdd2e181916f0d4
	https://git.kernel.org/stable/c/59ee68c437c562170265194a99698c805a686bb3
	https://git.kernel.org/stable/c/156369a702c33ad5434a19c3a689bfb836d4e0b8
	https://git.kernel.org/stable/c/7845914f45f066497ac75b30c50dbc735e84e884

Impacted products

Vendor

Product

Version

►

Linux

Version: b15ea4017af82011dd55225ce77cce3d4dfc169c
Version: 7c7e658a36f8b1522bd3586d8137e5f93a25ddc5
Version: 59dab3bf0b8fc08eb802721c0532f13dd89209b8
Version: bd156ce9553dcaf2d6ee2c825d1a5a1718e86524
Version: 24138933b97b055d486e8064b4a1721702442a9b
Version: 94313a196b44184b5b52c1876da6a537701b425a
Version: 1da4874d05da1526b11b82fc7f3c7ac38749ddf8

Linux

Version: 6.4.11 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.2,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52925",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T15:12:24.648776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-06T15:12:27.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "891ca5dfe3b718b441fc786014a7ba8f517da188",
              "status": "affected",
              "version": "b15ea4017af82011dd55225ce77cce3d4dfc169c",
              "versionType": "git"
            },
            {
              "lessThan": "af78b0489e8898a8c9449ffc0fdd2e181916f0d4",
              "status": "affected",
              "version": "7c7e658a36f8b1522bd3586d8137e5f93a25ddc5",
              "versionType": "git"
            },
            {
              "lessThan": "59ee68c437c562170265194a99698c805a686bb3",
              "status": "affected",
              "version": "59dab3bf0b8fc08eb802721c0532f13dd89209b8",
              "versionType": "git"
            },
            {
              "lessThan": "156369a702c33ad5434a19c3a689bfb836d4e0b8",
              "status": "affected",
              "version": "bd156ce9553dcaf2d6ee2c825d1a5a1718e86524",
              "versionType": "git"
            },
            {
              "lessThan": "7845914f45f066497ac75b30c50dbc735e84e884",
              "status": "affected",
              "version": "24138933b97b055d486e8064b4a1721702442a9b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "94313a196b44184b5b52c1876da6a537701b425a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1da4874d05da1526b11b82fc7f3c7ac38749ddf8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.4.12",
              "status": "affected",
              "version": "6.4.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.12",
                  "versionStartIncluding": "6.4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.316",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.262",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don\u0027t fail inserts if duplicate has expired\n\nnftables selftests fail:\nrun-tests.sh testcases/sets/0044interval_overlap_0\nExpected: 0-2 . 0-3, got:\nW: [FAILED]     ./testcases/sets/0044interval_overlap_0: got 1\n\nInsertion must ignore duplicate but expired entries.\n\nMoreover, there is a strange asymmetry in nft_pipapo_activate:\n\nIt refetches the current element, whereas the other -\u003eactivate callbacks\n(bitmap, hash, rhash, rbtree) use elem-\u003epriv.\nSame for .remove: other set implementations take elem-\u003epriv,\nnft_pipapo_remove fetches elem-\u003epriv, then does a relookup,\nremove this.\n\nI suspect this was the reason for the change that prompted the\nremoval of the expired check in pipapo_get() in the first place,\nbut skipping exired elements there makes no sense to me, this helper\nis used for normal get requests, insertions (duplicate check)\nand deactivate callback.\n\nIn first two cases expired elements must be skipped.\n\nFor -\u003edeactivate(), this gets called for DELSETELEM, so it\nseems to me that expired elements should be skipped as well, i.e.\ndelete request should fail with -ENOENT error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:49:52.404Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/891ca5dfe3b718b441fc786014a7ba8f517da188"
        },
        {
          "url": "https://git.kernel.org/stable/c/af78b0489e8898a8c9449ffc0fdd2e181916f0d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/59ee68c437c562170265194a99698c805a686bb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/156369a702c33ad5434a19c3a689bfb836d4e0b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/7845914f45f066497ac75b30c50dbc735e84e884"
        }
      ],
      "title": "netfilter: nf_tables: don\u0027t fail inserts if duplicate has expired",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52925",
    "datePublished": "2025-02-05T09:07:56.434Z",
    "dateReserved": "2024-08-21T06:07:11.018Z",
    "dateUpdated": "2025-05-04T12:49:52.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57947 (GCVE-0-2024-57947)

Vulnerability from cvelistv5

Published

2025-01-23 13:54

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo: fix initial map fill The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough.

References

►

URL

Tags

	https://git.kernel.org/stable/c/957a4d1c4c5849e4515c9fb4db21bf85318103dc
	https://git.kernel.org/stable/c/9625c46ce6fd4f922595a4b32b1de5066d70464f
	https://git.kernel.org/stable/c/69b6a67f7052905e928d75a0c5871de50e686986
	https://git.kernel.org/stable/c/8058c88ac0df21239daee54b5934d5c80ca9685f
	https://git.kernel.org/stable/c/791a615b7ad2258c560f91852be54b0480837c93

Impacted products

Vendor

Product

Version

►

Linux

Version: 3c4287f62044a90e73a561aa05fc46e62da173da
Version: 3c4287f62044a90e73a561aa05fc46e62da173da
Version: 3c4287f62044a90e73a561aa05fc46e62da173da
Version: 3c4287f62044a90e73a561aa05fc46e62da173da
Version: 3c4287f62044a90e73a561aa05fc46e62da173da

Linux

Version: 5.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo.c",
            "net/netfilter/nft_set_pipapo.h",
            "net/netfilter/nft_set_pipapo_avx2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "957a4d1c4c5849e4515c9fb4db21bf85318103dc",
              "status": "affected",
              "version": "3c4287f62044a90e73a561aa05fc46e62da173da",
              "versionType": "git"
            },
            {
              "lessThan": "9625c46ce6fd4f922595a4b32b1de5066d70464f",
              "status": "affected",
              "version": "3c4287f62044a90e73a561aa05fc46e62da173da",
              "versionType": "git"
            },
            {
              "lessThan": "69b6a67f7052905e928d75a0c5871de50e686986",
              "status": "affected",
              "version": "3c4287f62044a90e73a561aa05fc46e62da173da",
              "versionType": "git"
            },
            {
              "lessThan": "8058c88ac0df21239daee54b5934d5c80ca9685f",
              "status": "affected",
              "version": "3c4287f62044a90e73a561aa05fc46e62da173da",
              "versionType": "git"
            },
            {
              "lessThan": "791a615b7ad2258c560f91852be54b0480837c93",
              "status": "affected",
              "version": "3c4287f62044a90e73a561aa05fc46e62da173da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_set_pipapo.c",
            "net/netfilter/nft_set_pipapo.h",
            "net/netfilter/nft_set_pipapo_avx2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.165",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.103",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo: fix initial map fill\n\nThe initial buffer has to be inited to all-ones, but it must restrict\nit to the size of the first field, not the total field size.\n\nAfter each round in the map search step, the result and the fill map\nare swapped, so if we have a set where f-\u003ebsize of the first element\nis smaller than m-\u003ebsize_max, those one-bits are leaked into future\nrounds result map.\n\nThis makes pipapo find an incorrect matching results for sets where\nfirst field size is not the largest.\n\nFollowup patch adds a test case to nft_concat_range.sh selftest script.\n\nThanks to Stefano Brivio for pointing out that we need to zero out\nthe remainder explicitly, only correcting memset() argument isn\u0027t enough."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:17.250Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/957a4d1c4c5849e4515c9fb4db21bf85318103dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9625c46ce6fd4f922595a4b32b1de5066d70464f"
        },
        {
          "url": "https://git.kernel.org/stable/c/69b6a67f7052905e928d75a0c5871de50e686986"
        },
        {
          "url": "https://git.kernel.org/stable/c/8058c88ac0df21239daee54b5934d5c80ca9685f"
        },
        {
          "url": "https://git.kernel.org/stable/c/791a615b7ad2258c560f91852be54b0480837c93"
        }
      ],
      "title": "netfilter: nf_set_pipapo: fix initial map fill",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57947",
    "datePublished": "2025-01-23T13:54:20.267Z",
    "dateReserved": "2025-01-19T11:50:08.380Z",
    "dateUpdated": "2025-05-04T10:07:17.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56718 (GCVE-0-2024-56718)

Vulnerability from cvelistv5

Published

2024-12-29 08:48

Modified

2025-05-04 10:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30

References

►

URL

Tags

	https://git.kernel.org/stable/c/bec2f52866d511e94c1c37cd962e4382b1b1a299
	https://git.kernel.org/stable/c/2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2
	https://git.kernel.org/stable/c/841b1824750d3b8d1dc0a96b14db4418b952abbc
	https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec

Impacted products

Vendor

Product

Version

►

Linux

Version: 541afa10c126b6c22c2a805a559c70cc41fd156e
Version: 541afa10c126b6c22c2a805a559c70cc41fd156e
Version: 541afa10c126b6c22c2a805a559c70cc41fd156e
Version: 541afa10c126b6c22c2a805a559c70cc41fd156e

Linux

Version: 5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bec2f52866d511e94c1c37cd962e4382b1b1a299",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "841b1824750d3b8d1dc0a96b14db4418b952abbc",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            },
            {
              "lessThan": "2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec",
              "status": "affected",
              "version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: protect link down work from execute after lgr freed\n\nlink down work may be scheduled before lgr freed but execute\nafter lgr freed, which may result in crash. So it is need to\nhold a reference before shedule link down work, and put the\nreference after work executed or canceled.\n\nThe relevant crash call stack as follows:\n list_del corruption. prev-\u003enext should be ffffb638c9c0fe20,\n    but was 0000000000000000\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:51!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1\n Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014\n Workqueue: events smc_link_down_work [smc]\n RIP: 0010:__list_del_entry_valid.cold+0x31/0x47\n RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086\n RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000\n RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38\n R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002\n R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0\n FS:  0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  rwsem_down_write_slowpath+0x17e/0x470\n  smc_link_down_work+0x3c/0x60 [smc]\n  process_one_work+0x1ac/0x350\n  worker_thread+0x49/0x2f0\n  ? rescuer_thread+0x360/0x360\n  kthread+0x118/0x140\n  ? __kthread_bind_mask+0x60/0x60\n  ret_from_fork+0x1f/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:15.766Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bec2f52866d511e94c1c37cd962e4382b1b1a299"
        },
        {
          "url": "https://git.kernel.org/stable/c/2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/841b1824750d3b8d1dc0a96b14db4418b952abbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec"
        }
      ],
      "title": "net/smc: protect link down work from execute after lgr freed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56718",
    "datePublished": "2024-12-29T08:48:50.740Z",
    "dateReserved": "2024-12-27T15:00:39.858Z",
    "dateUpdated": "2025-05-04T10:03:15.766Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49924 (GCVE-0-2024-49924)

Vulnerability from cvelistv5

Published

2024-10-21 18:01

Modified

2025-05-04 09:41

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd
	https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473
	https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae
	https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a
	https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd
	https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370
	https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08
	https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e
	https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:39:57.349772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:48:44.187Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/pxafb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6d0a07f68b66269e167def6c0b90a219cd3e7473",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e6897e299f57b103e999e62010b88e363b3eebae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4cda484e584be34d55ee17436ebf7ad11922b97a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3c0d416eb4bef705f699213cee94bf54b6acdacd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fdda354f60a576d52dcf90351254714681df4370",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aaadc0cb05c999ccd8898a03298b7e5c31509b08",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a3a855764dbacbdb1cc51e15dc588f2d21c93e0e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4a6921095eb04a900e0000da83d9475eb958e61e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/pxafb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.323",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which \u0026fbi-\u003etask is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the \u0026pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi-\u003efb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0                                                CPU1\n\n                                   | pxafb_task\npxafb_remove                       |\nunregister_framebuffer(info)       |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info)               |\n// free fbi-\u003efb                    | set_ctrlr_state(fbi, state)\n                                   | __pxafb_lcd_power(fbi, 0)\n                                   | fbi-\u003elcd_power(on, \u0026fbi-\u003efb.var)\n                                   | //use fbi-\u003efb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:41:22.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e"
        }
      ],
      "title": "fbdev: pxafb: Fix possible use after free in pxafb_task()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49924",
    "datePublished": "2024-10-21T18:01:49.076Z",
    "dateReserved": "2024-10-21T12:17:06.036Z",
    "dateUpdated": "2025-05-04T09:41:22.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53123 (GCVE-0-2024-53123)

Vulnerability from cvelistv5

Published

2024-12-02 13:44

Modified

2025-05-04 13:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: error out earlier on disconnect Eric reported a division by zero splat in the MPTCP protocol: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163 Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8 0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89 RSP: 0018:ffffc900041f7930 EFLAGS: 00010293 RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004 RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67 R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80 R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000 FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493 mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline] mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289 inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885 sock_recvmsg_nosec net/socket.c:1051 [inline] sock_recvmsg+0x1b2/0x250 net/socket.c:1073 __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265 __do_sys_recvfrom net/socket.c:2283 [inline] __se_sys_recvfrom net/socket.c:2279 [inline] __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb5d857559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559 RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000 R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef and provided a nice reproducer. The root cause is the current bad handling of racing disconnect. After the blamed commit below, sk_wait_data() can return (with error) with the underlying socket disconnected and a zero rcv_mss. Catch the error and return without performing any additional operations on the current socket.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a749b23059b43a9b1787eb36c5d9d44150a34238
	https://git.kernel.org/stable/c/a66805c9b22caf4e42af7a616f6c6b83c90d1010
	https://git.kernel.org/stable/c/955388e1d5d222c4101c596b536d41b91a8b212e
	https://git.kernel.org/stable/c/581302298524e9d77c4c44ff5156a6cd112227ae

Impacted products

Vendor

Product

Version

►

Linux

Version: ec9bc89a018842006d63f6545c50768e79bd89f8
Version: 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2
Version: 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2
Version: 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2
Version: 30fa7600e0580cabbbc50e1c94b5609a85469809

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a749b23059b43a9b1787eb36c5d9d44150a34238",
              "status": "affected",
              "version": "ec9bc89a018842006d63f6545c50768e79bd89f8",
              "versionType": "git"
            },
            {
              "lessThan": "a66805c9b22caf4e42af7a616f6c6b83c90d1010",
              "status": "affected",
              "version": "419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2",
              "versionType": "git"
            },
            {
              "lessThan": "955388e1d5d222c4101c596b536d41b91a8b212e",
              "status": "affected",
              "version": "419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2",
              "versionType": "git"
            },
            {
              "lessThan": "581302298524e9d77c4c44ff5156a6cd112227ae",
              "status": "affected",
              "version": "419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "30fa7600e0580cabbbc50e1c94b5609a85469809",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.119",
                  "versionStartIncluding": "6.1.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.63",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: error out earlier on disconnect\n\nEric reported a division by zero splat in the MPTCP protocol:\n\nOops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted\n6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0\nHardware name: Google Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nRIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163\nCode: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8\n0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 \u003cf7\u003e 7c\n24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89\nRSP: 0018:ffffc900041f7930 EFLAGS: 00010293\nRAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b\nRDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004\nRBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67\nR10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80\nR13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000\nFS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n__tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493\nmptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline]\nmptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289\ninet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885\nsock_recvmsg_nosec net/socket.c:1051 [inline]\nsock_recvmsg+0x1b2/0x250 net/socket.c:1073\n__sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265\n__do_sys_recvfrom net/socket.c:2283 [inline]\n__se_sys_recvfrom net/socket.c:2279 [inline]\n__x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7feb5d857559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559\nRDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000\nR10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c\nR13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef\n\nand provided a nice reproducer.\n\nThe root cause is the current bad handling of racing disconnect.\nAfter the blamed commit below, sk_wait_data() can return (with\nerror) with the underlying socket disconnected and a zero rcv_mss.\n\nCatch the error and return without performing any additional\noperations on the current socket."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:28.432Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a749b23059b43a9b1787eb36c5d9d44150a34238"
        },
        {
          "url": "https://git.kernel.org/stable/c/a66805c9b22caf4e42af7a616f6c6b83c90d1010"
        },
        {
          "url": "https://git.kernel.org/stable/c/955388e1d5d222c4101c596b536d41b91a8b212e"
        },
        {
          "url": "https://git.kernel.org/stable/c/581302298524e9d77c4c44ff5156a6cd112227ae"
        }
      ],
      "title": "mptcp: error out earlier on disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53123",
    "datePublished": "2024-12-02T13:44:53.598Z",
    "dateReserved": "2024-11-19T17:17:24.994Z",
    "dateUpdated": "2025-05-04T13:00:28.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57999 (GCVE-0-2024-57999)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing. These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range. The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100 LR [c00000000005e830] iommu_init_table+0x80/0x1e0 Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable) [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net] [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18 There are 2 issues in the code 1. The index is "int" while the address is "unsigned long". This results in negative value when setting the bitmap. 2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit address). MMIO address needs to be page shifted as well.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7043d58ecd1381674f5b2c894deb6986a1a4896b
	https://git.kernel.org/stable/c/d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9
	https://git.kernel.org/stable/c/8f70caad82e9c088ed93b4fea48d941ab6441886

Impacted products

Vendor

Product

Version

►

Linux

Version: 3c33066a21903076722a2881556a92aa3cd7d359
Version: 3c33066a21903076722a2881556a92aa3cd7d359
Version: 3c33066a21903076722a2881556a92aa3cd7d359

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/iommu.c",
            "arch/powerpc/platforms/pseries/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7043d58ecd1381674f5b2c894deb6986a1a4896b",
              "status": "affected",
              "version": "3c33066a21903076722a2881556a92aa3cd7d359",
              "versionType": "git"
            },
            {
              "lessThan": "d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9",
              "status": "affected",
              "version": "3c33066a21903076722a2881556a92aa3cd7d359",
              "versionType": "git"
            },
            {
              "lessThan": "8f70caad82e9c088ed93b4fea48d941ab6441886",
              "status": "affected",
              "version": "3c33066a21903076722a2881556a92aa3cd7d359",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/iommu.c",
            "arch/powerpc/platforms/pseries/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW\n\nPower Hypervisor can possibily allocate MMIO window intersecting with\nDynamic DMA Window (DDW) range, which is over 32-bit addressing.\n\nThese MMIO pages needs to be marked as reserved so that IOMMU doesn\u0027t map\nDMA buffers in this range.\n\nThe current code is not marking these pages correctly which is resulting\nin LPAR to OOPS while booting. The stack is at below\n\nBUG: Unable to handle kernel data access on read at 0xc00800005cd40000\nFaulting instruction address: 0xc00000000005cdac\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod\nSupported: Yes, External\nCPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b\nHardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries\nWorkqueue: events work_for_cpu_fn\nNIP:  c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000\nREGS: c00001400c9ff770 TRAP: 0300   Not tainted  (6.4.0-150600.23.14-default)\nMSR:  800000000280b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e  CR: 24228448  XER: 00000001\nCFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0\nGPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800\nGPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000\nGPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff\nGPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000\nGPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800\nGPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b\nGPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8\nGPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800\nNIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100\nLR [c00000000005e830] iommu_init_table+0x80/0x1e0\nCall Trace:\n[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)\n[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40\n[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230\n[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90\n[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80\n[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]\n[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110\n[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60\n[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620\n[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620\n[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150\n[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18\n\nThere are 2 issues in the code\n\n1. The index is \"int\" while the address is \"unsigned long\". This results in\n   negative value when setting the bitmap.\n\n2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit\n   address). MMIO address needs to be page shifted as well."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:04.729Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7043d58ecd1381674f5b2c894deb6986a1a4896b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f70caad82e9c088ed93b4fea48d941ab6441886"
        }
      ],
      "title": "powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57999",
    "datePublished": "2025-02-27T02:07:18.570Z",
    "dateReserved": "2025-02-27T02:04:28.915Z",
    "dateUpdated": "2025-05-04T10:08:04.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58020 (GCVE-0-2024-58020)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 13:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt_input_configured() is not checked. Add NULL check in mt_input_configured(), to handle kernel NULL pointer dereference error.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a04d96ef67a42165f93194eef22a270acba4b74c
	https://git.kernel.org/stable/c/a6bfd3856e9f3da083f177753c623d58ba935e0a
	https://git.kernel.org/stable/c/2052b44cd0a62b6fdbe3371e5ba6029c56c400ca
	https://git.kernel.org/stable/c/4e7113f591163d99adc7cbcd7295030c8c5d3fc7
	https://git.kernel.org/stable/c/62f8bf06262b6fc55c58f4c5256140f1382f3b01
	https://git.kernel.org/stable/c/aa879ef6d3acf96fa2c7122d0632061d4ea58d48
	https://git.kernel.org/stable/c/97c09cc2e72769edb6994b531edcfa313b96bade
	https://git.kernel.org/stable/c/9b8e2220d3a052a690b1d1b23019673e612494c5

Impacted products

Vendor

Product

Version

►

Linux

Version: df7ca43fe090e1a56c216c8ebc106ef5fd49afc6
Version: 15ec7cb55e7d88755aa01d44a7a1015a42bfce86
Version: dde88ab4e45beb60b217026207aa9c14c88d71ab
Version: 2763732ec1e68910719c75b6b896e11b6d3d622b
Version: 4794394635293a3e74591351fff469cea7ad15a2
Version: 4794394635293a3e74591351fff469cea7ad15a2
Version: 4794394635293a3e74591351fff469cea7ad15a2
Version: 4794394635293a3e74591351fff469cea7ad15a2
Version: ac0d389402a6ff9ad92cea02c2d8c711483b91ab
Version: 39c70c19456e50dcb3abfe53539220dff0490f1d
Version: 1d7833db9fd118415dace2ca157bfa603dec9c8c
Version: b70ac7849248ec8128fa12f86e3655ba38838f29

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-multitouch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a04d96ef67a42165f93194eef22a270acba4b74c",
              "status": "affected",
              "version": "df7ca43fe090e1a56c216c8ebc106ef5fd49afc6",
              "versionType": "git"
            },
            {
              "lessThan": "a6bfd3856e9f3da083f177753c623d58ba935e0a",
              "status": "affected",
              "version": "15ec7cb55e7d88755aa01d44a7a1015a42bfce86",
              "versionType": "git"
            },
            {
              "lessThan": "2052b44cd0a62b6fdbe3371e5ba6029c56c400ca",
              "status": "affected",
              "version": "dde88ab4e45beb60b217026207aa9c14c88d71ab",
              "versionType": "git"
            },
            {
              "lessThan": "4e7113f591163d99adc7cbcd7295030c8c5d3fc7",
              "status": "affected",
              "version": "2763732ec1e68910719c75b6b896e11b6d3d622b",
              "versionType": "git"
            },
            {
              "lessThan": "62f8bf06262b6fc55c58f4c5256140f1382f3b01",
              "status": "affected",
              "version": "4794394635293a3e74591351fff469cea7ad15a2",
              "versionType": "git"
            },
            {
              "lessThan": "aa879ef6d3acf96fa2c7122d0632061d4ea58d48",
              "status": "affected",
              "version": "4794394635293a3e74591351fff469cea7ad15a2",
              "versionType": "git"
            },
            {
              "lessThan": "97c09cc2e72769edb6994b531edcfa313b96bade",
              "status": "affected",
              "version": "4794394635293a3e74591351fff469cea7ad15a2",
              "versionType": "git"
            },
            {
              "lessThan": "9b8e2220d3a052a690b1d1b23019673e612494c5",
              "status": "affected",
              "version": "4794394635293a3e74591351fff469cea7ad15a2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ac0d389402a6ff9ad92cea02c2d8c711483b91ab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "39c70c19456e50dcb3abfe53539220dff0490f1d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1d7833db9fd118415dace2ca157bfa603dec9c8c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b70ac7849248ec8128fa12f86e3655ba38838f29",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-multitouch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.257",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.132",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.326",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.295",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Add NULL check in mt_input_configured\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in mt_input_configured() is not checked.\nAdd NULL check in mt_input_configured(), to handle kernel NULL\npointer dereference error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:50.957Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a04d96ef67a42165f93194eef22a270acba4b74c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6bfd3856e9f3da083f177753c623d58ba935e0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2052b44cd0a62b6fdbe3371e5ba6029c56c400ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e7113f591163d99adc7cbcd7295030c8c5d3fc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/62f8bf06262b6fc55c58f4c5256140f1382f3b01"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa879ef6d3acf96fa2c7122d0632061d4ea58d48"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c09cc2e72769edb6994b531edcfa313b96bade"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b8e2220d3a052a690b1d1b23019673e612494c5"
        }
      ],
      "title": "HID: multitouch: Add NULL check in mt_input_configured",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58020",
    "datePublished": "2025-02-27T02:18:10.081Z",
    "dateReserved": "2025-02-27T02:10:48.228Z",
    "dateUpdated": "2025-05-04T13:01:50.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56751 (GCVE-0-2024-56751)

Vulnerability from cvelistv5

Published

2024-12-29 11:30

Modified

2025-05-04 10:03

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: release nexthop on device removal The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test: unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6 ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at dst_init+0x84/0x4a0 dst_alloc+0x97/0x150 ip6_dst_alloc+0x23/0x90 ip6_rt_pcpu_alloc+0x1e6/0x520 ip6_pol_route+0x56f/0x840 fib6_rule_lookup+0x334/0x630 ip6_route_output_flags+0x259/0x480 ip6_dst_lookup_tail.constprop.0+0x5c2/0x940 ip6_dst_lookup_flow+0x88/0x190 udp_tunnel6_dst_lookup+0x2a7/0x4c0 vxlan_xmit_one+0xbde/0x4a50 [vxlan] vxlan_xmit+0x9ad/0xf20 [vxlan] dev_hard_start_xmit+0x10e/0x360 __dev_queue_xmit+0xf95/0x18c0 arp_solicit+0x4a2/0xe00 neigh_probe+0xaa/0xf0 While the first suspect is the dst_cache, explicitly tracking the dst owing the last device reference via probes proved such dst is held by the nexthop in the originating fib6_info. Similar to commit f5b51fe804ec ("ipv6: route: purge exception on removal"), we need to explicitly release the originating fib info when disconnecting a to-be-removed device from a live ipv6 dst: move the fib6_info cleanup into ip6_dst_ifdown(). Tested running: ./pmtu.sh cleanup_ipv6_exception in a tight loop for more than 400 iterations with no spat, running an unpatched kernel I observed a splat every ~10 iterations.

References

►

URL

Tags

	https://git.kernel.org/stable/c/77aa9855a878fb43f547ddfbda3127a1e88ad31a
	https://git.kernel.org/stable/c/b2f26a27ea3f72f75d18330f76f5d1007c791848
	https://git.kernel.org/stable/c/43e25adc80269f917d2a195f0d59f74cdd182955
	https://git.kernel.org/stable/c/a3c3f8a4d025acc8c857246ec2b812c59102487a
	https://git.kernel.org/stable/c/0e4c6faaef8a24b762a24ffb767280e263ef8e10
	https://git.kernel.org/stable/c/eb02688c5c45c3e7af7e71f036a7144f5639cbfe

Impacted products

Vendor

Product

Version

►

Linux

Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74

Linux

Version: 5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77aa9855a878fb43f547ddfbda3127a1e88ad31a",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            },
            {
              "lessThan": "b2f26a27ea3f72f75d18330f76f5d1007c791848",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            },
            {
              "lessThan": "43e25adc80269f917d2a195f0d59f74cdd182955",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            },
            {
              "lessThan": "a3c3f8a4d025acc8c857246ec2b812c59102487a",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            },
            {
              "lessThan": "0e4c6faaef8a24b762a24ffb767280e263ef8e10",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            },
            {
              "lessThan": "eb02688c5c45c3e7af7e71f036a7144f5639cbfe",
              "status": "affected",
              "version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: release nexthop on device removal\n\nThe CI is hitting some aperiodic hangup at device removal time in the\npmtu.sh self-test:\n\nunregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6\nref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at\n\tdst_init+0x84/0x4a0\n\tdst_alloc+0x97/0x150\n\tip6_dst_alloc+0x23/0x90\n\tip6_rt_pcpu_alloc+0x1e6/0x520\n\tip6_pol_route+0x56f/0x840\n\tfib6_rule_lookup+0x334/0x630\n\tip6_route_output_flags+0x259/0x480\n\tip6_dst_lookup_tail.constprop.0+0x5c2/0x940\n\tip6_dst_lookup_flow+0x88/0x190\n\tudp_tunnel6_dst_lookup+0x2a7/0x4c0\n\tvxlan_xmit_one+0xbde/0x4a50 [vxlan]\n\tvxlan_xmit+0x9ad/0xf20 [vxlan]\n\tdev_hard_start_xmit+0x10e/0x360\n\t__dev_queue_xmit+0xf95/0x18c0\n\tarp_solicit+0x4a2/0xe00\n\tneigh_probe+0xaa/0xf0\n\nWhile the first suspect is the dst_cache, explicitly tracking the dst\nowing the last device reference via probes proved such dst is held by\nthe nexthop in the originating fib6_info.\n\nSimilar to commit f5b51fe804ec (\"ipv6: route: purge exception on\nremoval\"), we need to explicitly release the originating fib info when\ndisconnecting a to-be-removed device from a live ipv6 dst: move the\nfib6_info cleanup into ip6_dst_ifdown().\n\nTested running:\n\n./pmtu.sh cleanup_ipv6_exception\n\nin a tight loop for more than 400 iterations with no spat, running an\nunpatched kernel  I observed a splat every ~10 iterations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:03:52.312Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77aa9855a878fb43f547ddfbda3127a1e88ad31a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2f26a27ea3f72f75d18330f76f5d1007c791848"
        },
        {
          "url": "https://git.kernel.org/stable/c/43e25adc80269f917d2a195f0d59f74cdd182955"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3c3f8a4d025acc8c857246ec2b812c59102487a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e4c6faaef8a24b762a24ffb767280e263ef8e10"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb02688c5c45c3e7af7e71f036a7144f5639cbfe"
        }
      ],
      "title": "ipv6: release nexthop on device removal",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56751",
    "datePublished": "2024-12-29T11:30:16.805Z",
    "dateReserved": "2024-12-29T11:26:39.759Z",
    "dateUpdated": "2025-05-04T10:03:52.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58086 (GCVE-0-2024-58086)

Vulnerability from cvelistv5

Published

2025-03-06 16:28

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop active perfmon if it is being destroyed If the active performance monitor (`v3d->active_perfmon`) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the `v3d->active_perfmon` pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed").

References

►

URL

Tags

	https://git.kernel.org/stable/c/22e19c8c5f6b709f4ae40227392a30d57bac187d
	https://git.kernel.org/stable/c/95036d4c01167568166108d42c2b0e9f8dbd7d2b
	https://git.kernel.org/stable/c/eb0e0eca0eab93f310c6c37b8564049366704691
	https://git.kernel.org/stable/c/1c5673a2c8926adbb61f340c779b28e18188a8cd
	https://git.kernel.org/stable/c/f8805b12f477bd964e2820a87921c7b58cc2dee3
	https://git.kernel.org/stable/c/21f1435b1e6b012a07c42f36b206d2b66fc8f13b

Impacted products

Vendor

Product

Version

►

Linux

Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_perfmon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22e19c8c5f6b709f4ae40227392a30d57bac187d",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            },
            {
              "lessThan": "95036d4c01167568166108d42c2b0e9f8dbd7d2b",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            },
            {
              "lessThan": "eb0e0eca0eab93f310c6c37b8564049366704691",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            },
            {
              "lessThan": "1c5673a2c8926adbb61f340c779b28e18188a8cd",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            },
            {
              "lessThan": "f8805b12f477bd964e2820a87921c7b58cc2dee3",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            },
            {
              "lessThan": "21f1435b1e6b012a07c42f36b206d2b66fc8f13b",
              "status": "affected",
              "version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/v3d/v3d_perfmon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop active perfmon if it is being destroyed\n\nIf the active performance monitor (`v3d-\u003eactive_perfmon`) is being\ndestroyed, stop it first. Currently, the active perfmon is not\nstopped during destruction, leaving the `v3d-\u003eactive_perfmon` pointer\nstale. This can lead to undefined behavior and instability.\n\nThis patch ensures that the active perfmon is stopped before being\ndestroyed, aligning with the behavior introduced in commit\n7d1fd3638ee3 (\"drm/v3d: Stop the active perfmon before being destroyed\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:45.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22e19c8c5f6b709f4ae40227392a30d57bac187d"
        },
        {
          "url": "https://git.kernel.org/stable/c/95036d4c01167568166108d42c2b0e9f8dbd7d2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb0e0eca0eab93f310c6c37b8564049366704691"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c5673a2c8926adbb61f340c779b28e18188a8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8805b12f477bd964e2820a87921c7b58cc2dee3"
        },
        {
          "url": "https://git.kernel.org/stable/c/21f1435b1e6b012a07c42f36b206d2b66fc8f13b"
        }
      ],
      "title": "drm/v3d: Stop active perfmon if it is being destroyed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58086",
    "datePublished": "2025-03-06T16:28:23.042Z",
    "dateReserved": "2025-03-06T15:52:09.184Z",
    "dateUpdated": "2025-05-04T10:09:45.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21681 (GCVE-0-2025-21681)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well.

References

►

URL

Tags

	https://git.kernel.org/stable/c/b5c73fc92f8d15c16e5dc87b5c17d2abf1e6d092
	https://git.kernel.org/stable/c/87fcf0d137c770e6040ebfdb0abd8e7dd481b504
	https://git.kernel.org/stable/c/930268823f6bccb697aa5d2047aeffd4a497308c
	https://git.kernel.org/stable/c/ea9e990356b7bee95440ba0e6e83cc4d701afaca
	https://git.kernel.org/stable/c/ea966b6698785fb9cd0fdb867acd91b222e4723f
	https://git.kernel.org/stable/c/82f433e8dd0629e16681edf6039d094b5518d8ed
	https://git.kernel.org/stable/c/47e55e4b410f7d552e43011baa5be1aab4093990

Impacted products

Vendor

Product

Version

►

Linux

Version: 9b0dd09c1ceb35950d2884848099fccc9ec9a123
Version: 284be5db6c8d06d247ed056cfc448c4f79bbb16c
Version: 5efcb301523baacd98a47553d4996e924923114d
Version: 644b3051b06ba465bc7401bfae9b14963cbc8c1c
Version: 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8
Version: 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8
Version: 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8
Version: 56252da41426f3d01957456f13caf46ce670ea29

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5c73fc92f8d15c16e5dc87b5c17d2abf1e6d092",
              "status": "affected",
              "version": "9b0dd09c1ceb35950d2884848099fccc9ec9a123",
              "versionType": "git"
            },
            {
              "lessThan": "87fcf0d137c770e6040ebfdb0abd8e7dd481b504",
              "status": "affected",
              "version": "284be5db6c8d06d247ed056cfc448c4f79bbb16c",
              "versionType": "git"
            },
            {
              "lessThan": "930268823f6bccb697aa5d2047aeffd4a497308c",
              "status": "affected",
              "version": "5efcb301523baacd98a47553d4996e924923114d",
              "versionType": "git"
            },
            {
              "lessThan": "ea9e990356b7bee95440ba0e6e83cc4d701afaca",
              "status": "affected",
              "version": "644b3051b06ba465bc7401bfae9b14963cbc8c1c",
              "versionType": "git"
            },
            {
              "lessThan": "ea966b6698785fb9cd0fdb867acd91b222e4723f",
              "status": "affected",
              "version": "066b86787fa3d97b7aefb5ac0a99a22dad2d15f8",
              "versionType": "git"
            },
            {
              "lessThan": "82f433e8dd0629e16681edf6039d094b5518d8ed",
              "status": "affected",
              "version": "066b86787fa3d97b7aefb5ac0a99a22dad2d15f8",
              "versionType": "git"
            },
            {
              "lessThan": "47e55e4b410f7d552e43011baa5be1aab4093990",
              "status": "affected",
              "version": "066b86787fa3d97b7aefb5ac0a99a22dad2d15f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "56252da41426f3d01957456f13caf46ce670ea29",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "6.1.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix lockup on tx to unregistering netdev with carrier\n\nCommit in a fixes tag attempted to fix the issue in the following\nsequence of calls:\n\n    do_output\n    -\u003e ovs_vport_send\n       -\u003e dev_queue_xmit\n          -\u003e __dev_queue_xmit\n             -\u003e netdev_core_pick_tx\n                -\u003e skb_tx_hash\n\nWhen device is unregistering, the \u0027dev-\u003ereal_num_tx_queues\u0027 goes to\nzero and the \u0027while (unlikely(hash \u003e= qcount))\u0027 loop inside the\n\u0027skb_tx_hash\u0027 becomes infinite, locking up the core forever.\n\nBut unfortunately, checking just the carrier status is not enough to\nfix the issue, because some devices may still be in unregistering\nstate while reporting carrier status OK.\n\nOne example of such device is a net/dummy.  It sets carrier ON\non start, but it doesn\u0027t implement .ndo_stop to set the carrier off.\nAnd it makes sense, because dummy doesn\u0027t really have a carrier.\nTherefore, while this device is unregistering, it\u0027s still easy to hit\nthe infinite loop in the skb_tx_hash() from the OVS datapath.  There\nmight be other drivers that do the same, but dummy by itself is\nimportant for the OVS ecosystem, because it is frequently used as a\npacket sink for tcpdump while debugging OVS deployments.  And when the\nissue is hit, the only way to recover is to reboot.\n\nFix that by also checking if the device is running.  The running\nstate is handled by the net core during unregistering, so it covers\nunregistering case better, and we don\u0027t really need to send packets\nto devices that are not running anyway.\n\nWhile only checking the running state might be enough, the carrier\ncheck is preserved.  The running and the carrier states seem disjoined\nthroughout the code and different drivers.  And other core functions\nlike __dev_direct_xmit() check both before attempting to transmit\na packet.  So, it seems safer to check both flags in OVS as well."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:16.064Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5c73fc92f8d15c16e5dc87b5c17d2abf1e6d092"
        },
        {
          "url": "https://git.kernel.org/stable/c/87fcf0d137c770e6040ebfdb0abd8e7dd481b504"
        },
        {
          "url": "https://git.kernel.org/stable/c/930268823f6bccb697aa5d2047aeffd4a497308c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea9e990356b7bee95440ba0e6e83cc4d701afaca"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea966b6698785fb9cd0fdb867acd91b222e4723f"
        },
        {
          "url": "https://git.kernel.org/stable/c/82f433e8dd0629e16681edf6039d094b5518d8ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/47e55e4b410f7d552e43011baa5be1aab4093990"
        }
      ],
      "title": "openvswitch: fix lockup on tx to unregistering netdev with carrier",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21681",
    "datePublished": "2025-01-31T11:25:41.491Z",
    "dateReserved": "2024-12-29T08:45:45.739Z",
    "dateUpdated": "2025-05-04T13:06:16.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58034 (GCVE-0-2024-58034)

Vulnerability from cvelistv5

Published

2025-02-27 20:00

Modified

2025-05-04 10:08

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() As of_find_node_by_name() release the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the "emc-tables" node is always device's child node with the property "nvidia,use-ram-code", and the "lpddr2" node is a child of the "emc-tables" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code. This bug was found by an experimental verification tool that I am developing. [krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]

References

►

URL

Tags

	https://git.kernel.org/stable/c/c3def10c610ae046aaa61d00528e7bd15e4ad8d3
	https://git.kernel.org/stable/c/e9d07e91de140679eeaf275f47ad154467cb9e05
	https://git.kernel.org/stable/c/c144423cb07e4e227a8572d5742ca2b36ada770d
	https://git.kernel.org/stable/c/3b02273446e23961d910b50cc12528faec649fb2
	https://git.kernel.org/stable/c/755e44538c190c31de9090d8e8821d228fcfd416
	https://git.kernel.org/stable/c/b9784e5cde1f9fb83661a70e580e381ae1264d12

Impacted products

Vendor

Product

Version

►

Linux

Version: 96e5da7c842424bcf64afe1082b960b42b96190b
Version: 96e5da7c842424bcf64afe1082b960b42b96190b
Version: 96e5da7c842424bcf64afe1082b960b42b96190b
Version: 96e5da7c842424bcf64afe1082b960b42b96190b
Version: 96e5da7c842424bcf64afe1082b960b42b96190b
Version: 96e5da7c842424bcf64afe1082b960b42b96190b

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58034",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T17:59:56.831079Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T18:07:17.095Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/memory/tegra/tegra20-emc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c3def10c610ae046aaa61d00528e7bd15e4ad8d3",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            },
            {
              "lessThan": "e9d07e91de140679eeaf275f47ad154467cb9e05",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            },
            {
              "lessThan": "c144423cb07e4e227a8572d5742ca2b36ada770d",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            },
            {
              "lessThan": "3b02273446e23961d910b50cc12528faec649fb2",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            },
            {
              "lessThan": "755e44538c190c31de9090d8e8821d228fcfd416",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            },
            {
              "lessThan": "b9784e5cde1f9fb83661a70e580e381ae1264d12",
              "status": "affected",
              "version": "96e5da7c842424bcf64afe1082b960b42b96190b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/memory/tegra/tegra20-emc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()\n\nAs of_find_node_by_name() release the reference of the argument device\nnode, tegra_emc_find_node_by_ram_code() releases some device nodes while\nstill in use, resulting in possible UAFs. According to the bindings and\nthe in-tree DTS files, the \"emc-tables\" node is always device\u0027s child\nnode with the property \"nvidia,use-ram-code\", and the \"lpddr2\" node is a\nchild of the \"emc-tables\" node. Thus utilize the\nfor_each_child_of_node() macro and of_get_child_by_name() instead of\nof_find_node_by_name() to simplify the code.\n\nThis bug was found by an experimental verification tool that I am\ndeveloping.\n\n[krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:41.276Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c3def10c610ae046aaa61d00528e7bd15e4ad8d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9d07e91de140679eeaf275f47ad154467cb9e05"
        },
        {
          "url": "https://git.kernel.org/stable/c/c144423cb07e4e227a8572d5742ca2b36ada770d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b02273446e23961d910b50cc12528faec649fb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/755e44538c190c31de9090d8e8821d228fcfd416"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9784e5cde1f9fb83661a70e580e381ae1264d12"
        }
      ],
      "title": "memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58034",
    "datePublished": "2025-02-27T20:00:52.226Z",
    "dateReserved": "2025-02-27T02:16:34.052Z",
    "dateUpdated": "2025-05-04T10:08:41.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21871 (GCVE-0-2025-21871)

Vulnerability from cvelistv5

Published

2025-03-27 13:38

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application. Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would. This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3eb4911364c764572e9db4ab900a57689a54e8ce
	https://git.kernel.org/stable/c/0180cf0373f84fff61b16f8c062553a13dd7cfca
	https://git.kernel.org/stable/c/c0a9a948159153be145f9471435695373904ee6d
	https://git.kernel.org/stable/c/ec18520f5edc20a00c34a8c9fdd6507c355e880f
	https://git.kernel.org/stable/c/d61cc1a435e6894bfb0dd3370c6f765d2d12825d
	https://git.kernel.org/stable/c/fd9d2d6124c293e40797a080adf8a9c237efd8b8
	https://git.kernel.org/stable/c/21234efe2a8474a6d2d01ea9573319de7858ce44
	https://git.kernel.org/stable/c/70b0d6b0a199c5a3ee6c72f5e61681ed6f759612

Impacted products

Vendor

Product

Version

►

Linux

Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2

Linux

Version: 4.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tee/optee/supp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3eb4911364c764572e9db4ab900a57689a54e8ce",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "0180cf0373f84fff61b16f8c062553a13dd7cfca",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "c0a9a948159153be145f9471435695373904ee6d",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "ec18520f5edc20a00c34a8c9fdd6507c355e880f",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "d61cc1a435e6894bfb0dd3370c6f765d2d12825d",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "fd9d2d6124c293e40797a080adf8a9c237efd8b8",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "21234efe2a8474a6d2d01ea9573319de7858ce44",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            },
            {
              "lessThan": "70b0d6b0a199c5a3ee6c72f5e61681ed6f759612",
              "status": "affected",
              "version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tee/optee/supp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix supplicant wait loop\n\nOP-TEE supplicant is a user-space daemon and it\u0027s possible for it\nbe hung or crashed or killed in the middle of processing an OP-TEE\nRPC call. It becomes more complicated when there is incorrect shutdown\nordering of the supplicant process vs the OP-TEE client application which\ncan eventually lead to system hang-up waiting for the closure of the\nclient application.\n\nAllow the client process waiting in kernel for supplicant response to\nbe killed rather than indefinitely waiting in an unkillable state. Also,\na normal uninterruptible wait should not have resulted in the hung-task\nwatchdog getting triggered, but the endless loop would.\n\nThis fixes issues observed during system reboot/shutdown when supplicant\ngot hung for some reason or gets crashed/killed which lead to client\ngetting hung in an unkillable state. It in turn lead to system being in\nhung up state requiring hard power off/on to recover."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:55.829Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3eb4911364c764572e9db4ab900a57689a54e8ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/0180cf0373f84fff61b16f8c062553a13dd7cfca"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0a9a948159153be145f9471435695373904ee6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec18520f5edc20a00c34a8c9fdd6507c355e880f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d61cc1a435e6894bfb0dd3370c6f765d2d12825d"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd9d2d6124c293e40797a080adf8a9c237efd8b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/21234efe2a8474a6d2d01ea9573319de7858ce44"
        },
        {
          "url": "https://git.kernel.org/stable/c/70b0d6b0a199c5a3ee6c72f5e61681ed6f759612"
        }
      ],
      "title": "tee: optee: Fix supplicant wait loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21871",
    "datePublished": "2025-03-27T13:38:23.461Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:55.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41005 (GCVE-0-2024-41005)

Vulnerability from cvelistv5

Published

2024-07-12 12:44

Modified

2025-05-04 09:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix race condition in netpoll_owner_active KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) <snip> read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) netpoll_send_udp (net/core/netpoll.c:?) <snip> value changed: 0x0000000a -> 0xffffffff This happens because netpoll_owner_active() needs to check if the current CPU is the owner of the lock, touching napi->poll_owner non atomically. The ->poll_owner field contains the current CPU holding the lock. Use an atomic read to check if the poll owner is the current CPU.

References

►

URL

Tags

	https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265
	https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e
	https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c
	https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d
	https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57
	https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:56.066Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41005",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:01:02.203539Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:18.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/netpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "43c0ca793a18578a0f5b305dd77fcf7ed99f1265",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "96826b16ef9c6568d31a1f6ceaa266411a46e46c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f1a155950a1685ffd0fd7175b3f671da8771f3d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a130e7da73ae93afdb4659842267eec734ffbd57",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c2e6a872bde9912f1a7579639c5ca3adf1003916",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/netpoll.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.221",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.221",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.96",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\u003csnip\u003e\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\u003csnip\u003e\n\tvalue changed: 0x0000000a -\u003e 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi-\u003epoll_owner\nnon atomically. The -\u003epoll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:19:54.124Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265"
        },
        {
          "url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916"
        }
      ],
      "title": "netpoll: Fix race condition in netpoll_owner_active",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41005",
    "datePublished": "2024-07-12T12:44:40.467Z",
    "dateReserved": "2024-07-12T12:17:45.610Z",
    "dateUpdated": "2025-05-04T09:19:54.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21636 (GCVE-0-2025-21636)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 07:17

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1dc5da6c4178f3e4b95c631418f72de9f86c0449
	https://git.kernel.org/stable/c/44ee8635922b6eb940faddb961a8347c6857d722
	https://git.kernel.org/stable/c/284a221f8fa503628432c7bb5108277c688c6ffa
	https://git.kernel.org/stable/c/bcf8c60074e81ed2ac2d35130917175a3949c917
	https://git.kernel.org/stable/c/6259d2484d0ceff42245d1f09cc8cb6ee72d847a

Impacted products

Vendor

Product

Version

►

Linux

Version: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105
Version: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105
Version: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105
Version: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105
Version: d1e462a7a5f359cbb9a0e8fbfafcfb6657034105

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1dc5da6c4178f3e4b95c631418f72de9f86c0449",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "44ee8635922b6eb940faddb961a8347c6857d722",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "284a221f8fa503628432c7bb5108277c688c6ffa",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "bcf8c60074e81ed2ac2d35130917175a3949c917",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            },
            {
              "lessThan": "6259d2484d0ceff42245d1f09cc8cb6ee72d847a",
              "status": "affected",
              "version": "d1e462a7a5f359cbb9a0e8fbfafcfb6657034105",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: plpmtud_probe_interval: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, as this is the only\nmember needed from the \u0027net\u0027 structure, but that would increase the size\nof this fix, to use \u0027*data\u0027 everywhere \u0027net-\u003esctp.probe_interval\u0027 is\nused."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:17:57.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1dc5da6c4178f3e4b95c631418f72de9f86c0449"
        },
        {
          "url": "https://git.kernel.org/stable/c/44ee8635922b6eb940faddb961a8347c6857d722"
        },
        {
          "url": "https://git.kernel.org/stable/c/284a221f8fa503628432c7bb5108277c688c6ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcf8c60074e81ed2ac2d35130917175a3949c917"
        },
        {
          "url": "https://git.kernel.org/stable/c/6259d2484d0ceff42245d1f09cc8cb6ee72d847a"
        }
      ],
      "title": "sctp: sysctl: plpmtud_probe_interval: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21636",
    "datePublished": "2025-01-19T10:17:54.576Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-05-04T07:17:57.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21804 (GCVE-0-2025-21804)

Vulnerability from cvelistv5

Published

2025-02-27 20:00

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior. Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows: $ cat /proc/iomem 30000000-37ffffff : 38000000-3fffffff : Sometimes, garbage may appear after the colon. In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack. Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows: $ cat /proc/iomem 30000000-37ffffff : memory2 38000000-3fffffff : memory3 [kwilczynski: commit log]

References

►

URL

Tags

	https://git.kernel.org/stable/c/7a47e14c5fb0b6dba7073be7b0119fb8fe864e01
	https://git.kernel.org/stable/c/6987e021b64cbb49981d140bb72d9d1466f191c4
	https://git.kernel.org/stable/c/24576899c49509c0d533bcf569139f691d8f7af7
	https://git.kernel.org/stable/c/2c54b9fca1755e80a343ccfde0652dc5ea4744b2
	https://git.kernel.org/stable/c/9ff46b0bfeb6e0724a4ace015aa7a0b887cdb7c1
	https://git.kernel.org/stable/c/44708208c2a4b828a57a2abe7799c9d3962e7eaa
	https://git.kernel.org/stable/c/2d2da5a4c1b4509f6f7e5a8db015cd420144beb4

Impacted products

Vendor

Product

Version

►

Linux

Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951
Version: 2a6d0d63d99956a66f6605832f11755d74a41951

Linux

Version: 5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/pcie-rcar-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a47e14c5fb0b6dba7073be7b0119fb8fe864e01",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "6987e021b64cbb49981d140bb72d9d1466f191c4",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "24576899c49509c0d533bcf569139f691d8f7af7",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "2c54b9fca1755e80a343ccfde0652dc5ea4744b2",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "9ff46b0bfeb6e0724a4ace015aa7a0b887cdb7c1",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "44708208c2a4b828a57a2abe7799c9d3962e7eaa",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            },
            {
              "lessThan": "2d2da5a4c1b4509f6f7e5a8db015cd420144beb4",
              "status": "affected",
              "version": "2a6d0d63d99956a66f6605832f11755d74a41951",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/pcie-rcar-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()\n\nThe rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()\nmacro to request a needed resource. A string variable that lives on the\nstack is then used to store a dynamically computed resource name, which\nis then passed on as one of the macro arguments. This can lead to\nundefined behavior.\n\nDepending on the current contents of the memory, the manifestations of\nerrors may vary. One possible output may be as follows:\n\n  $ cat /proc/iomem\n  30000000-37ffffff :\n  38000000-3fffffff :\n\nSometimes, garbage may appear after the colon.\n\nIn very rare cases, if no NULL-terminator is found in memory, the system\nmight crash because the string iterator will overrun which can lead to\naccess of unmapped memory above the stack.\n\nThus, fix this by replacing outbound_name with the name of the previously\nrequested resource. With the changes applied, the output will be as\nfollows:\n\n  $ cat /proc/iomem\n  30000000-37ffffff : memory2\n  38000000-3fffffff : memory3\n\n[kwilczynski: commit log]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:34.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a47e14c5fb0b6dba7073be7b0119fb8fe864e01"
        },
        {
          "url": "https://git.kernel.org/stable/c/6987e021b64cbb49981d140bb72d9d1466f191c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/24576899c49509c0d533bcf569139f691d8f7af7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c54b9fca1755e80a343ccfde0652dc5ea4744b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ff46b0bfeb6e0724a4ace015aa7a0b887cdb7c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/44708208c2a4b828a57a2abe7799c9d3962e7eaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d2da5a4c1b4509f6f7e5a8db015cd420144beb4"
        }
      ],
      "title": "PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21804",
    "datePublished": "2025-02-27T20:00:57.639Z",
    "dateReserved": "2024-12-29T08:45:45.771Z",
    "dateUpdated": "2025-05-04T07:21:34.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58011 (GCVE-0-2024-58011)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Check for adev == NULL Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs. Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().

References

►

URL

Tags

	https://git.kernel.org/stable/c/4f8b210823cc2d1f9d967f089a6c00d025bb237f
	https://git.kernel.org/stable/c/f9c7cc44758f4930b41285a6d54afa8cbd9762b4
	https://git.kernel.org/stable/c/0a30353beca2693d30bde477024d755ffecea514
	https://git.kernel.org/stable/c/a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d
	https://git.kernel.org/stable/c/cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c

Impacted products

Vendor

Product

Version

►

Linux

Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/intel/int3472/discrete.c",
            "drivers/platform/x86/intel/int3472/tps68470.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4f8b210823cc2d1f9d967f089a6c00d025bb237f",
              "status": "affected",
              "version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
              "versionType": "git"
            },
            {
              "lessThan": "f9c7cc44758f4930b41285a6d54afa8cbd9762b4",
              "status": "affected",
              "version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
              "versionType": "git"
            },
            {
              "lessThan": "0a30353beca2693d30bde477024d755ffecea514",
              "status": "affected",
              "version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
              "versionType": "git"
            },
            {
              "lessThan": "a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d",
              "status": "affected",
              "version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
              "versionType": "git"
            },
            {
              "lessThan": "cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c",
              "status": "affected",
              "version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/intel/int3472/discrete.c",
            "drivers/platform/x86/intel/int3472/tps68470.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:22.894Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4f8b210823cc2d1f9d967f089a6c00d025bb237f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9c7cc44758f4930b41285a6d54afa8cbd9762b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a30353beca2693d30bde477024d755ffecea514"
        },
        {
          "url": "https://git.kernel.org/stable/c/a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c"
        }
      ],
      "title": "platform/x86: int3472: Check for adev == NULL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58011",
    "datePublished": "2025-02-27T02:12:05.675Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-04T10:08:22.894Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-29087 (GCVE-0-2025-29087)

Vulnerability from cvelistv5

Published

2025-04-07 00:00

Modified

2025-04-15 15:14

Severity ?

3.2 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-190 - Integer Overflow or Wraparound

Summary

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

References

►

URL

Tags

	https://www.sqlite.org/cves.html
	https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a
	https://sqlite.org/releaselog/3_49_1.html

Impacted products

	Vendor	Product	Version
	SQLite	SQLite	Version: 3.44.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29087",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-08T13:27:16.707351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T15:14:39.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SQLite",
          "vendor": "SQLite",
          "versions": [
            {
              "lessThan": "3.49.1",
              "status": "affected",
              "version": "3.44.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.49.1",
                  "versionStartIncluding": "3.44.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-14T13:34:42.160Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.sqlite.org/cves.html"
        },
        {
          "url": "https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a"
        },
        {
          "url": "https://sqlite.org/releaselog/3_49_1.html"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-29087",
    "datePublished": "2025-04-07T00:00:00.000Z",
    "dateReserved": "2025-03-11T00:00:00.000Z",
    "dateUpdated": "2025-04-15T15:14:39.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-31115 (GCVE-0-2025-31115)

Vulnerability from cvelistv5

Published

2025-04-03 16:57

Modified

2025-04-03 20:03

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-366 - Race Condition within a Thread
CWE-416 - Use After Free
CWE-476 - NULL Pointer Dereference
CWE-826 - Premature Release of Resource During Expected Lifetime

Summary

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

References

►

URL

Tags

	https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2	x_refsource_CONFIRM
	https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480	x_refsource_MISC
	https://tukaani.org/xz/xz-cve-2025-31115.patch	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tukaani-project	xz	Version: >= 5.3.3alpha, < 5.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-03T17:57:35.541572Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-03T17:58:59.148Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-03T20:03:09.458Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/03/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/03/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/03/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xz",
          "vendor": "tukaani-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.3.3alpha, \u003c 5.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-366",
              "description": "CWE-366: Race Condition within a Thread",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-826",
              "description": "CWE-826: Premature Release of Resource During Expected Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-03T16:57:05.488Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2"
        },
        {
          "name": "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480"
        },
        {
          "name": "https://tukaani.org/xz/xz-cve-2025-31115.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://tukaani.org/xz/xz-cve-2025-31115.patch"
        }
      ],
      "source": {
        "advisory": "GHSA-6cc8-p5mm-29w2",
        "discovery": "UNKNOWN"
      },
      "title": "XZ has a heap-use-after-free bug in threaded .xz decoder"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-31115",
    "datePublished": "2025-04-03T16:57:05.488Z",
    "dateReserved": "2025-03-26T15:04:52.624Z",
    "dateUpdated": "2025-04-03T20:03:09.458Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-55549 (GCVE-0-2024-55549)

Vulnerability from cvelistv5

Published

2025-03-14 00:00

Modified

2025-03-14 19:27

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-416 - Use After Free

Summary

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

Impacted products

	Vendor	Product	Version
	xmlsoft	libxslt	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-55549",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-14T19:26:54.516211Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T19:27:01.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxslt",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "1.1.43",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.43",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-14T01:02:10.105Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-55549",
    "datePublished": "2025-03-14T00:00:00.000Z",
    "dateReserved": "2024-12-08T00:00:00.000Z",
    "dateUpdated": "2025-03-14T19:27:01.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21725 (GCVE-0-2025-21725)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0x159/0x1b0 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? do_error_trap+0x90/0x130 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? exc_divide_error+0x39/0x50 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? asm_exc_divide_error+0x1a/0x20 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs] ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? seq_read_iter+0x42e/0x790 seq_read_iter+0x19a/0x790 proc_reg_read_iter+0xbe/0x110 ? __pfx_proc_reg_read_iter+0x10/0x10 vfs_read+0x469/0x570 ? do_user_addr_fault+0x398/0x760 ? __pfx_vfs_read+0x10/0x10 ? find_held_lock+0x8a/0xa0 ? __pfx_lock_release+0x10/0x10 ksys_read+0xd3/0x170 ? __pfx_ksys_read+0x10/0x10 ? __rcu_read_unlock+0x50/0x270 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000 </TASK> Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset.

References

►

URL

Tags

	https://git.kernel.org/stable/c/208e102a2fca44e40a6c3f7b9e2609cfd17a15aa
	https://git.kernel.org/stable/c/3f901c35e1a1b3ed1b528a17ffdb941aa0294458
	https://git.kernel.org/stable/c/699179dfc8d7da457b152ca5d18ae45f9ed9beaa
	https://git.kernel.org/stable/c/ad3b49fbdb156aa8ee2026ba590642c9b5a410f2
	https://git.kernel.org/stable/c/be7a6a77669588bfa5022a470989702bbbb11e7f

Impacted products

Vendor

Product

Version

►

Linux

Version: 548893404c44fc01a59f17727876e02553146fe6
Version: 1cd8c353708de99d8bfa7db8a0c961a800b1fa7f
Version: a6d8fb54a515f0546ffdb7870102b1238917e567
Version: a6d8fb54a515f0546ffdb7870102b1238917e567
Version: a6d8fb54a515f0546ffdb7870102b1238917e567

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "208e102a2fca44e40a6c3f7b9e2609cfd17a15aa",
              "status": "affected",
              "version": "548893404c44fc01a59f17727876e02553146fe6",
              "versionType": "git"
            },
            {
              "lessThan": "3f901c35e1a1b3ed1b528a17ffdb941aa0294458",
              "status": "affected",
              "version": "1cd8c353708de99d8bfa7db8a0c961a800b1fa7f",
              "versionType": "git"
            },
            {
              "lessThan": "699179dfc8d7da457b152ca5d18ae45f9ed9beaa",
              "status": "affected",
              "version": "a6d8fb54a515f0546ffdb7870102b1238917e567",
              "versionType": "git"
            },
            {
              "lessThan": "ad3b49fbdb156aa8ee2026ba590642c9b5a410f2",
              "status": "affected",
              "version": "a6d8fb54a515f0546ffdb7870102b1238917e567",
              "versionType": "git"
            },
            {
              "lessThan": "be7a6a77669588bfa5022a470989702bbbb11e7f",
              "status": "affected",
              "version": "a6d8fb54a515f0546ffdb7870102b1238917e567",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.65",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix oops due to unset link speed\n\nIt isn\u0027t guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always\nbe set by the server, so the client must handle any values and then\nprevent oopses like below from happening:\n\nOops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nRIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48\n89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8\ne7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 \u003c48\u003e f7 74 24 18 48 89\nc3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24\nRSP: 0018:ffffc90001817be0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99\nRDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228\nRBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac\nR10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200\nR13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58\nFS: 00007fe27119e740(0000) GS:ffff888148600000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0x159/0x1b0\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? do_error_trap+0x90/0x130\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? exc_divide_error+0x39/0x50\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? asm_exc_divide_error+0x1a/0x20\n ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? seq_read_iter+0x42e/0x790\n seq_read_iter+0x19a/0x790\n proc_reg_read_iter+0xbe/0x110\n ? __pfx_proc_reg_read_iter+0x10/0x10\n vfs_read+0x469/0x570\n ? do_user_addr_fault+0x398/0x760\n ? __pfx_vfs_read+0x10/0x10\n ? find_held_lock+0x8a/0xa0\n ? __pfx_lock_release+0x10/0x10\n ksys_read+0xd3/0x170\n ? __pfx_ksys_read+0x10/0x10\n ? __rcu_read_unlock+0x50/0x270\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe271288911\nCode: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8\n20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 \u003c48\u003e 3d\n00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec\nRSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911\nRDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003\nRBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380\nR10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000\nR13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000\n \u003c/TASK\u003e\n\nFix this by setting cifs_server_iface::speed to a sane value (1Gbps)\nby default when link speed is unset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:49.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/208e102a2fca44e40a6c3f7b9e2609cfd17a15aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f901c35e1a1b3ed1b528a17ffdb941aa0294458"
        },
        {
          "url": "https://git.kernel.org/stable/c/699179dfc8d7da457b152ca5d18ae45f9ed9beaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad3b49fbdb156aa8ee2026ba590642c9b5a410f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/be7a6a77669588bfa5022a470989702bbbb11e7f"
        }
      ],
      "title": "smb: client: fix oops due to unset link speed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21725",
    "datePublished": "2025-02-27T02:07:32.226Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T07:19:49.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21637 (GCVE-0-2025-21637)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 07:17

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: udp_port: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure.

References

►

URL

Tags

	https://git.kernel.org/stable/c/0a0966312ac3eedd7f5f2a766ed4702df39a9a65
	https://git.kernel.org/stable/c/e919197fb8616331f5dc81e4c3cc3d12769cb725
	https://git.kernel.org/stable/c/55627918febdf9d71107a1e68d1528dc591c9a15
	https://git.kernel.org/stable/c/5b77d73f3be5102720fb685b9e6900e3500e1096
	https://git.kernel.org/stable/c/c10377bbc1972d858eaf0ab366a311b39f8ef1b6

Impacted products

Vendor

Product

Version

►

Linux

Version: 046c052b475e7119b6a30e3483e2888fc606a2f8
Version: 046c052b475e7119b6a30e3483e2888fc606a2f8
Version: 046c052b475e7119b6a30e3483e2888fc606a2f8
Version: 046c052b475e7119b6a30e3483e2888fc606a2f8
Version: 046c052b475e7119b6a30e3483e2888fc606a2f8

Linux

Version: 5.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0a0966312ac3eedd7f5f2a766ed4702df39a9a65",
              "status": "affected",
              "version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
              "versionType": "git"
            },
            {
              "lessThan": "e919197fb8616331f5dc81e4c3cc3d12769cb725",
              "status": "affected",
              "version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
              "versionType": "git"
            },
            {
              "lessThan": "55627918febdf9d71107a1e68d1528dc591c9a15",
              "status": "affected",
              "version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
              "versionType": "git"
            },
            {
              "lessThan": "5b77d73f3be5102720fb685b9e6900e3500e1096",
              "status": "affected",
              "version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
              "versionType": "git"
            },
            {
              "lessThan": "c10377bbc1972d858eaf0ab366a311b39f8ef1b6",
              "status": "affected",
              "version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: udp_port: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, but that would\nincrease the size of this fix, while \u0027sctp.ctl_sock\u0027 still needs to be\nretrieved from \u0027net\u0027 structure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:17:58.644Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0a0966312ac3eedd7f5f2a766ed4702df39a9a65"
        },
        {
          "url": "https://git.kernel.org/stable/c/e919197fb8616331f5dc81e4c3cc3d12769cb725"
        },
        {
          "url": "https://git.kernel.org/stable/c/55627918febdf9d71107a1e68d1528dc591c9a15"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b77d73f3be5102720fb685b9e6900e3500e1096"
        },
        {
          "url": "https://git.kernel.org/stable/c/c10377bbc1972d858eaf0ab366a311b39f8ef1b6"
        }
      ],
      "title": "sctp: sysctl: udp_port: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21637",
    "datePublished": "2025-01-19T10:17:55.321Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-05-04T07:17:58.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32728 (GCVE-0-2025-32728)

Vulnerability from cvelistv5

Published

2025-04-10 00:00

Modified

2025-05-08 13:11

Severity ?

4.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-440 - Expected Behavior Violation

Summary

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

References

►

URL

Tags

	https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html
	https://www.openssh.com/txt/release-10.0
	https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
	https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig
	https://www.openssh.com/txt/release-7.4

Impacted products

	Vendor	Product	Version
	OpenBSD	OpenSSH	Version: 7.4 < 10.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T18:35:34.531350Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T18:35:46.150Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-08T13:11:19.684Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250425-0002/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSH",
          "vendor": "OpenBSD",
          "versions": [
            {
              "lessThan": "10.0",
              "status": "affected",
              "version": "7.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0",
                  "versionStartIncluding": "7.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440 Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T01:40:34.658Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html"
        },
        {
          "url": "https://www.openssh.com/txt/release-10.0"
        },
        {
          "url": "https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367"
        },
        {
          "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig"
        },
        {
          "url": "https://www.openssh.com/txt/release-7.4"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32728",
    "datePublished": "2025-04-10T00:00:00.000Z",
    "dateReserved": "2025-04-10T00:00:00.000Z",
    "dateUpdated": "2025-05-08T13:11:19.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21784 (GCVE-0-2025-21784)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() In function psp_init_cap_microcode(), it should bail out when failed to load firmware, otherwise it may cause invalid memory access.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3f40a7ff39d9f1d283d5aa9b13e2fb16200aff5f
	https://git.kernel.org/stable/c/d1d10bd595539ed82ab59b60249f9bdf0994f678
	https://git.kernel.org/stable/c/e7eb84384335e2abf960c94ec0f8c5b835283777
	https://git.kernel.org/stable/c/a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf

Impacted products

Vendor

Product

Version

►

Linux

Version: 07dbfc6b102e25087ec345ef2c2eae21c9856f17
Version: 07dbfc6b102e25087ec345ef2c2eae21c9856f17
Version: 07dbfc6b102e25087ec345ef2c2eae21c9856f17
Version: 07dbfc6b102e25087ec345ef2c2eae21c9856f17

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f40a7ff39d9f1d283d5aa9b13e2fb16200aff5f",
              "status": "affected",
              "version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
              "versionType": "git"
            },
            {
              "lessThan": "d1d10bd595539ed82ab59b60249f9bdf0994f678",
              "status": "affected",
              "version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
              "versionType": "git"
            },
            {
              "lessThan": "e7eb84384335e2abf960c94ec0f8c5b835283777",
              "status": "affected",
              "version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
              "versionType": "git"
            },
            {
              "lessThan": "a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf",
              "status": "affected",
              "version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()\n\nIn function psp_init_cap_microcode(), it should bail out when failed to\nload firmware, otherwise it may cause invalid memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:11.128Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f40a7ff39d9f1d283d5aa9b13e2fb16200aff5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1d10bd595539ed82ab59b60249f9bdf0994f678"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7eb84384335e2abf960c94ec0f8c5b835283777"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf"
        }
      ],
      "title": "drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21784",
    "datePublished": "2025-02-27T02:18:25.431Z",
    "dateReserved": "2024-12-29T08:45:45.765Z",
    "dateUpdated": "2025-05-04T07:21:11.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26708 (GCVE-0-2024-26708)

Vulnerability from cvelistv5

Published

2024-04-03 14:55

Modified

2025-05-04 08:54

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked. Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1.

References

►

URL

Tags

	https://git.kernel.org/stable/c/4bfe217e075d04e63c092df9d40c608e598c2ef2
	https://git.kernel.org/stable/c/e158fb9679d15a2317ec13b4f6301bd26265df2f
	https://git.kernel.org/stable/c/337cebbd850f94147cee05252778f8f78b8c337f

Impacted products

Vendor

Product

Version

►

Linux

Version: 1e777f39b4d75e599a3aac8e0f67d739474f198c
Version: 1e777f39b4d75e599a3aac8e0f67d739474f198c
Version: 1e777f39b4d75e599a3aac8e0f67d739474f198c

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-03T18:54:23.010833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T21:56:45.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:12.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4bfe217e075d04e63c092df9d40c608e598c2ef2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e158fb9679d15a2317ec13b4f6301bd26265df2f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/337cebbd850f94147cee05252778f8f78b8c337f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4bfe217e075d04e63c092df9d40c608e598c2ef2",
              "status": "affected",
              "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
              "versionType": "git"
            },
            {
              "lessThan": "e158fb9679d15a2317ec13b4f6301bd26265df2f",
              "status": "affected",
              "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
              "versionType": "git"
            },
            {
              "lessThan": "337cebbd850f94147cee05252778f8f78b8c337f",
              "status": "affected",
              "version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.6",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: really cope with fastopen race\n\nFastopen and PM-trigger subflow shutdown can race, as reported by\nsyzkaller.\n\nIn my first attempt to close such race, I missed the fact that\nthe subflow status can change again before the subflow_state_change\ncallback is invoked.\n\nAddress the issue additionally copying with all the states directly\nreachable from TCP_FIN_WAIT1."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:54:33.265Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4bfe217e075d04e63c092df9d40c608e598c2ef2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e158fb9679d15a2317ec13b4f6301bd26265df2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/337cebbd850f94147cee05252778f8f78b8c337f"
        }
      ],
      "title": "mptcp: really cope with fastopen race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26708",
    "datePublished": "2024-04-03T14:55:11.054Z",
    "dateReserved": "2024-02-19T14:20:24.158Z",
    "dateUpdated": "2025-05-04T08:54:33.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21704 (GCVE-0-2025-21704)

Vulnerability from cvelistv5

Published

2025-02-22 09:43

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2
	https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118
	https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812
	https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646
	https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c
	https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636
	https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831
	https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01
	https://project-zero.issues.chromium.org/issues/395107243

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/cdc-acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "90dd2f1b7342b9a671a5ea4160f408037b92b118",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "871619c2b78fdfe05afb4e8ba548678687beb812",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7828e9363ac4d23b02419bf2a45b9f1d9fb35646",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6abb510251e75f875797d8983a830e6731fa281c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f64079bef6a8a7823358c3f352ea29a617844636",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "383d516a0ebc8641372b521c8cb717f0f1834831",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e563b01208f4d1f609bcab13333b6c0e24ce6a01",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/cdc-acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can\u0027t\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm-\u003enb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device\u0027s vendor/product IDs and\nits other interfaces."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:21.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"
        },
        {
          "url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"
        },
        {
          "url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"
        },
        {
          "url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"
        },
        {
          "url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"
        },
        {
          "url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/395107243"
        }
      ],
      "title": "usb: cdc-acm: Check control transfer buffer size before access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21704",
    "datePublished": "2025-02-22T09:43:37.377Z",
    "dateReserved": "2024-12-29T08:45:45.751Z",
    "dateUpdated": "2025-05-04T07:19:21.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53140 (GCVE-0-2024-53140)

Vulnerability from cvelistv5

Published

2024-12-04 14:20

Modified

2025-05-04 13:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own.

References

►

URL

Tags

	https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834
	https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559
	https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4
	https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603
	https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98
	https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca
	https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f
	https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505

Impacted products

Vendor

Product

Version

►

Linux

Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e
Version: baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df
Version: 25d9b4bb64ea964769087fc5ae09aee9c838d759

Linux

Version: 4.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c",
            "net/netlink/af_netlink.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "114a61d8d94ae3a43b82446cf737fd757021b834",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "598c956b62699c3753929602560d8df322e60559",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "4e87a52133284afbd40fb522dbf96e258af52a98",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "176c41b3ca9281a9736b67c6121b03dbf0c8c08f",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "lessThan": "1904fb9ebf911441f90a68e96b22aa73e4410505",
              "status": "affected",
              "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "25d9b4bb64ea964769087fc5ae09aee9c838d759",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c",
            "net/netlink/af_netlink.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.325",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.325",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.119",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.63",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.10",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.8.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump  - actual dump helper, keeps getting called until it returns 0\n - done  - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon\u0027t actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we\u0027re back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn\u0027t have to take a reference of its own."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:35.955Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834"
        },
        {
          "url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505"
        }
      ],
      "title": "netlink: terminate outstanding dump on socket close",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53140",
    "datePublished": "2024-12-04T14:20:44.914Z",
    "dateReserved": "2024-11-19T17:17:24.997Z",
    "dateUpdated": "2025-05-04T13:00:35.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4207 (GCVE-0-2025-4207)

Vulnerability from cvelistv5

Published

2025-05-08 14:22

Modified

2025-05-09 18:03

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-126 - Buffer Over-read

Summary

Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

References

►

URL

Tags

https://www.postgresql.org/support/security/CVE-2025-4207/

Impacted products

	Vendor	Product	Version
	n/a	PostgreSQL	Version: 17 < 17.5 Version: 16 < 16.9 Version: 15 < 15.13 Version: 14 < 14.18 Version: 0 < 13.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4207",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T14:52:17.907978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T14:56:08.741Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-09T18:03:35.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00011.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/09/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "17.5",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.9",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.13",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.18",
              "status": "affected",
              "version": "14",
              "versionType": "rpm"
            },
            {
              "lessThan": "13.21",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination.  This affects the database server and also libpq.  Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-126",
              "description": "Buffer Over-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-08T14:22:45.543Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2025-4207/"
        }
      ],
      "title": "PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2025-4207",
    "datePublished": "2025-05-08T14:22:45.543Z",
    "dateReserved": "2025-05-02T00:03:22.439Z",
    "dateUpdated": "2025-05-09T18:03:35.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56171 (GCVE-0-2024-56171)

Vulnerability from cvelistv5

Published

2025-02-18 00:00

Modified

2025-03-28 15:03

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-416 - Use After Free

Summary

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impacted products

	Vendor	Product	Version
	xmlsoft	libxml2	Version: 0 ≤ Version: 2.13.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56171",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-19T16:26:31.484719Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T16:26:41.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-28T15:03:06.595Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.12.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.13.6",
              "status": "affected",
              "version": "2.13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.6",
                  "versionStartIncluding": "2.13.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T22:10:20.934Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/828"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-56171",
    "datePublished": "2025-02-18T00:00:00.000Z",
    "dateReserved": "2024-12-18T00:00:00.000Z",
    "dateUpdated": "2025-03-28T15:03:06.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41149 (GCVE-0-2024-41149)

Vulnerability from cvelistv5

Published

2025-01-11 12:35

Modified

2025-05-04 09:22

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: block: avoid to reuse `hctx` not removed from cpuhp callback list If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it, otherwise use-after-free may be triggered.

References

►

URL

Tags

	https://git.kernel.org/stable/c/ee18012c80155f6809522804099621070c69ec72
	https://git.kernel.org/stable/c/b5792c162dcf6197bf3d2de2be6c8169435b73d0
	https://git.kernel.org/stable/c/85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b

Impacted products

Vendor

Product

Version

►

Linux

Version: 58bf93580fec30d84a46be41171c5fad98b5cc70
Version: c1291ea131d186296dc8d328a36c3caf38e8e159
Version: 22465bbac53c821319089016f268a2437de9b00a

Linux

Version: 6.12.6 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:11.000102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:20.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee18012c80155f6809522804099621070c69ec72",
              "status": "affected",
              "version": "58bf93580fec30d84a46be41171c5fad98b5cc70",
              "versionType": "git"
            },
            {
              "lessThan": "b5792c162dcf6197bf3d2de2be6c8169435b73d0",
              "status": "affected",
              "version": "c1291ea131d186296dc8d328a36c3caf38e8e159",
              "versionType": "git"
            },
            {
              "lessThan": "85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b",
              "status": "affected",
              "version": "22465bbac53c821319089016f268a2437de9b00a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.12.7",
              "status": "affected",
              "version": "6.12.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "6.12.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid to reuse `hctx` not removed from cpuhp callback list\n\nIf the \u0027hctx\u0027 isn\u0027t removed from cpuhp callback list, we can\u0027t reuse it,\notherwise use-after-free may be triggered."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:22:05.525Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee18012c80155f6809522804099621070c69ec72"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5792c162dcf6197bf3d2de2be6c8169435b73d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b"
        }
      ],
      "title": "block: avoid to reuse `hctx` not removed from cpuhp callback list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41149",
    "datePublished": "2025-01-11T12:35:33.428Z",
    "dateReserved": "2025-01-11T12:33:33.672Z",
    "dateUpdated": "2025-05-04T09:22:05.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1215 (GCVE-0-2025-1215)

Vulnerability from cvelistv5

Published

2025-02-12 18:31

Modified

2025-03-21 18:03

Severity ?

2.4 (Low) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
2.8 (Low) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-119 - Memory Corruption

Summary

A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.

References

►

URL

Tags

	https://vuldb.com/?id.295174	vdb-entry, technical-description
	https://vuldb.com/?ctiid.295174	signature, permissions-required
	https://vuldb.com/?submit.497546	third-party-advisory
	https://github.com/vim/vim/issues/16606	issue-tracking
	https://github.com/vim/vim/commit/c5654b84480822817bb7b69ebc97c174c91185e9	patch
	https://github.com/vim/vim/releases/tag/v9.1.1097	patch

Impacted products

	Vendor	Product	Version
	n/a	vim	Version: 9.1.1096

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1215",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T19:39:18.655840Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T19:39:22.660Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://vuldb.com/?submit.497546"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vim/vim/issues/16606"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-21T18:03:50.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250321-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "9.1.1096"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "wenjusun (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component."
        },
        {
          "lang": "de",
          "value": "In vim bis 9.1.1096 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Datei src/main.c. Dank der Manipulation des Arguments --log mit unbekannten Daten kann eine memory corruption-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs hat dabei lokal zu erfolgen. Ein Aktualisieren auf die Version 9.1.1097 vermag dieses Problem zu l\u00f6sen. Der Patch wird als c5654b84480822817bb7b69ebc97c174c91185e9 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.8,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.8,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.7,
            "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-12T18:31:06.472Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-295174 | vim main.c memory corruption",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.295174"
        },
        {
          "name": "VDB-295174 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.295174"
        },
        {
          "name": "Submit #497546 | VIM vim 68d08588928b29fe0b19e3513cd689486260ab1c illegal read access",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.497546"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/vim/vim/issues/16606"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/vim/vim/commit/c5654b84480822817bb7b69ebc97c174c91185e9"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/vim/vim/releases/tag/v9.1.1097"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-02-10T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-02-11T00:01:11.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "vim main.c memory corruption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-1215",
    "datePublished": "2025-02-12T18:31:06.472Z",
    "dateReserved": "2025-02-10T22:55:47.747Z",
    "dateUpdated": "2025-03-21T18:03:50.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21741 (GCVE-0-2025-21741)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header.

References

►

URL

Tags

	https://git.kernel.org/stable/c/22475242ddb70e35c9148234be9a3aa9fb8efff9
	https://git.kernel.org/stable/c/5835bf66c50ac2b85ed28b282c2456c3516ef0a6
	https://git.kernel.org/stable/c/971b8c572559e52d32a2b82f2d9e0685439a0117
	https://git.kernel.org/stable/c/ee591f2b281721171896117f9946fced31441418

Impacted products

Vendor

Product

Version

►

Linux

Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22475242ddb70e35c9148234be9a3aa9fb8efff9",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "5835bf66c50ac2b85ed28b282c2456c3516ef0a6",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "971b8c572559e52d32a2b82f2d9e0685439a0117",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "ee591f2b281721171896117f9946fced31441418",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix DPE OoB read\n\nFix an out-of-bounds DPE read, limit the number of processed DPEs to\nthe amount that fits into the fixed-size NDP16 header."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:08.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22475242ddb70e35c9148234be9a3aa9fb8efff9"
        },
        {
          "url": "https://git.kernel.org/stable/c/5835bf66c50ac2b85ed28b282c2456c3516ef0a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/971b8c572559e52d32a2b82f2d9e0685439a0117"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee591f2b281721171896117f9946fced31441418"
        }
      ],
      "title": "usbnet: ipheth: fix DPE OoB read",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21741",
    "datePublished": "2025-02-27T02:12:15.715Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:08.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52927 (GCVE-0-2023-52927)

Vulnerability from cvelistv5

Published

2025-03-14 14:25

Modified

2025-05-04 07:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec
	https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack_expect.h",
            "net/netfilter/nf_conntrack_core.c",
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4914109a8e1e494c6aa9852f9e84ec77a5fc643f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/netfilter/nf_conntrack_expect.h",
            "net/netfilter/nf_conntrack_core.c",
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:46:10.143Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f"
        }
      ],
      "title": "netfilter: allow exp not to be removed in nf_ct_find_expectation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52927",
    "datePublished": "2025-03-14T14:25:59.166Z",
    "dateReserved": "2024-08-21T06:07:11.018Z",
    "dateUpdated": "2025-05-04T07:46:10.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21680 (GCVE-0-2025-21680)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. [ fp: allow to fill the array completely; minor changelog cleanup ]

References

►

URL

Tags

	https://git.kernel.org/stable/c/3450092cc2d1c311c5ea92a2486daa2a33520ea5
	https://git.kernel.org/stable/c/e5d24a7074dcd0c7e76b7e7e4efbbe7418d62486
	https://git.kernel.org/stable/c/7cde21f52042aa2e29a654458166b873d2ae66b3
	https://git.kernel.org/stable/c/1a9b65c672ca9dc4ba52ca2fd54329db9580ce29
	https://git.kernel.org/stable/c/76201b5979768500bca362871db66d77cb4c225e

Impacted products

Vendor

Product

Version

►

Linux

Version: 52a62f8603f97e720882c8f5aff2767ac6a11d5f
Version: 52a62f8603f97e720882c8f5aff2767ac6a11d5f
Version: 52a62f8603f97e720882c8f5aff2767ac6a11d5f
Version: 52a62f8603f97e720882c8f5aff2767ac6a11d5f
Version: 52a62f8603f97e720882c8f5aff2767ac6a11d5f

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/pktgen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3450092cc2d1c311c5ea92a2486daa2a33520ea5",
              "status": "affected",
              "version": "52a62f8603f97e720882c8f5aff2767ac6a11d5f",
              "versionType": "git"
            },
            {
              "lessThan": "e5d24a7074dcd0c7e76b7e7e4efbbe7418d62486",
              "status": "affected",
              "version": "52a62f8603f97e720882c8f5aff2767ac6a11d5f",
              "versionType": "git"
            },
            {
              "lessThan": "7cde21f52042aa2e29a654458166b873d2ae66b3",
              "status": "affected",
              "version": "52a62f8603f97e720882c8f5aff2767ac6a11d5f",
              "versionType": "git"
            },
            {
              "lessThan": "1a9b65c672ca9dc4ba52ca2fd54329db9580ce29",
              "status": "affected",
              "version": "52a62f8603f97e720882c8f5aff2767ac6a11d5f",
              "versionType": "git"
            },
            {
              "lessThan": "76201b5979768500bca362871db66d77cb4c225e",
              "status": "affected",
              "version": "52a62f8603f97e720882c8f5aff2767ac6a11d5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/pktgen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npktgen: Avoid out-of-bounds access in get_imix_entries\n\nPassing a sufficient amount of imix entries leads to invalid access to the\npkt_dev-\u003eimix_entries array because of the incorrect boundary check.\n\nUBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24\nindex 20 is out of range for type \u0027imix_pkt [20]\u0027\nCPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl lib/dump_stack.c:117\n__ubsan_handle_out_of_bounds lib/ubsan.c:429\nget_imix_entries net/core/pktgen.c:874\npktgen_if_write net/core/pktgen.c:1063\npde_write fs/proc/inode.c:334\nproc_reg_write fs/proc/inode.c:346\nvfs_write fs/read_write.c:593\nksys_write fs/read_write.c:644\ndo_syscall_64 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[ fp: allow to fill the array completely; minor changelog cleanup ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:55.584Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3450092cc2d1c311c5ea92a2486daa2a33520ea5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5d24a7074dcd0c7e76b7e7e4efbbe7418d62486"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cde21f52042aa2e29a654458166b873d2ae66b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a9b65c672ca9dc4ba52ca2fd54329db9580ce29"
        },
        {
          "url": "https://git.kernel.org/stable/c/76201b5979768500bca362871db66d77cb4c225e"
        }
      ],
      "title": "pktgen: Avoid out-of-bounds access in get_imix_entries",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21680",
    "datePublished": "2025-01-31T11:25:40.831Z",
    "dateReserved": "2024-12-29T08:45:45.738Z",
    "dateUpdated": "2025-05-04T07:18:55.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21738 (GCVE-0-2025-21738)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c
	https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c
	https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902
	https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45
	https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-sff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d5e6e3000309359eae2a17117aa6e3c44897bf6c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0dd5aade301a10f4b329fa7454fdcc2518741902",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0a17a9944b8d89ef03946121241870ac53ddaf45",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6e74e53b34b6dec5a50e1404e2680852ec6768d2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-sff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-sff: Ensure that we cannot write outside the allocated buffer\n\nreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len\nset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to\nATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to\nwrite outside the allocated buffer, overwriting random memory.\n\nWhile a ATA device is supposed to abort a ATA_NOP command, there does seem\nto be a bug either in libata-sff or QEMU, where either this status is not\nset, or the status is cleared before read by ata_sff_hsm_move().\nAnyway, that is most likely a separate bug.\n\nLooking at __atapi_pio_bytes(), it already has a safety check to ensure\nthat __atapi_pio_bytes() cannot write outside the allocated buffer.\n\nAdd a similar check to ata_pio_sector(), such that also ata_pio_sector()\ncannot write outside the allocated buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:05.966Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2"
        }
      ],
      "title": "ata: libata-sff: Ensure that we cannot write outside the allocated buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21738",
    "datePublished": "2025-02-27T02:12:13.942Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:05.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27363 (GCVE-0-2025-27363)

Vulnerability from cvelistv5

Published

2025-03-11 13:28

Modified

2025-07-30 01:36

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

CWE

Out-of-bounds Write (CWE-787)

Summary

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

References

►

URL

Tags

https://www.facebook.com/security/advisories/cve-2025-27363

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	FreeType	FreeType	Version: 0.0.0 ≤ 2.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27363",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-07T03:55:53.843762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-05-06",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:36:18.147Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory"
            ],
            "url": "https://source.android.com/docs/security/bulletin/2025-05-01"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-05-06T00:00:00+00:00",
            "value": "CVE-2025-27363 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-06T22:02:53.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/8"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/13/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/14/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/14/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/14/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/14/4"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/06/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FreeType",
          "vendor": "FreeType",
          "versions": [
            {
              "lessThanOrEqual": "2.13.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "dateAssigned": "2025-02-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Out-of-bounds Write (CWE-787)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-13T12:54:55.748Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.facebook.com/security/advisories/cve-2025-27363"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2025-27363",
    "datePublished": "2025-03-11T13:28:31.705Z",
    "dateReserved": "2025-02-21T19:53:14.160Z",
    "dateUpdated": "2025-07-30T01:36:18.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-39028 (GCVE-0-2022-39028)

Vulnerability from cvelistv5

Published

2022-08-30 00:00

Modified

2024-08-03 11:10

Severity ?

CWE

n/a

Summary

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

References

►

URL

Tags

	https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
	https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
	https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289
	https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html	mailing-list

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T11:10:32.472Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289"
          },
          {
            "name": "[debian-lts-announce] 20221125 [SECURITY] [DLA 3205-1] inetutils security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-25T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html"
        },
        {
          "url": "https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html"
        },
        {
          "url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289"
        },
        {
          "name": "[debian-lts-announce] 20221125 [SECURITY] [DLA 3205-1] inetutils security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-39028",
    "datePublished": "2022-08-30T00:00:00",
    "dateReserved": "2022-08-30T00:00:00",
    "dateUpdated": "2024-08-03T11:10:32.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58014 (GCVE-0-2024-58014)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-21 09:13

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN() instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE.

References

►

URL

Tags

	https://git.kernel.org/stable/c/0a457223cb2b9ca46bae7de387d0f4c093b0220d
	https://git.kernel.org/stable/c/13ef16c4fe384b1e70277bbe1d87934ee6c81e12
	https://git.kernel.org/stable/c/d280a12e9b87819a8a209639d600b48a2d6d65dc
	https://git.kernel.org/stable/c/ada9df08b3ef683507e75b92f522fb659260147f
	https://git.kernel.org/stable/c/093286c33409bf38896f2dab0c0bb6ca388afb33
	https://git.kernel.org/stable/c/c27ce584d274f6ad3cba2294497de824a3c66646
	https://git.kernel.org/stable/c/6f6e293246dc1f5b2b6b3d0f2d757598489cda79
	https://git.kernel.org/stable/c/3f4a0948c3524ae50f166dbc6572a3296b014e62

Impacted products

Vendor

Product

Version

►

Linux

Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009
Version: 5b435de0d786869c95d1962121af0d7df2542009

Linux

Version: 3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0a457223cb2b9ca46bae7de387d0f4c093b0220d",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "13ef16c4fe384b1e70277bbe1d87934ee6c81e12",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "d280a12e9b87819a8a209639d600b48a2d6d65dc",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "ada9df08b3ef683507e75b92f522fb659260147f",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "093286c33409bf38896f2dab0c0bb6ca388afb33",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "c27ce584d274f6ad3cba2294497de824a3c66646",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "6f6e293246dc1f5b2b6b3d0f2d757598489cda79",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            },
            {
              "lessThan": "3f4a0948c3524ae50f166dbc6572a3296b014e62",
              "status": "affected",
              "version": "5b435de0d786869c95d1962121af0d7df2542009",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()\n\nIn \u0027wlc_phy_iqcal_gainparams_nphy()\u0027, add gain range check to WARN()\ninstead of possible out-of-bounds \u0027tbl_iqcal_gainparams_nphy\u0027 access.\nCompile tested only.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T09:13:49.431Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0a457223cb2b9ca46bae7de387d0f4c093b0220d"
        },
        {
          "url": "https://git.kernel.org/stable/c/13ef16c4fe384b1e70277bbe1d87934ee6c81e12"
        },
        {
          "url": "https://git.kernel.org/stable/c/d280a12e9b87819a8a209639d600b48a2d6d65dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ada9df08b3ef683507e75b92f522fb659260147f"
        },
        {
          "url": "https://git.kernel.org/stable/c/093286c33409bf38896f2dab0c0bb6ca388afb33"
        },
        {
          "url": "https://git.kernel.org/stable/c/c27ce584d274f6ad3cba2294497de824a3c66646"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f6e293246dc1f5b2b6b3d0f2d757598489cda79"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f4a0948c3524ae50f166dbc6572a3296b014e62"
        }
      ],
      "title": "wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58014",
    "datePublished": "2025-02-27T02:12:07.344Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-21T09:13:49.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43790 (GCVE-0-2024-43790)

Vulnerability from cvelistv5

Published

2024-08-22 21:23

Modified

2024-09-20 16:03

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.

References

►

URL

Tags

	https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: < v9.1.0689

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-23T16:42:30.460971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-23T16:42:39.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-20T16:03:12.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20240920-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c v9.1.0689"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-22T21:23:07.797Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm"
        },
        {
          "name": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc"
        }
      ],
      "source": {
        "advisory": "GHSA-v2x2-cjcg-f9jm",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow in do_search() in Vim \u003c 9.1.0689"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43790",
    "datePublished": "2024-08-22T21:23:07.797Z",
    "dateReserved": "2024-08-16T14:20:37.323Z",
    "dateUpdated": "2024-09-20T16:03:12.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45010 (GCVE-0-2024-45010)

Vulnerability from cvelistv5

Published

2024-09-11 15:13

Modified

2025-05-04 09:30

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal' endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to 'subflow' endpoints, and here it is a 'signal' endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and if the ID is not 0 -- local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7fdc870d08960961408a44c569f20f50940e7d4f
	https://git.kernel.org/stable/c/43cf912b0b0fc7b4fd12cbc735d1f5afb8e1322d
	https://git.kernel.org/stable/c/9849cfc67383ceb167155186f8f8fe8a896b60b3
	https://git.kernel.org/stable/c/322ea3778965da72862cca2a0c50253aacf65fe6

Impacted products

Vendor

Product

Version

►

Linux

Version: 06faa22710342bca5e9c249634199c650799fce6
Version: 06faa22710342bca5e9c249634199c650799fce6
Version: 06faa22710342bca5e9c249634199c650799fce6
Version: 06faa22710342bca5e9c249634199c650799fce6

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45010",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T15:50:56.116338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T15:51:10.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7fdc870d08960961408a44c569f20f50940e7d4f",
              "status": "affected",
              "version": "06faa22710342bca5e9c249634199c650799fce6",
              "versionType": "git"
            },
            {
              "lessThan": "43cf912b0b0fc7b4fd12cbc735d1f5afb8e1322d",
              "status": "affected",
              "version": "06faa22710342bca5e9c249634199c650799fce6",
              "versionType": "git"
            },
            {
              "lessThan": "9849cfc67383ceb167155186f8f8fe8a896b60b3",
              "status": "affected",
              "version": "06faa22710342bca5e9c249634199c650799fce6",
              "versionType": "git"
            },
            {
              "lessThan": "322ea3778965da72862cca2a0c50253aacf65fe6",
              "status": "affected",
              "version": "06faa22710342bca5e9c249634199c650799fce6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.108",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.108",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.48",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.7",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only mark \u0027subflow\u0027 endp as available\n\nAdding the following warning ...\n\n  WARN_ON_ONCE(msk-\u003epm.local_addr_used == 0)\n\n... before decrementing the local_addr_used counter helped to find a bug\nwhen running the \"remove single address\" subtest from the mptcp_join.sh\nselftests.\n\nRemoving a \u0027signal\u0027 endpoint will trigger the removal of all subflows\nlinked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with\nrm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used\ncounter, which is wrong in this case because this counter is linked to\n\u0027subflow\u0027 endpoints, and here it is a \u0027signal\u0027 endpoint that is being\nremoved.\n\nNow, the counter is decremented, only if the ID is being used outside\nof mptcp_pm_nl_rm_addr_or_subflow(), only for \u0027subflow\u0027 endpoints, and\nif the ID is not 0 -- local_addr_used is not taking into account these\nones. This marking of the ID as being available, and the decrement is\ndone no matter if a subflow using this ID is currently available,\nbecause the subflow could have been closed before."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:30:57.476Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7fdc870d08960961408a44c569f20f50940e7d4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/43cf912b0b0fc7b4fd12cbc735d1f5afb8e1322d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9849cfc67383ceb167155186f8f8fe8a896b60b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/322ea3778965da72862cca2a0c50253aacf65fe6"
        }
      ],
      "title": "mptcp: pm: only mark \u0027subflow\u0027 endp as available",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-45010",
    "datePublished": "2024-09-11T15:13:48.358Z",
    "dateReserved": "2024-08-21T05:34:56.681Z",
    "dateUpdated": "2025-05-04T09:30:57.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56703 (GCVE-0-2024-56703)

Vulnerability from cvelistv5

Published

2024-12-28 09:46

Modified

2025-05-04 10:02

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix soft lockups in fib6_select_path under high next hop churn Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb

References

►

URL

Tags

	https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2
	https://git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f
	https://git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f
	https://git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b
	https://git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b

Impacted products

Vendor

Product

Version

►

Linux

Version: 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83
Version: 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83
Version: 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83
Version: 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83
Version: 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83

Linux

Version: 4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c",
            "net/ipv6/route.c",
            "tools/testing/selftests/net/Makefile",
            "tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
              "status": "affected",
              "version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
              "versionType": "git"
            },
            {
              "lessThan": "52da02521ede55fb86546c3fffd9377b3261b91f",
              "status": "affected",
              "version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
              "versionType": "git"
            },
            {
              "lessThan": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
              "status": "affected",
              "version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
              "versionType": "git"
            },
            {
              "lessThan": "34a949e7a0869dfa31a40416d2a56973fae1807b",
              "status": "affected",
              "version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
              "versionType": "git"
            },
            {
              "lessThan": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
              "status": "affected",
              "version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ip6_fib.c",
            "net/ipv6/route.c",
            "tools/testing/selftests/net/Makefile",
            "tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix soft lockups in fib6_select_path under high next hop churn\n\nSoft lockups have been observed on a cluster of Linux-based edge routers\nlocated in a highly dynamic environment. Using the `bird` service, these\nrouters continuously update BGP-advertised routes due to frequently\nchanging nexthop destinations, while also managing significant IPv6\ntraffic. The lockups occur during the traversal of the multipath\ncircular linked-list in the `fib6_select_path` function, particularly\nwhile iterating through the siblings in the list. The issue typically\narises when the nodes of the linked list are unexpectedly deleted\nconcurrently on a different core\u2014indicated by their \u0027next\u0027 and\n\u0027previous\u0027 elements pointing back to the node itself and their reference\ncount dropping to zero. This results in an infinite loop, leading to a\nsoft lockup that triggers a system panic via the watchdog timer.\n\nApply RCU primitives in the problematic code sections to resolve the\nissue. Where necessary, update the references to fib6_siblings to\nannotate or use the RCU APIs.\n\nInclude a test script that reproduces the issue. The script\nperiodically updates the routing table while generating a heavy load\nof outgoing IPv6 traffic through multiple iperf3 clients. It\nconsistently induces infinite soft lockups within a couple of minutes.\n\nKernel log:\n\n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb\n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3\n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4\n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03\n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f\n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756\n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af\n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d\n-- \u003cIRQ stack\u003e --\n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb\n    [exception RIP: fib6_select_path+299]\n    RIP: ffffffff8ddafe7b  RSP: ffffbd13003d37b8  RFLAGS: 00000287\n    RAX: ffff975850b43600  RBX: ffff975850b40200  RCX: 0000000000000000\n    RDX: 000000003fffffff  RSI: 0000000051d383e4  RDI: ffff975850b43618\n    RBP: ffffbd13003d3800   R8: 0000000000000000   R9: ffff975850b40200\n    R10: 0000000000000000  R11: 0000000000000000  R12: ffffbd13003d3830\n    R13: ffff975850b436a8  R14: ffff975850b43600  R15: 0000000000000007\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c\n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c\n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5\n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47\n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0\n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274\n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474\n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615\n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec\n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3\n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9\n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]\n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]\n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]\n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000\n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581\n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9\n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47\n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30\n28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f\n29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64\n30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:02:52.011Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f"
        },
        {
          "url": "https://git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b"
        }
      ],
      "title": "ipv6: Fix soft lockups in fib6_select_path under high next hop churn",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56703",
    "datePublished": "2024-12-28T09:46:24.978Z",
    "dateReserved": "2024-12-27T15:00:39.856Z",
    "dateUpdated": "2025-05-04T10:02:52.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-40635 (GCVE-0-2024-40635)

Vulnerability from cvelistv5

Published

2025-03-17 21:32

Modified

2025-05-04 22:02

Severity ?

4.6 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-190 - Integer Overflow or Wraparound

Summary

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References

►

URL

Tags

	https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg	x_refsource_CONFIRM
	https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da	x_refsource_MISC
	https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20	x_refsource_MISC
	https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	containerd	containerd	Version: < 1.6.38 Version: >= 1.7.0-beta.0, < 1.7.27 Version: >= 2.0.0-beta.0, < 2.0.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40635",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-18T14:17:05.162920Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-18T14:17:14.209Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-04T22:02:39.748Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.38"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.7.0-beta.0, \u003c 1.7.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-beta.0, \u003c 2.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-17T21:32:37.894Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg"
        },
        {
          "name": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da"
        },
        {
          "name": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20"
        },
        {
          "name": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a"
        }
      ],
      "source": {
        "advisory": "GHSA-265r-hfxg-fhmg",
        "discovery": "UNKNOWN"
      },
      "title": "containerd has an integer overflow in User ID handling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-40635",
    "datePublished": "2025-03-17T21:32:37.894Z",
    "dateReserved": "2024-07-08T16:13:15.511Z",
    "dateUpdated": "2025-05-04T22:02:39.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21716 (GCVE-0-2025-21716)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations. [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786 netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317 __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432 netlink_dump_start include/linux/netlink.h:340 [inline] rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline] rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882 netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4110 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205 kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196 netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

References

►

URL

Tags

	https://git.kernel.org/stable/c/cb1de9309a48cc5b771115781eec05075fd67039
	https://git.kernel.org/stable/c/a84d511165d6ba7f331b90ae6b6ce180ec534daa
	https://git.kernel.org/stable/c/f554bce488605d2f70e06eeab5e4d2448c813713
	https://git.kernel.org/stable/c/1693d1fade71646a0731b6b213298cb443d186ea
	https://git.kernel.org/stable/c/5066293b9b7046a906eff60e3949a887ae185a43

Impacted products

Vendor

Product

Version

►

Linux

Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_vnifilter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb1de9309a48cc5b771115781eec05075fd67039",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "a84d511165d6ba7f331b90ae6b6ce180ec534daa",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "f554bce488605d2f70e06eeab5e4d2448c813713",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "1693d1fade71646a0731b6b213298cb443d186ea",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "5066293b9b7046a906eff60e3949a887ae185a43",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_vnifilter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix uninit-value in vxlan_vnifilter_dump()\n\nKMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1].\n\nIf the length of the netlink message payload is less than\nsizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes\nbeyond the message. This can lead to uninit-value access. Fix this by\nreturning an error in such situations.\n\n[1]\nBUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422\n vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786\n netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317\n __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432\n netlink_dump_start include/linux/netlink.h:340 [inline]\n rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline]\n rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882\n netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542\n rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:726\n ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637\n __sys_sendmsg net/socket.c:2669 [inline]\n __do_sys_sendmsg net/socket.c:2674 [inline]\n __se_sys_sendmsg net/socket.c:2672 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672\n x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4110 [inline]\n slab_alloc_node mm/slub.c:4153 [inline]\n kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205\n kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678\n alloc_skb include/linux/skbuff.h:1323 [inline]\n netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196\n netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:726\n ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637\n __sys_sendmsg net/socket.c:2669 [inline]\n __do_sys_sendmsg net/socket.c:2674 [inline]\n __se_sys_sendmsg net/socket.c:2672 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672\n x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:35.057Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb1de9309a48cc5b771115781eec05075fd67039"
        },
        {
          "url": "https://git.kernel.org/stable/c/a84d511165d6ba7f331b90ae6b6ce180ec534daa"
        },
        {
          "url": "https://git.kernel.org/stable/c/f554bce488605d2f70e06eeab5e4d2448c813713"
        },
        {
          "url": "https://git.kernel.org/stable/c/1693d1fade71646a0731b6b213298cb443d186ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/5066293b9b7046a906eff60e3949a887ae185a43"
        }
      ],
      "title": "vxlan: Fix uninit-value in vxlan_vnifilter_dump()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21716",
    "datePublished": "2025-02-27T02:07:26.779Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-05-04T07:19:35.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22134 (GCVE-0-2025-22134)

Vulnerability from cvelistv5

Published

2025-01-13 20:41

Modified

2025-03-14 10:03

Severity ?

4.2 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003

References

►

URL

Tags

	https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: < v9.1.1003

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-14T10:03:08.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/11/1"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250314-0004/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T16:14:58.107099Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T16:15:03.220Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c v9.1.1003"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won\u0027t try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T20:41:08.144Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8"
        },
        {
          "name": "https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead"
        }
      ],
      "source": {
        "advisory": "GHSA-5rgf-26wj-48v8",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow with visual mode in Vim \u003c 9.1.1003"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22134",
    "datePublished": "2025-01-13T20:41:08.144Z",
    "dateReserved": "2024-12-30T03:00:33.652Z",
    "dateUpdated": "2025-03-14T10:03:08.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21864 (GCVE-0-2025-21864)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.

References

►

URL

Tags

	https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491
	https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98
	https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656
	https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9
	https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd

Impacted products

Vendor

Product

Version

►

Linux

Version: 68822bdf76f10c3dc80609d4e2cdc1e847429086
Version: 68822bdf76f10c3dc80609d4e2cdc1e847429086
Version: 68822bdf76f10c3dc80609d4e2cdc1e847429086
Version: 68822bdf76f10c3dc80609d4e2cdc1e847429086
Version: 68822bdf76f10c3dc80609d4e2cdc1e847429086

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/tcp.h",
            "net/ipv4/tcp_fastopen.c",
            "net/ipv4/tcp_input.c",
            "net/ipv4/tcp_ipv4.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "87858bbf21da239ace300d61dd209907995c0491",
              "status": "affected",
              "version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
              "versionType": "git"
            },
            {
              "lessThan": "f1d5e6a5e468308af7759cf5276779d3155c5e98",
              "status": "affected",
              "version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
              "versionType": "git"
            },
            {
              "lessThan": "cd34a07f744451e2ecf9005bb7d24d0b2fb83656",
              "status": "affected",
              "version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
              "versionType": "git"
            },
            {
              "lessThan": "69cafd9413084cd5012cf5d7c7ec6f3d493726d9",
              "status": "affected",
              "version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
              "versionType": "git"
            },
            {
              "lessThan": "9b6412e6979f6f9e0632075f8f008937b5cd4efd",
              "status": "affected",
              "version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/tcp.h",
            "net/ipv4/tcp_fastopen.c",
            "net/ipv4/tcp_input.c",
            "net/ipv4/tcp_ipv4.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free\u0027d by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU\u0027s\ndefer_list), and don\u0027t flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don\u0027t\nexpect at this point.\n\nWe already drop the skb\u0027s dst in the TCP receive path when it\u0027s no\nlonger needed, so let\u0027s also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:47.376Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656"
        },
        {
          "url": "https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd"
        }
      ],
      "title": "tcp: drop secpath at the same time as we currently drop dst",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21864",
    "datePublished": "2025-03-12T09:42:21.223Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:47.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21782 (GCVE-0-2025-21782)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch.

References

►

URL

Tags

	https://git.kernel.org/stable/c/18b7f841109f697840fe8633cf7ed7d32bd3f91b
	https://git.kernel.org/stable/c/09d472a18c0ee1d5b83612cb919e33a1610fea16
	https://git.kernel.org/stable/c/8725882b0f691f8113b230aea9df0256030a63a6
	https://git.kernel.org/stable/c/1da2697307dad281dd690a19441b5ca4af92d786
	https://git.kernel.org/stable/c/2b84a231910cef2e0a16d29294afabfb69112087
	https://git.kernel.org/stable/c/897f496b946fdcfab5983c983e4b513ab6682364
	https://git.kernel.org/stable/c/1c5244299241cf49d8ae7b5054e299cc8faa4e09
	https://git.kernel.org/stable/c/f7c848431632598ff9bce57a659db6af60d75b39

Impacted products

Vendor

Product

Version

►

Linux

Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/orangefs/orangefs-debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18b7f841109f697840fe8633cf7ed7d32bd3f91b",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "09d472a18c0ee1d5b83612cb919e33a1610fea16",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "8725882b0f691f8113b230aea9df0256030a63a6",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "1da2697307dad281dd690a19441b5ca4af92d786",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "2b84a231910cef2e0a16d29294afabfb69112087",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "897f496b946fdcfab5983c983e4b513ab6682364",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "1c5244299241cf49d8ae7b5054e299cc8faa4e09",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            },
            {
              "lessThan": "f7c848431632598ff9bce57a659db6af60d75b39",
              "status": "affected",
              "version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/orangefs/orangefs-debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix a oob in orangefs_debug_write\n\nI got a syzbot report: slab-out-of-bounds Read in\norangefs_debug_write... several people suggested fixes,\nI tested Al Viro\u0027s suggestion and made this patch."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:08.925Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18b7f841109f697840fe8633cf7ed7d32bd3f91b"
        },
        {
          "url": "https://git.kernel.org/stable/c/09d472a18c0ee1d5b83612cb919e33a1610fea16"
        },
        {
          "url": "https://git.kernel.org/stable/c/8725882b0f691f8113b230aea9df0256030a63a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/1da2697307dad281dd690a19441b5ca4af92d786"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b84a231910cef2e0a16d29294afabfb69112087"
        },
        {
          "url": "https://git.kernel.org/stable/c/897f496b946fdcfab5983c983e4b513ab6682364"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c5244299241cf49d8ae7b5054e299cc8faa4e09"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7c848431632598ff9bce57a659db6af60d75b39"
        }
      ],
      "title": "orangefs: fix a oob in orangefs_debug_write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21782",
    "datePublished": "2025-02-27T02:18:24.506Z",
    "dateReserved": "2024-12-29T08:45:45.764Z",
    "dateUpdated": "2025-05-04T07:21:08.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21821 (GCVE-0-2025-21821)

Vulnerability from cvelistv5

Published

2025-02-27 20:06

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: omap: use threaded IRQ for LCD DMA When using touchscreen and framebuffer, Nokia 770 crashes easily with: BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000 Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2 Hardware name: Nokia 770 Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x54/0x5c dump_stack_lvl from __schedule_bug+0x50/0x70 __schedule_bug from __schedule+0x4d4/0x5bc __schedule from schedule+0x34/0xa0 schedule from schedule_preempt_disabled+0xc/0x10 schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4 __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4 clk_prepare_lock from clk_set_rate+0x18/0x154 clk_set_rate from sossi_read_data+0x4c/0x168 sossi_read_data from hwa742_read_reg+0x5c/0x8c hwa742_read_reg from send_frame_handler+0xfc/0x300 send_frame_handler from process_pending_requests+0x74/0xd0 process_pending_requests from lcd_dma_irq_handler+0x50/0x74 lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130 __handle_irq_event_percpu from handle_irq_event+0x28/0x68 handle_irq_event from handle_level_irq+0x9c/0x170 handle_level_irq from generic_handle_domain_irq+0x2c/0x3c generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c generic_handle_arch_irq from call_with_stack+0x1c/0x24 call_with_stack from __irq_svc+0x94/0xa8 Exception stack(0xc5255da0 to 0xc5255de8) 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94 5de0: 60000013 ffffffff __irq_svc from clk_prepare_lock+0x4c/0xe4 clk_prepare_lock from clk_get_rate+0x10/0x74 clk_get_rate from uwire_setup_transfer+0x40/0x180 uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664 spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498 __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8 __spi_sync from spi_sync+0x24/0x40 spi_sync from ads7846_halfd_read_state+0x5c/0x1c0 ads7846_halfd_read_state from ads7846_irq+0x58/0x348 ads7846_irq from irq_thread_fn+0x1c/0x78 irq_thread_fn from irq_thread+0x120/0x228 irq_thread from kthread+0xc8/0xe8 kthread from ret_from_fork+0x14/0x28 As a quick fix, switch to a threaded IRQ which provides a stable system.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7bbbd311dd503653a2cc86d9226740883051dc92
	https://git.kernel.org/stable/c/fb6a5edb60921887d7d10619fcdcbee9759552cb
	https://git.kernel.org/stable/c/aa8e22cbedeb626f2a6bda0aea362353d627cd0a
	https://git.kernel.org/stable/c/8392ea100f0b86c234c739c6662f39f0ccc0cefd
	https://git.kernel.org/stable/c/e4b6b665df815b4841e71b72f06446884e8aad40

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/omap/lcd_dma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bbbd311dd503653a2cc86d9226740883051dc92",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fb6a5edb60921887d7d10619fcdcbee9759552cb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aa8e22cbedeb626f2a6bda0aea362353d627cd0a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8392ea100f0b86c234c739c6662f39f0ccc0cefd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e4b6b665df815b4841e71b72f06446884e8aad40",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/omap/lcd_dma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omap: use threaded IRQ for LCD DMA\n\nWhen using touchscreen and framebuffer, Nokia 770 crashes easily with:\n\n    BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000\n    Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd\n    CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2\n    Hardware name: Nokia 770\n    Call trace:\n     unwind_backtrace from show_stack+0x10/0x14\n     show_stack from dump_stack_lvl+0x54/0x5c\n     dump_stack_lvl from __schedule_bug+0x50/0x70\n     __schedule_bug from __schedule+0x4d4/0x5bc\n     __schedule from schedule+0x34/0xa0\n     schedule from schedule_preempt_disabled+0xc/0x10\n     schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4\n     __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4\n     clk_prepare_lock from clk_set_rate+0x18/0x154\n     clk_set_rate from sossi_read_data+0x4c/0x168\n     sossi_read_data from hwa742_read_reg+0x5c/0x8c\n     hwa742_read_reg from send_frame_handler+0xfc/0x300\n     send_frame_handler from process_pending_requests+0x74/0xd0\n     process_pending_requests from lcd_dma_irq_handler+0x50/0x74\n     lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130\n     __handle_irq_event_percpu from handle_irq_event+0x28/0x68\n     handle_irq_event from handle_level_irq+0x9c/0x170\n     handle_level_irq from generic_handle_domain_irq+0x2c/0x3c\n     generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c\n     omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c\n     generic_handle_arch_irq from call_with_stack+0x1c/0x24\n     call_with_stack from __irq_svc+0x94/0xa8\n    Exception stack(0xc5255da0 to 0xc5255de8)\n    5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248\n    5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94\n    5de0: 60000013 ffffffff\n     __irq_svc from clk_prepare_lock+0x4c/0xe4\n     clk_prepare_lock from clk_get_rate+0x10/0x74\n     clk_get_rate from uwire_setup_transfer+0x40/0x180\n     uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c\n     spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664\n     spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498\n     __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8\n     __spi_sync from spi_sync+0x24/0x40\n     spi_sync from ads7846_halfd_read_state+0x5c/0x1c0\n     ads7846_halfd_read_state from ads7846_irq+0x58/0x348\n     ads7846_irq from irq_thread_fn+0x1c/0x78\n     irq_thread_fn from irq_thread+0x120/0x228\n     irq_thread from kthread+0xc8/0xe8\n     kthread from ret_from_fork+0x14/0x28\n\nAs a quick fix, switch to a threaded IRQ which provides a stable system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:52.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bbbd311dd503653a2cc86d9226740883051dc92"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb6a5edb60921887d7d10619fcdcbee9759552cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa8e22cbedeb626f2a6bda0aea362353d627cd0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8392ea100f0b86c234c739c6662f39f0ccc0cefd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b6b665df815b4841e71b72f06446884e8aad40"
        }
      ],
      "title": "fbdev: omap: use threaded IRQ for LCD DMA",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21821",
    "datePublished": "2025-02-27T20:06:12.722Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:52.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47794 (GCVE-0-2024-47794)

Vulnerability from cvelistv5

Published

2025-01-11 12:25

Modified

2025-05-04 09:39

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent tailcall infinite loop caused by freplace There is a potential infinite loop issue that can occur when using a combination of tail calls and freplace. In an upcoming selftest, the attach target for entry_freplace of tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in entry_freplace leads to entry_tc. This results in an infinite loop: entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc. The problem arises because the tail_call_cnt in entry_freplace resets to zero each time entry_freplace is executed, causing the tail call mechanism to never terminate, eventually leading to a kernel panic. To fix this issue, the solution is twofold: 1. Prevent updating a program extended by an freplace program to a prog_array map. 2. Prevent extending a program that is already part of a prog_array map with an freplace program. This ensures that: * If a program or its subprogram has been extended by an freplace program, it can no longer be updated to a prog_array map. * If a program has been added to a prog_array map, neither it nor its subprograms can be extended by an freplace program. Moreover, an extension program should not be tailcalled. As such, return -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a prog_array map. Additionally, fix a minor code style issue by replacing eight spaces with a tab for proper formatting.

References

►

URL

Tags

	https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d
	https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/arraymap.c",
            "kernel/bpf/core.c",
            "kernel/bpf/syscall.c",
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "987aa730bad3e1ef66d9f30182294daa78f6387d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d6083f040d5d8f8d748462c77e90547097df936e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/arraymap.c",
            "kernel/bpf/core.c",
            "kernel/bpf/syscall.c",
            "kernel/bpf/trampoline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tailcall infinite loop caused by freplace\n\nThere is a potential infinite loop issue that can occur when using a\ncombination of tail calls and freplace.\n\nIn an upcoming selftest, the attach target for entry_freplace of\ntailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in\nentry_freplace leads to entry_tc. This results in an infinite loop:\n\nentry_tc -\u003e subprog_tc -\u003e entry_freplace --tailcall-\u003e entry_tc.\n\nThe problem arises because the tail_call_cnt in entry_freplace resets to\nzero each time entry_freplace is executed, causing the tail call mechanism\nto never terminate, eventually leading to a kernel panic.\n\nTo fix this issue, the solution is twofold:\n\n1. Prevent updating a program extended by an freplace program to a\n   prog_array map.\n2. Prevent extending a program that is already part of a prog_array map\n   with an freplace program.\n\nThis ensures that:\n\n* If a program or its subprogram has been extended by an freplace program,\n  it can no longer be updated to a prog_array map.\n* If a program has been added to a prog_array map, neither it nor its\n  subprograms can be extended by an freplace program.\n\nMoreover, an extension program should not be tailcalled. As such, return\n-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a\nprog_array map.\n\nAdditionally, fix a minor code style issue by replacing eight spaces with a\ntab for proper formatting."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:39:14.985Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e"
        }
      ],
      "title": "bpf: Prevent tailcall infinite loop caused by freplace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47794",
    "datePublished": "2025-01-11T12:25:14.419Z",
    "dateReserved": "2025-01-09T09:49:29.737Z",
    "dateUpdated": "2025-05-04T09:39:14.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58085 (GCVE-0-2024-58085)

Vulnerability from cvelistv5

Published

2025-03-06 16:22

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tomoyo: don't emit warning in tomoyo_write_control() syzbot is reporting too large allocation warning at tomoyo_write_control(), for one can write a very very long line without new line character. To fix this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE, for practically a valid line should be always shorter than 32KB where the "too small to fail" memory-allocation rule applies. One might try to write a valid line that is longer than 32KB, but such request will likely fail with -ENOMEM. Therefore, I feel that separately returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant. There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE.

References

►

URL

Tags

	https://git.kernel.org/stable/c/c67efabddc73171c7771d3ffe4ffa1e503ee533e
	https://git.kernel.org/stable/c/f6b37b3e12de638753bce79a2858070b9c4a4ad3
	https://git.kernel.org/stable/c/b2bd5857a0d6973ebbcb4d9831ddcaebbd257be1
	https://git.kernel.org/stable/c/a01c200fa7eb59da4d2dbbb48b61f4a0d196c09f
	https://git.kernel.org/stable/c/fe1c021eb03dae0dc9dce55e81f77a60e419a27a
	https://git.kernel.org/stable/c/c9382f380e8d09209b8e5c0def0545852168be25
	https://git.kernel.org/stable/c/414705c0303350d139b1dc18f329fe47dfb642dd
	https://git.kernel.org/stable/c/3df7546fc03b8f004eee0b9e3256369f7d096685

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/tomoyo/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c67efabddc73171c7771d3ffe4ffa1e503ee533e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f6b37b3e12de638753bce79a2858070b9c4a4ad3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b2bd5857a0d6973ebbcb4d9831ddcaebbd257be1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a01c200fa7eb59da4d2dbbb48b61f4a0d196c09f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe1c021eb03dae0dc9dce55e81f77a60e419a27a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9382f380e8d09209b8e5c0def0545852168be25",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "414705c0303350d139b1dc18f329fe47dfb642dd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3df7546fc03b8f004eee0b9e3256369f7d096685",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/tomoyo/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: don\u0027t emit warning in tomoyo_write_control()\n\nsyzbot is reporting too large allocation warning at tomoyo_write_control(),\nfor one can write a very very long line without new line character. To fix\nthis warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,\nfor practically a valid line should be always shorter than 32KB where the\n\"too small to fail\" memory-allocation rule applies.\n\nOne might try to write a valid line that is longer than 32KB, but such\nrequest will likely fail with -ENOMEM. Therefore, I feel that separately\nreturning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.\nThere is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:44.077Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c67efabddc73171c7771d3ffe4ffa1e503ee533e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6b37b3e12de638753bce79a2858070b9c4a4ad3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2bd5857a0d6973ebbcb4d9831ddcaebbd257be1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a01c200fa7eb59da4d2dbbb48b61f4a0d196c09f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe1c021eb03dae0dc9dce55e81f77a60e419a27a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9382f380e8d09209b8e5c0def0545852168be25"
        },
        {
          "url": "https://git.kernel.org/stable/c/414705c0303350d139b1dc18f329fe47dfb642dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/3df7546fc03b8f004eee0b9e3256369f7d096685"
        }
      ],
      "title": "tomoyo: don\u0027t emit warning in tomoyo_write_control()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58085",
    "datePublished": "2025-03-06T16:22:32.761Z",
    "dateReserved": "2025-03-06T15:52:09.184Z",
    "dateUpdated": "2025-05-04T10:09:44.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21638 (GCVE-0-2025-21638)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure.

References

►

URL

Tags

	https://git.kernel.org/stable/c/cf387cdebfaebae228dfba162f94c567a67610c3
	https://git.kernel.org/stable/c/dc583e7e5f8515ca489c0df28e4362a70eade382
	https://git.kernel.org/stable/c/bd2a2939423566c654545fa3e96a656662a0af9e
	https://git.kernel.org/stable/c/1b67030d39f2b00f94ac1f0af11ba6657589e4d3
	https://git.kernel.org/stable/c/7ec30c54f339c640aa7e49d7e9f7bbed6bd42bf6
	https://git.kernel.org/stable/c/c184bc621e3cef03ac9ba81a50dda2dae6a21d36
	https://git.kernel.org/stable/c/15649fd5415eda664ef35780c2013adeb5d9c695

Impacted products

Vendor

Product

Version

►

Linux

Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: b14878ccb7fac0242db82720b784ab62c467c0dc
Version: e5eae4a0511241959498b180fa0df0d4f1b11b9c
Version: 88830f227a1f96e44d82ddfcb0cc81d517ec6dd8
Version: 3938b0336a93fa5faa242dc9e5823ac69df9e066

Linux

Version: 3.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf387cdebfaebae228dfba162f94c567a67610c3",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "dc583e7e5f8515ca489c0df28e4362a70eade382",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "bd2a2939423566c654545fa3e96a656662a0af9e",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "1b67030d39f2b00f94ac1f0af11ba6657589e4d3",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "7ec30c54f339c640aa7e49d7e9f7bbed6bd42bf6",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "c184bc621e3cef03ac9ba81a50dda2dae6a21d36",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "lessThan": "15649fd5415eda664ef35780c2013adeb5d9c695",
              "status": "affected",
              "version": "b14878ccb7fac0242db82720b784ab62c467c0dc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e5eae4a0511241959498b180fa0df0d4f1b11b9c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "88830f227a1f96e44d82ddfcb0cc81d517ec6dd8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3938b0336a93fa5faa242dc9e5823ac69df9e066",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.41",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: auth_enable: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, but that would\nincrease the size of this fix, while \u0027sctp.ctl_sock\u0027 still needs to be\nretrieved from \u0027net\u0027 structure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:00.778Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf387cdebfaebae228dfba162f94c567a67610c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc583e7e5f8515ca489c0df28e4362a70eade382"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd2a2939423566c654545fa3e96a656662a0af9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b67030d39f2b00f94ac1f0af11ba6657589e4d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ec30c54f339c640aa7e49d7e9f7bbed6bd42bf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c184bc621e3cef03ac9ba81a50dda2dae6a21d36"
        },
        {
          "url": "https://git.kernel.org/stable/c/15649fd5415eda664ef35780c2013adeb5d9c695"
        }
      ],
      "title": "sctp: sysctl: auth_enable: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21638",
    "datePublished": "2025-01-19T10:17:56.084Z",
    "dateReserved": "2024-12-29T08:45:45.727Z",
    "dateUpdated": "2025-05-04T13:06:00.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21724 (GCVE-0-2025-21724)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.

References

►

URL

Tags

	https://git.kernel.org/stable/c/44d9c94b7a3f29a3e07c4753603a35e9b28842a3
	https://git.kernel.org/stable/c/38ac76fc06bc6826a3e4b12a98efbe98432380a9
	https://git.kernel.org/stable/c/d5d33f01b86af44b23eea61ee309e4ef22c0cdfe
	https://git.kernel.org/stable/c/b1f8453b8ff1ab79a03820ef608256c499769cb6
	https://git.kernel.org/stable/c/e24c1551059268b37f6f40639883eafb281b8b9c

Impacted products

Vendor

Product

Version

►

Linux

Version: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1
Version: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1
Version: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1
Version: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1
Version: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/iova_bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "44d9c94b7a3f29a3e07c4753603a35e9b28842a3",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "38ac76fc06bc6826a3e4b12a98efbe98432380a9",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "d5d33f01b86af44b23eea61ee309e4ef22c0cdfe",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "b1f8453b8ff1ab79a03820ef608256c499769cb6",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "e24c1551059268b37f6f40639883eafb281b8b9c",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/iova_bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()\n\nResolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()\nwhere shifting the constant \"1\" (of type int) by bitmap-\u003emapped.pgshift\n(an unsigned long value) could result in undefined behavior.\n\nThe constant \"1\" defaults to a 32-bit \"int\", and when \"pgshift\" exceeds\n31 (e.g., pgshift = 63) the shift operation overflows, as the result\ncannot be represented in a 32-bit type.\n\nTo resolve this, the constant is updated to \"1UL\", promoting it to an\nunsigned long type to match the operand\u0027s type."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:48.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/44d9c94b7a3f29a3e07c4753603a35e9b28842a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/38ac76fc06bc6826a3e4b12a98efbe98432380a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5d33f01b86af44b23eea61ee309e4ef22c0cdfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1f8453b8ff1ab79a03820ef608256c499769cb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e24c1551059268b37f6f40639883eafb281b8b9c"
        }
      ],
      "title": "iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21724",
    "datePublished": "2025-02-27T02:07:31.630Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T07:19:48.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21795 (GCVE-0-2025-21795)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state.

References

►

URL

Tags

	https://git.kernel.org/stable/c/abed68027ea3ab893ac85cc46a00e2e64a324239
	https://git.kernel.org/stable/c/efa8a261c575f816c7e79a87aeb3ef8a0bd6b221
	https://git.kernel.org/stable/c/38d345f612503b850c2973e5a879f88e441b34d7
	https://git.kernel.org/stable/c/23ad7797c74cd8f7f90617f1e59a8703e2b43908
	https://git.kernel.org/stable/c/cedfbb92cf97a6bff3d25633001d9c44442ee854
	https://git.kernel.org/stable/c/e88d2451cd42e025465d6b51fd716a47b0b3800d
	https://git.kernel.org/stable/c/036ac2778f7b28885814c6fbc07e156ad1624d03

Impacted products

Vendor

Product

Version

►

Linux

Version: 67ef9e5fd737eab2495f2586df7e9ea30caa1b77
Version: 26540b8940a2e21582afa61a6fb8af87310bac72
Version: 66af25799940b26efd41ea6e648f75c41a48a2c2
Version: 66af25799940b26efd41ea6e648f75c41a48a2c2
Version: 66af25799940b26efd41ea6e648f75c41a48a2c2
Version: 66af25799940b26efd41ea6e648f75c41a48a2c2
Version: 66af25799940b26efd41ea6e648f75c41a48a2c2

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4callback.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abed68027ea3ab893ac85cc46a00e2e64a324239",
              "status": "affected",
              "version": "67ef9e5fd737eab2495f2586df7e9ea30caa1b77",
              "versionType": "git"
            },
            {
              "lessThan": "efa8a261c575f816c7e79a87aeb3ef8a0bd6b221",
              "status": "affected",
              "version": "26540b8940a2e21582afa61a6fb8af87310bac72",
              "versionType": "git"
            },
            {
              "lessThan": "38d345f612503b850c2973e5a879f88e441b34d7",
              "status": "affected",
              "version": "66af25799940b26efd41ea6e648f75c41a48a2c2",
              "versionType": "git"
            },
            {
              "lessThan": "23ad7797c74cd8f7f90617f1e59a8703e2b43908",
              "status": "affected",
              "version": "66af25799940b26efd41ea6e648f75c41a48a2c2",
              "versionType": "git"
            },
            {
              "lessThan": "cedfbb92cf97a6bff3d25633001d9c44442ee854",
              "status": "affected",
              "version": "66af25799940b26efd41ea6e648f75c41a48a2c2",
              "versionType": "git"
            },
            {
              "lessThan": "e88d2451cd42e025465d6b51fd716a47b0b3800d",
              "status": "affected",
              "version": "66af25799940b26efd41ea6e648f75c41a48a2c2",
              "versionType": "git"
            },
            {
              "lessThan": "036ac2778f7b28885814c6fbc07e156ad1624d03",
              "status": "affected",
              "version": "66af25799940b26efd41ea6e648f75c41a48a2c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4callback.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.220",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.154",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix hang in nfsd4_shutdown_callback\n\nIf nfs4_client is in courtesy state then there is no point to send\nthe callback. This causes nfsd4_shutdown_callback to hang since\ncl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP\nnotifies NFSD that the connection was dropped.\n\nThis patch modifies nfsd4_run_cb_work to skip the RPC call if\nnfs4_client is in courtesy state."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:23.769Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abed68027ea3ab893ac85cc46a00e2e64a324239"
        },
        {
          "url": "https://git.kernel.org/stable/c/efa8a261c575f816c7e79a87aeb3ef8a0bd6b221"
        },
        {
          "url": "https://git.kernel.org/stable/c/38d345f612503b850c2973e5a879f88e441b34d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/23ad7797c74cd8f7f90617f1e59a8703e2b43908"
        },
        {
          "url": "https://git.kernel.org/stable/c/cedfbb92cf97a6bff3d25633001d9c44442ee854"
        },
        {
          "url": "https://git.kernel.org/stable/c/e88d2451cd42e025465d6b51fd716a47b0b3800d"
        },
        {
          "url": "https://git.kernel.org/stable/c/036ac2778f7b28885814c6fbc07e156ad1624d03"
        }
      ],
      "title": "NFSD: fix hang in nfsd4_shutdown_callback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21795",
    "datePublished": "2025-02-27T02:18:31.538Z",
    "dateReserved": "2024-12-29T08:45:45.767Z",
    "dateUpdated": "2025-05-04T07:21:23.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-24928 (GCVE-0-2025-24928)

Vulnerability from cvelistv5

Published

2025-02-18 00:00

Modified

2025-07-23 03:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-121 - Stack-based Buffer Overflow

Summary

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

References

►

URL

Tags

	https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
	https://issues.oss-fuzz.com/issues/392687022

Impacted products

	Vendor	Product	Version
	xmlsoft	libxml2	Version: 0 ≤ Version: 2.13.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24928",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-23T03:55:31.090Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-21T18:03:53.384Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250321-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.12.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.13.6",
              "status": "affected",
              "version": "2.13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.6",
                  "versionStartIncluding": "2.13.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T22:20:43.285Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/847"
        },
        {
          "url": "https://issues.oss-fuzz.com/issues/392687022"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-24928",
    "datePublished": "2025-02-18T00:00:00.000Z",
    "dateReserved": "2025-01-28T00:00:00.000Z",
    "dateUpdated": "2025-07-23T03:55:31.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57889 (GCVE-0-2024-57889)

Vulnerability from cvelistv5

Published

2025-01-15 13:05

Modified

2025-05-04 10:05

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above.

References

►

URL

Tags

	https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318
	https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0
	https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785
	https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb
	https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec
	https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61
	https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693

Impacted products

Vendor

Product

Version

►

Linux

Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a
Version: 8f38910ba4f662222157ce07a0d5becc4328c46a

Linux

Version: 4.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-mcp23s08.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "788d9e9a41b81893d6bb8faa05f045c975278318",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "c55d186376a87b468c9ee30f2195e0f3857f61a0",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "9372e160d8211a7e17f2abff8370794f182df785",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "0310cbad163a908d09d99c26827859365cd71fcb",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "830f838589522404cd7c2f0f540602f25034af61",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            },
            {
              "lessThan": "a37eecb705f33726f1fb7cd2a67e514a15dfe693",
              "status": "affected",
              "version": "8f38910ba4f662222157ce07a0d5becc4328c46a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/pinctrl-mcp23s08.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking\n\nIf a device uses MCP23xxx IO expander to receive IRQs, the following\nbug can happen:\n\n  BUG: sleeping function called from invalid context\n    at kernel/locking/mutex.c:283\n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...\n  preempt_count: 1, expected: 0\n  ...\n  Call Trace:\n  ...\n  __might_resched+0x104/0x10e\n  __might_sleep+0x3e/0x62\n  mutex_lock+0x20/0x4c\n  regmap_lock_mutex+0x10/0x18\n  regmap_update_bits_base+0x2c/0x66\n  mcp23s08_irq_set_type+0x1ae/0x1d6\n  __irq_set_trigger+0x56/0x172\n  __setup_irq+0x1e6/0x646\n  request_threaded_irq+0xb6/0x160\n  ...\n\nWe observed the problem while experimenting with a touchscreen driver which\nused MCP23017 IO expander (I2C).\n\nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from\nconcurrent accesses, which is the default for regmaps without .fast_io,\n.disable_locking, etc.\n\nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter\nlocks the mutex.\n\nHowever, __setup_irq() locks desc-\u003elock spinlock before calling these\nfunctions. As a result, the system tries to lock the mutex whole holding\nthe spinlock.\n\nIt seems, the internal regmap locks are not needed in this driver at all.\nmcp-\u003elock seems to protect the regmap from concurrent accesses already,\nexcept, probably, in mcp_pinconf_get/set.\n\nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under\nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes\nmcp-\u003elock and enables regmap caching, so that the potentially slow I2C\naccesses are deferred until chip_bus_unlock().\n\nThe accesses to the regmap from mcp23s08_probe_one() do not need additional\nlocking.\n\nIn all remaining places where the regmap is accessed, except\nmcp_pinconf_get/set(), the driver already takes mcp-\u003elock.\n\nThis patch adds locking in mcp_pinconf_get/set() and disables internal\nlocking in the regmap config. Among other things, it fixes the sleeping\nin atomic context described above."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:57.500Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/788d9e9a41b81893d6bb8faa05f045c975278318"
        },
        {
          "url": "https://git.kernel.org/stable/c/c55d186376a87b468c9ee30f2195e0f3857f61a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9372e160d8211a7e17f2abff8370794f182df785"
        },
        {
          "url": "https://git.kernel.org/stable/c/0310cbad163a908d09d99c26827859365cd71fcb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/830f838589522404cd7c2f0f540602f25034af61"
        },
        {
          "url": "https://git.kernel.org/stable/c/a37eecb705f33726f1fb7cd2a67e514a15dfe693"
        }
      ],
      "title": "pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57889",
    "datePublished": "2025-01-15T13:05:41.769Z",
    "dateReserved": "2025-01-11T14:45:42.027Z",
    "dateUpdated": "2025-05-04T10:05:57.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22228 (GCVE-0-2025-22228)

Vulnerability from cvelistv5

Published

2025-03-20 05:49

Modified

2025-04-25 23:03

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

References

►

URL

Tags

https://spring.io/security/cve-2025-22228

Impacted products

	Vendor	Product	Version
	Spring	Spring Security	Version: 5.7.x Version: 5.8.x Version: 6.0.x Version: 6.1.x Version: 6.2.x Version: 6.3.x Version: 6.4.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22228",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-21T03:55:17.357088Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-21T16:09:31.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-25T23:03:00.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250425-0009/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "Spring Security",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.16",
              "status": "affected",
              "version": "5.7.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "5.8.18",
              "status": "affected",
              "version": "5.8.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.0.16",
              "status": "affected",
              "version": "6.0.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.1.14",
              "status": "affected",
              "version": "6.1.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.2.10",
              "status": "affected",
              "version": "6.2.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.3.8",
              "status": "affected",
              "version": "6.3.x",
              "versionType": "OSS"
            },
            {
              "lessThan": "6.4.4",
              "status": "affected",
              "version": "6.4.x",
              "versionType": "OSS"
            }
          ]
        }
      ],
      "datePublic": "2025-03-19T08:44:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ccode\u003eBCryptPasswordEncoder.matches(CharSequence,String)\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;will incorrectly return \u003c/span\u003e\u003ccode\u003etrue\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;for passwords larger than 72 characters as long as the first 72 characters are the same.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T05:49:19.275Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2025-22228",
    "datePublished": "2025-03-20T05:49:19.275Z",
    "dateReserved": "2025-01-02T04:29:59.191Z",
    "dateUpdated": "2025-04-25T23:03:00.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21708 (GCVE-0-2025-21708)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> Modules linked in: CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733 __dev_open+0x2d4/0x4e0 net/core/dev.c:1474 __dev_change_flags+0x561/0x720 net/core/dev.c:8838 dev_change_flags+0x8f/0x160 net/core/dev.c:8910 devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177 inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003 sock_do_ioctl+0x116/0x280 net/socket.c:1222 sock_ioctl+0x22e/0x6c0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc04ef73d49 ... This change has not been tested on real hardware.

References

►

URL

Tags

	https://git.kernel.org/stable/c/431be4f78220d34ce21d67a6b843b7ca81bd82e9
	https://git.kernel.org/stable/c/8f78a2b9ed4cb1e62c60d0a8905d9a37bc18c20d
	https://git.kernel.org/stable/c/d42168f109f96b5d18812a789086015a435ee667
	https://git.kernel.org/stable/c/e10b392a7495a5dbbb25247e2c17d380d9899263
	https://git.kernel.org/stable/c/3c706829ceb6e347bd4ddfd17f1d3048acd69da2
	https://git.kernel.org/stable/c/f395b7efcee8df54309eb2d4a624ef13f5d88b66
	https://git.kernel.org/stable/c/c843515ad2be7349dd6b60e5fd299d0da0b8458b
	https://git.kernel.org/stable/c/90b7f2961798793275b4844348619b622f983907

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/rtl8150.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "431be4f78220d34ce21d67a6b843b7ca81bd82e9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8f78a2b9ed4cb1e62c60d0a8905d9a37bc18c20d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d42168f109f96b5d18812a789086015a435ee667",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e10b392a7495a5dbbb25247e2c17d380d9899263",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3c706829ceb6e347bd4ddfd17f1d3048acd69da2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f395b7efcee8df54309eb2d4a624ef13f5d88b66",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c843515ad2be7349dd6b60e5fd299d0da0b8458b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "90b7f2961798793275b4844348619b622f983907",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/rtl8150.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: enable basic endpoint checking\n\nSyzkaller reports [1] encountering a common issue of utilizing a wrong\nusb endpoint type during URB submitting stage. This, in turn, triggers\na warning shown below.\n\nFor now, enable simple endpoint checking (specifically, bulk and\ninterrupt eps, testing control one is not essential) to mitigate\nthe issue with a view to do other related cosmetic changes later,\nif they are necessary.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv\u003e\nModules linked in:\nCPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617\u003e\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nCode: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8\u003e\nRSP: 0018:ffffc9000441f740 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9\nRDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001\nRBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c\nFS:  00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733\n __dev_open+0x2d4/0x4e0 net/core/dev.c:1474\n __dev_change_flags+0x561/0x720 net/core/dev.c:8838\n dev_change_flags+0x8f/0x160 net/core/dev.c:8910\n devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177\n inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003\n sock_do_ioctl+0x116/0x280 net/socket.c:1222\n sock_ioctl+0x22e/0x6c0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fc04ef73d49\n...\n\nThis change has not been tested on real hardware."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:26.027Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/431be4f78220d34ce21d67a6b843b7ca81bd82e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f78a2b9ed4cb1e62c60d0a8905d9a37bc18c20d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d42168f109f96b5d18812a789086015a435ee667"
        },
        {
          "url": "https://git.kernel.org/stable/c/e10b392a7495a5dbbb25247e2c17d380d9899263"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c706829ceb6e347bd4ddfd17f1d3048acd69da2"
        },
        {
          "url": "https://git.kernel.org/stable/c/f395b7efcee8df54309eb2d4a624ef13f5d88b66"
        },
        {
          "url": "https://git.kernel.org/stable/c/c843515ad2be7349dd6b60e5fd299d0da0b8458b"
        },
        {
          "url": "https://git.kernel.org/stable/c/90b7f2961798793275b4844348619b622f983907"
        }
      ],
      "title": "net: usb: rtl8150: enable basic endpoint checking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21708",
    "datePublished": "2025-02-27T02:07:21.814Z",
    "dateReserved": "2024-12-29T08:45:45.752Z",
    "dateUpdated": "2025-05-04T07:19:26.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57834 (GCVE-0-2024-57834)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 10:05

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] If dvb->mux is not initialized successfully by vidtv_mux_init() in the vidtv_start_streaming(), it will trigger null pointer dereference about mux in vidtv_mux_stop_thread(). Adjust the timing of streaming initialization and check it before stopping it. [1] KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline] vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 get_signal+0x1d3/0x2610 kernel/signal.c:2790 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

►

URL

Tags

	https://git.kernel.org/stable/c/52d3512f9a7a52ef92864679b1e8e8aa16202c6a
	https://git.kernel.org/stable/c/59a707ad952eb2ea8d59457d662b6f4138f17b08
	https://git.kernel.org/stable/c/86307e443c5844f38e1b98e2c51a4195c55576cd
	https://git.kernel.org/stable/c/2c5601b99d79d196fe4a37159e3dfb38e778ea18
	https://git.kernel.org/stable/c/95432a37778c9c5dd105b7b9f19e9695c9e166cf
	https://git.kernel.org/stable/c/904a8323cc8afa7eb9ce3e67303a2b3f2f787306
	https://git.kernel.org/stable/c/1221989555db711578a327a9367f1be46500cb48

Impacted products

Vendor

Product

Version

►

Linux

Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905

Linux

Version: 5.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52d3512f9a7a52ef92864679b1e8e8aa16202c6a",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "59a707ad952eb2ea8d59457d662b6f4138f17b08",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "86307e443c5844f38e1b98e2c51a4195c55576cd",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "2c5601b99d79d196fe4a37159e3dfb38e778ea18",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "95432a37778c9c5dd105b7b9f19e9695c9e166cf",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "904a8323cc8afa7eb9ce3e67303a2b3f2f787306",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "1221989555db711578a327a9367f1be46500cb48",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread\n\nsyzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]\n\nIf dvb-\u003emux is not initialized successfully by vidtv_mux_init() in the\nvidtv_start_streaming(), it will trigger null pointer dereference about mux\nin vidtv_mux_stop_thread().\n\nAdjust the timing of streaming initialization and check it before\nstopping it.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\nCPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471\nCode: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8\nRSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125\nRDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128\nRBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188\nR13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710\nFS:  00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]\n vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252\n dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000\n dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486\n dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3f8/0xb60 fs/file_table.c:450\n task_work_run+0x14e/0x250 kernel/task_work.c:239\n get_signal+0x1d3/0x2610 kernel/signal.c:2790\n arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:18.306Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52d3512f9a7a52ef92864679b1e8e8aa16202c6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/59a707ad952eb2ea8d59457d662b6f4138f17b08"
        },
        {
          "url": "https://git.kernel.org/stable/c/86307e443c5844f38e1b98e2c51a4195c55576cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c5601b99d79d196fe4a37159e3dfb38e778ea18"
        },
        {
          "url": "https://git.kernel.org/stable/c/95432a37778c9c5dd105b7b9f19e9695c9e166cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/904a8323cc8afa7eb9ce3e67303a2b3f2f787306"
        },
        {
          "url": "https://git.kernel.org/stable/c/1221989555db711578a327a9367f1be46500cb48"
        }
      ],
      "title": "media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57834",
    "datePublished": "2025-02-27T02:18:09.085Z",
    "dateReserved": "2025-02-27T02:16:34.111Z",
    "dateUpdated": "2025-05-04T10:05:18.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45306 (GCVE-0-2024-45306)

Vulnerability from cvelistv5

Published

2024-09-02 16:35

Modified

2024-10-04 15:02

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.

References

►

URL

Tags

	https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/396fd1ec2956307755392a1	x_refsource_MISC
	https://github.com/vim/vim/releases/tag/v9.1.0038	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: >= 9.1.0038, < 9.1.0707

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45306",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T13:50:36.282509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T14:11:20.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-10-04T15:02:51.027Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241004-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.1.0038, \u003c 9.1.0707"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of\na line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at\nthe specified cursor position. It\u0027s not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That\u0027s why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-02T16:35:17.444Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr"
        },
        {
          "name": "https://github.com/vim/vim/commit/396fd1ec2956307755392a1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/396fd1ec2956307755392a1"
        },
        {
          "name": "https://github.com/vim/vim/releases/tag/v9.1.0038",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/releases/tag/v9.1.0038"
        }
      ],
      "source": {
        "advisory": "GHSA-wxf9-c5gx-qrwr",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow in Vim"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45306",
    "datePublished": "2024-09-02T16:35:17.444Z",
    "dateReserved": "2024-08-26T18:25:35.443Z",
    "dateUpdated": "2024-10-04T15:02:51.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58051 (GCVE-0-2024-58051)

Vulnerability from cvelistv5

Published

2025-03-06 15:53

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: Add check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1a8a17c5ce9cb5a82797602bff9819ac732d2ff5
	https://git.kernel.org/stable/c/caac520350546e736894d14e051b64a9edb3600c
	https://git.kernel.org/stable/c/eb288ab33fd87579789cb331209ff09e988ff4f7
	https://git.kernel.org/stable/c/312a6445036d692bc5665307eeafa4508c33c4b5
	https://git.kernel.org/stable/c/4c9caf86d04dcb10e9fd8cd9db8eb79b5bfcc4d8
	https://git.kernel.org/stable/c/e529fbcf1f35f5fc3c839df7f06c3e3d02579715
	https://git.kernel.org/stable/c/a63284d415d4d114abd8be6e66a9558f3ca0702d
	https://git.kernel.org/stable/c/2378bd0b264ad3a1f76bd957caf33ee0c7945351

Impacted products

Vendor

Product

Version

►

Linux

Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2
Version: 51bd6f291583684f495ea498984dfc22049d7fd2

Linux

Version: 5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmb_dev_int.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1a8a17c5ce9cb5a82797602bff9819ac732d2ff5",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "caac520350546e736894d14e051b64a9edb3600c",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "eb288ab33fd87579789cb331209ff09e988ff4f7",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "312a6445036d692bc5665307eeafa4508c33c4b5",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "4c9caf86d04dcb10e9fd8cd9db8eb79b5bfcc4d8",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "e529fbcf1f35f5fc3c839df7f06c3e3d02579715",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "a63284d415d4d114abd8be6e66a9558f3ca0702d",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            },
            {
              "lessThan": "2378bd0b264ad3a1f76bd957caf33ee0c7945351",
              "status": "affected",
              "version": "51bd6f291583684f495ea498984dfc22049d7fd2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmb_dev_int.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ipmb: Add check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this\nreturned value is not checked."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:44.123Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1a8a17c5ce9cb5a82797602bff9819ac732d2ff5"
        },
        {
          "url": "https://git.kernel.org/stable/c/caac520350546e736894d14e051b64a9edb3600c"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb288ab33fd87579789cb331209ff09e988ff4f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/312a6445036d692bc5665307eeafa4508c33c4b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c9caf86d04dcb10e9fd8cd9db8eb79b5bfcc4d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e529fbcf1f35f5fc3c839df7f06c3e3d02579715"
        },
        {
          "url": "https://git.kernel.org/stable/c/a63284d415d4d114abd8be6e66a9558f3ca0702d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2378bd0b264ad3a1f76bd957caf33ee0c7945351"
        }
      ],
      "title": "ipmi: ipmb: Add check devm_kasprintf() returned value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58051",
    "datePublished": "2025-03-06T15:53:56.175Z",
    "dateReserved": "2025-03-06T15:52:09.178Z",
    "dateUpdated": "2025-05-04T10:08:44.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21718 (GCVE-0-2025-21718)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ>

References

►

URL

Tags

	https://git.kernel.org/stable/c/52f5aff33ca73b2c2fa93f40a3de308012e63cf4
	https://git.kernel.org/stable/c/0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1
	https://git.kernel.org/stable/c/1409b45d4690308c502c6caf22f01c3c205b4717
	https://git.kernel.org/stable/c/f55c88e3ca5939a6a8a329024aed8f3d98eea8e4
	https://git.kernel.org/stable/c/51c128ba038cf1b79d605cbee325919b45ab95a5
	https://git.kernel.org/stable/c/1992fb261c90e9827cf5dc3115d89bb0853252c9
	https://git.kernel.org/stable/c/58051a284ac18a3bb815aac6289a679903ddcc3f
	https://git.kernel.org/stable/c/5de7665e0a0746b5ad7943554b34db8f8614a196

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52f5aff33ca73b2c2fa93f40a3de308012e63cf4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1409b45d4690308c502c6caf22f01c3c205b4717",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f55c88e3ca5939a6a8a329024aed8f3d98eea8e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "51c128ba038cf1b79d605cbee325919b45ab95a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1992fb261c90e9827cf5dc3115d89bb0853252c9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "58051a284ac18a3bb815aac6289a679903ddcc3f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5de7665e0a0746b5ad7943554b34db8f8614a196",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRose timers only acquire the socket spinlock, without\nchecking if the socket is owned by one user thread.\n\nAdd a check and rearm the timers if needed.\n\nBUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\nRead of size 2 at addr ffff88802f09b82a by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\n  call_timer_fn+0x187/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430\n  run_timer_base kernel/time/timer.c:2439 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449\n  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049\n \u003c/IRQ\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:42.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52f5aff33ca73b2c2fa93f40a3de308012e63cf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1409b45d4690308c502c6caf22f01c3c205b4717"
        },
        {
          "url": "https://git.kernel.org/stable/c/f55c88e3ca5939a6a8a329024aed8f3d98eea8e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/51c128ba038cf1b79d605cbee325919b45ab95a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1992fb261c90e9827cf5dc3115d89bb0853252c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/58051a284ac18a3bb815aac6289a679903ddcc3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5de7665e0a0746b5ad7943554b34db8f8614a196"
        }
      ],
      "title": "net: rose: fix timer races against user threads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21718",
    "datePublished": "2025-02-27T02:07:27.971Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-05-04T07:19:42.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21862 (GCVE-0-2025-21862)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x119/0x179 lib/dump_stack.c:118 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 reset_per_cpu_data+0xe6/0x240 [drop_monitor] net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:651 [inline] __sock_sendmsg+0x157/0x190 net/socket.c:663 ____sys_sendmsg+0x712/0x870 net/socket.c:2378 ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized. To fix this, let's place resource initialization above the registration of a generic netlink family. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

References

►

URL

Tags

	https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182
	https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8
	https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4
	https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c
	https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282
	https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a
	https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58
	https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea

Impacted products

Vendor

Product

Version

►

Linux

Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72

Linux

Version: 2.6.30

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e9e0f224ffd8b819da3ea247dda404795fdd182",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "29f9cdcab3d96d5207a5c92b52c40ad75e5915d8",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "872c7c7e57a746046796ddfead529c9d37b9f6b4",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "fcfc00bfec7bb6661074cb21356d05a4c9470a3c",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "b7859e8643e75619b2705b4fcac93ffd94d72b4a",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "219a47d0e6195bd202f22855e35f25bd15bc4d58",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: \u003cnone\u003e/-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let\u0027s place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:45.225Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182"
        },
        {
          "url": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58"
        },
        {
          "url": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea"
        }
      ],
      "title": "drop_monitor: fix incorrect initialization order",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21862",
    "datePublished": "2025-03-12T09:42:19.881Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:45.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21772 (GCVE-0-2025-21772)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp().

References

►

URL

Tags

	https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124
	https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625
	https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f
	https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5
	https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b
	https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f
	https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27
	https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3e77da9f843e4ab93917d30c314f0283e28c124",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "213ba5bd81b7e97ac6e6190b8f3bc6ba76123625",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "40a35d14f3c0dc72b689061ec72fc9b193f37d1f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "27a39d006f85e869be68c1d5d2ce05e5d6445bf5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "92527100be38ede924768f4277450dfe8a40e16b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6578717ebca91678131d2b1f4ba4258e60536e9f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fa9706722882f634090bfc9af642bf9ed719e27",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "80e648042e512d5a767da251d44132553fe04ae0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n   preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n   (which results in partition table entries straddling sector boundaries),\n   bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n   termination - use strnlen() and strncmp() instead of strlen() and\n   strcmp()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:46.575Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
        },
        {
          "url": "https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625"
        },
        {
          "url": "https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27"
        },
        {
          "url": "https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0"
        }
      ],
      "title": "partitions: mac: fix handling of bogus partition table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21772",
    "datePublished": "2025-02-27T02:18:19.528Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-05-04T07:20:46.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21847 (GCVE-0-2025-21847)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offset() function. Assuming that it is not NULL if sps->stream is NULL is incorrect and can lead to NULL pointer dereference.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2b3878baf90918a361a3dfd3513025100b1b40b6
	https://git.kernel.org/stable/c/62ab1ae5511c59b5f0bf550136ff321331adca9f
	https://git.kernel.org/stable/c/6c18f5eb2043ebf4674c08a9690218dc818a11ab
	https://git.kernel.org/stable/c/d8d99c3b5c485f339864aeaa29f76269cc0ea975

Impacted products

Vendor

Product

Version

►

Linux

Version: 090349a9feba3ceee3997d31d68ffe54e5b57acb
Version: 090349a9feba3ceee3997d31d68ffe54e5b57acb
Version: 090349a9feba3ceee3997d31d68ffe54e5b57acb
Version: 090349a9feba3ceee3997d31d68ffe54e5b57acb

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/stream-ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b3878baf90918a361a3dfd3513025100b1b40b6",
              "status": "affected",
              "version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
              "versionType": "git"
            },
            {
              "lessThan": "62ab1ae5511c59b5f0bf550136ff321331adca9f",
              "status": "affected",
              "version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
              "versionType": "git"
            },
            {
              "lessThan": "6c18f5eb2043ebf4674c08a9690218dc818a11ab",
              "status": "affected",
              "version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
              "versionType": "git"
            },
            {
              "lessThan": "d8d99c3b5c485f339864aeaa29f76269cc0ea975",
              "status": "affected",
              "version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/sof/stream-ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()\n\nThe nullity of sps-\u003ecstream should be checked similarly as it is done in\nsof_set_stream_data_offset() function.\nAssuming that it is not NULL if sps-\u003estream is NULL is incorrect and can\nlead to NULL pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:27.708Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b3878baf90918a361a3dfd3513025100b1b40b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/62ab1ae5511c59b5f0bf550136ff321331adca9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c18f5eb2043ebf4674c08a9690218dc818a11ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8d99c3b5c485f339864aeaa29f76269cc0ea975"
        }
      ],
      "title": "ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21847",
    "datePublished": "2025-03-12T09:42:03.568Z",
    "dateReserved": "2024-12-29T08:45:45.778Z",
    "dateUpdated": "2025-05-04T07:22:27.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21763 (GCVE-0-2025-21763)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e1aed6be381bcd7f46d4ca9d7ef0f5f3d6a1be32
	https://git.kernel.org/stable/c/8666e9aab801328c1408a19fbf4070609dc0695a
	https://git.kernel.org/stable/c/40d8f2f2a373b6c294ffac394d2bb814b572ead1
	https://git.kernel.org/stable/c/784eb2376270e086f7db136d154b8404edacf97b
	https://git.kernel.org/stable/c/1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379
	https://git.kernel.org/stable/c/cdd5c2a12ddad8a77ce1838ff9f29aa587de82df
	https://git.kernel.org/stable/c/559307d25235e24b5424778c7332451b6c741159
	https://git.kernel.org/stable/c/becbd5850c03ed33b232083dd66c6e38c0c0e569

Impacted products

Vendor

Product

Version

►

Linux

Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320
Version: 426b5303eb435d98b9bee37a807be386bc2b3320

Linux

Version: 2.6.25

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21763",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:24.552153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.961Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/neighbour.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1aed6be381bcd7f46d4ca9d7ef0f5f3d6a1be32",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "8666e9aab801328c1408a19fbf4070609dc0695a",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "40d8f2f2a373b6c294ffac394d2bb814b572ead1",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "784eb2376270e086f7db136d154b8404edacf97b",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "cdd5c2a12ddad8a77ce1838ff9f29aa587de82df",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "559307d25235e24b5424778c7332451b6c741159",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            },
            {
              "lessThan": "becbd5850c03ed33b232083dd66c6e38c0c0e569",
              "status": "affected",
              "version": "426b5303eb435d98b9bee37a807be386bc2b3320",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/neighbour.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: use RCU protection in __neigh_notify()\n\n__neigh_notify() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:35.809Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1aed6be381bcd7f46d4ca9d7ef0f5f3d6a1be32"
        },
        {
          "url": "https://git.kernel.org/stable/c/8666e9aab801328c1408a19fbf4070609dc0695a"
        },
        {
          "url": "https://git.kernel.org/stable/c/40d8f2f2a373b6c294ffac394d2bb814b572ead1"
        },
        {
          "url": "https://git.kernel.org/stable/c/784eb2376270e086f7db136d154b8404edacf97b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd5c2a12ddad8a77ce1838ff9f29aa587de82df"
        },
        {
          "url": "https://git.kernel.org/stable/c/559307d25235e24b5424778c7332451b6c741159"
        },
        {
          "url": "https://git.kernel.org/stable/c/becbd5850c03ed33b232083dd66c6e38c0c0e569"
        }
      ],
      "title": "neighbour: use RCU protection in __neigh_notify()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21763",
    "datePublished": "2025-02-27T02:18:15.078Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:35.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-54683 (GCVE-0-2024-54683)

Vulnerability from cvelistv5

Published

2025-01-11 12:29

Modified

2025-05-04 09:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: IDLETIMER: Fix for possible ABBA deadlock Deletion of the last rule referencing a given idletimer may happen at the same time as a read of its file in sysfs: | ====================================================== | WARNING: possible circular locking dependency detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | ------------------------------------------------------ | iptables/3303 is trying to acquire lock: | ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 | | but task is already holding lock: | ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] | | which lock already depends on the new lock. A simple reproducer is: | #!/bin/bash | | while true; do | iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | done & | while true; do | cat /sys/class/xt_idletimer/timers/testme >/dev/null | done Avoid this by freeing list_mutex right after deleting the element from the list, then continuing with the teardown.

References

►

URL

Tags

	https://git.kernel.org/stable/c/8c2c8445cda8f59c38dec7dc10509bcb23ae26a0
	https://git.kernel.org/stable/c/45fe76573a2557f632e248cc141342233f422b9a
	https://git.kernel.org/stable/c/f36b01994d68ffc253c8296e2228dfe6e6431c03

Impacted products

Vendor

Product

Version

►

Linux

Version: 0902b469bd25065aa0688c3cee6f11744c817e7c
Version: 0902b469bd25065aa0688c3cee6f11744c817e7c
Version: 0902b469bd25065aa0688c3cee6f11744c817e7c

Linux

Version: 2.6.36

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c2c8445cda8f59c38dec7dc10509bcb23ae26a0",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            },
            {
              "lessThan": "45fe76573a2557f632e248cc141342233f422b9a",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            },
            {
              "lessThan": "f36b01994d68ffc253c8296e2228dfe6e6431c03",
              "status": "affected",
              "version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: IDLETIMER: Fix for possible ABBA deadlock\n\nDeletion of the last rule referencing a given idletimer may happen at\nthe same time as a read of its file in sysfs:\n\n| ======================================================\n| WARNING: possible circular locking dependency detected\n| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted\n| ------------------------------------------------------\n| iptables/3303 is trying to acquire lock:\n| ffff8881057e04b8 (kn-\u003eactive#48){++++}-{0:0}, at: __kernfs_remove+0x20\n|\n| but task is already holding lock:\n| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]\n|\n| which lock already depends on the new lock.\n\nA simple reproducer is:\n\n| #!/bin/bash\n|\n| while true; do\n|         iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n|         iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n| done \u0026\n| while true; do\n|         cat /sys/class/xt_idletimer/timers/testme \u003e/dev/null\n| done\n\nAvoid this by freeing list_mutex right after deleting the element from\nthe list, then continuing with the teardown."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:57:10.479Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c2c8445cda8f59c38dec7dc10509bcb23ae26a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fe76573a2557f632e248cc141342233f422b9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f36b01994d68ffc253c8296e2228dfe6e6431c03"
        }
      ],
      "title": "netfilter: IDLETIMER: Fix for possible ABBA deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-54683",
    "datePublished": "2025-01-11T12:29:54.407Z",
    "dateReserved": "2025-01-09T09:49:29.693Z",
    "dateUpdated": "2025-05-04T09:57:10.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21828 (GCVE-0-2025-21828)

Vulnerability from cvelistv5

Published

2025-03-06 16:04

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't flush non-uploaded STAs If STA state is pre-moved to AUTHORIZED (such as in IBSS scenarios) and insertion fails, the station is freed. In this case, the driver never knew about the station, so trying to flush it is unexpected and may crash. Check if the sta was uploaded to the driver before and fix this.

References

►

URL

Tags

	https://git.kernel.org/stable/c/cf21ef3d430847ba864bbc9b2774fffcc03ce321
	https://git.kernel.org/stable/c/cd10b7fcb95a6a86c67adc54304c59a578ab16af
	https://git.kernel.org/stable/c/9efb5531271fa7ebae993b2a33a705d9947c7ce6
	https://git.kernel.org/stable/c/aa3ce3f8fafa0b8fb062f28024855ea8cb3f3450

Impacted products

Vendor

Product

Version

►

Linux

Version: d00800a289c9349bb659a698cbd7bc04521dc927
Version: d00800a289c9349bb659a698cbd7bc04521dc927
Version: d00800a289c9349bb659a698cbd7bc04521dc927
Version: d00800a289c9349bb659a698cbd7bc04521dc927

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/driver-ops.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf21ef3d430847ba864bbc9b2774fffcc03ce321",
              "status": "affected",
              "version": "d00800a289c9349bb659a698cbd7bc04521dc927",
              "versionType": "git"
            },
            {
              "lessThan": "cd10b7fcb95a6a86c67adc54304c59a578ab16af",
              "status": "affected",
              "version": "d00800a289c9349bb659a698cbd7bc04521dc927",
              "versionType": "git"
            },
            {
              "lessThan": "9efb5531271fa7ebae993b2a33a705d9947c7ce6",
              "status": "affected",
              "version": "d00800a289c9349bb659a698cbd7bc04521dc927",
              "versionType": "git"
            },
            {
              "lessThan": "aa3ce3f8fafa0b8fb062f28024855ea8cb3f3450",
              "status": "affected",
              "version": "d00800a289c9349bb659a698cbd7bc04521dc927",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/driver-ops.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don\u0027t flush non-uploaded STAs\n\nIf STA state is pre-moved to AUTHORIZED (such as in IBSS\nscenarios) and insertion fails, the station is freed.\nIn this case, the driver never knew about the station,\nso trying to flush it is unexpected and may crash.\n\nCheck if the sta was uploaded to the driver before and\nfix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:00.907Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf21ef3d430847ba864bbc9b2774fffcc03ce321"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd10b7fcb95a6a86c67adc54304c59a578ab16af"
        },
        {
          "url": "https://git.kernel.org/stable/c/9efb5531271fa7ebae993b2a33a705d9947c7ce6"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa3ce3f8fafa0b8fb062f28024855ea8cb3f3450"
        }
      ],
      "title": "wifi: mac80211: don\u0027t flush non-uploaded STAs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21828",
    "datePublished": "2025-03-06T16:04:33.641Z",
    "dateReserved": "2024-12-29T08:45:45.776Z",
    "dateUpdated": "2025-05-04T07:22:00.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27220 (GCVE-0-2025-27220)

Vulnerability from cvelistv5

Published

2025-03-03 00:00

Modified

2025-03-04 16:40

Severity ?

4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Summary

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

References

►

URL

Tags

	https://hackerone.com/reports/2890322
	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml

Impacted products

	Vendor	Product	Version
	ruby-lang	CGI	Version: 0 < 0.3.5.1 Version: 0.3.6 < 0.3.7 Version: 0.4.0 < 0.4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27220",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T16:39:36.614961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T16:40:22.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CGI",
          "vendor": "ruby-lang",
          "versions": [
            {
              "lessThan": "0.3.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "0.3.7",
              "status": "affected",
              "version": "0.3.6",
              "versionType": "custom"
            },
            {
              "lessThan": "0.4.2",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.7",
                  "versionStartIncluding": "0.3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.4.2",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-03T23:46:21.977Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2890322"
        },
        {
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27220",
    "datePublished": "2025-03-03T00:00:00.000Z",
    "dateReserved": "2025-02-20T00:00:00.000Z",
    "dateUpdated": "2025-03-04T16:40:22.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21744 (GCVE-0-2025-21744)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_proto_detach() function is called providing the following sequence: brcmf_detach() brcmf_proto_detach() brcmf_proto_msgbuf_detach() brcmf_flowring_detach() brcmf_msgbuf_delete_flowring() brcmf_msgbuf_remove_flowring() brcmf_flowring_delete() brcmf_get_ifp() brcmf_txfinalize() Since brcmf_get_ip() can and actually will return NULL in this case the call to brcmf_txfinalize() will result in a NULL pointer dereference inside brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors. This will only happen if a flowring still has an skb. Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2326e19190e176fd72bb542b837a9d2b7fcb8693
	https://git.kernel.org/stable/c/59ff4fa653ff6db07c61152516ffba79c2a74bda
	https://git.kernel.org/stable/c/61541d9b5a23df33934fcc620a3a81f246b1b240
	https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b
	https://git.kernel.org/stable/c/3877fc67bd3d5566cc12763bce39710ceb74a97d
	https://git.kernel.org/stable/c/fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58
	https://git.kernel.org/stable/c/a2beefc4fa49ebc22e664dc6b39dbd054f8488f9
	https://git.kernel.org/stable/c/68abd0c4ebf24cd499841a488b97a6873d5efabb

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2326e19190e176fd72bb542b837a9d2b7fcb8693",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "59ff4fa653ff6db07c61152516ffba79c2a74bda",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "61541d9b5a23df33934fcc620a3a81f246b1b240",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4e51d6d093e763348916e69d06d87e0a5593661b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3877fc67bd3d5566cc12763bce39710ceb74a97d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a2beefc4fa49ebc22e664dc6b39dbd054f8488f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "68abd0c4ebf24cd499841a488b97a6873d5efabb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()\n\nOn removal of the device or unloading of the kernel module a potential NULL\npointer dereference occurs.\n\nThe following sequence deletes the interface:\n\n  brcmf_detach()\n    brcmf_remove_interface()\n      brcmf_del_if()\n\nInside the brcmf_del_if() function the drvr-\u003eif2bss[ifidx] is updated to\nBRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.\n\nAfter brcmf_remove_interface() call the brcmf_proto_detach() function is\ncalled providing the following sequence:\n\n  brcmf_detach()\n    brcmf_proto_detach()\n      brcmf_proto_msgbuf_detach()\n        brcmf_flowring_detach()\n          brcmf_msgbuf_delete_flowring()\n            brcmf_msgbuf_remove_flowring()\n              brcmf_flowring_delete()\n                brcmf_get_ifp()\n                brcmf_txfinalize()\n\nSince brcmf_get_ip() can and actually will return NULL in this case the\ncall to brcmf_txfinalize() will result in a NULL pointer dereference inside\nbrcmf_txfinalize() when trying to update ifp-\u003endev-\u003estats.tx_errors.\n\nThis will only happen if a flowring still has an skb.\n\nAlthough the NULL pointer dereference has only been seen when trying to\nupdate the tx statistic, all other uses of the ifp pointer have been\nguarded as well with an early return if ifp is NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:11.828Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2326e19190e176fd72bb542b837a9d2b7fcb8693"
        },
        {
          "url": "https://git.kernel.org/stable/c/59ff4fa653ff6db07c61152516ffba79c2a74bda"
        },
        {
          "url": "https://git.kernel.org/stable/c/61541d9b5a23df33934fcc620a3a81f246b1b240"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3877fc67bd3d5566cc12763bce39710ceb74a97d"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2beefc4fa49ebc22e664dc6b39dbd054f8488f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/68abd0c4ebf24cd499841a488b97a6873d5efabb"
        }
      ],
      "title": "wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21744",
    "datePublished": "2025-02-27T02:12:17.259Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:11.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21794 (GCVE-0-2025-21794)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

References

►

URL

Tags

	https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8
	https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9
	https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40
	https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7
	https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e

Impacted products

Vendor

Product

Version

►

Linux

Version: 220883fba32549a34f0734e4859d07f4dcd56992
Version: ae730deded66150204c494282969bfa98dc3ae67
Version: e5bcae4212a6a4b4204f46a1b8bcba08909d2007
Version: 816e84602900f7f951458d743fa12769635ebfd5
Version: 50420d7c79c37a3efe4010ff9b1bb14bc61ebccf

Linux

Version: 6.6.76   ≤
Version: 6.12.13   ≤
Version: 6.13.2   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "436f48c864186e9413d1b7c6e91767cc9e1a65b8",
              "status": "affected",
              "version": "220883fba32549a34f0734e4859d07f4dcd56992",
              "versionType": "git"
            },
            {
              "lessThan": "f3ce05283f6cb6e19c220f5382def43dc5bd56b9",
              "status": "affected",
              "version": "ae730deded66150204c494282969bfa98dc3ae67",
              "versionType": "git"
            },
            {
              "lessThan": "cdd9a1ea23ff1a272547217100663e8de4eada40",
              "status": "affected",
              "version": "e5bcae4212a6a4b4204f46a1b8bcba08909d2007",
              "versionType": "git"
            },
            {
              "lessThan": "73e36a699b9f46322ffb81f072a24e64f728dba7",
              "status": "affected",
              "version": "816e84602900f7f951458d743fa12769635ebfd5",
              "versionType": "git"
            },
            {
              "lessThan": "0b43d98ff29be3144e86294486b1373b5df74c0e",
              "status": "affected",
              "version": "50420d7c79c37a3efe4010ff9b1bb14bc61ebccf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.6.79",
              "status": "affected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.16",
              "status": "affected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThan": "6.13.4",
              "status": "affected",
              "version": "6.13.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()\n\nSyzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from\nhid-thrustmaster driver. This array is passed to usb_check_int_endpoints\nfunction from usb.c core driver, which executes a for loop that iterates\nover the elements of the passed array. Not finding a null element at the end of\nthe array, it tries to read the next, non-existent element, crashing the kernel.\n\nTo fix this, a 0 element was added at the end of the array to break the for\nloop.\n\n[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:22.682Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40"
        },
        {
          "url": "https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e"
        }
      ],
      "title": "HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21794",
    "datePublished": "2025-02-27T02:18:30.907Z",
    "dateReserved": "2024-12-29T08:45:45.767Z",
    "dateUpdated": "2025-05-04T07:21:22.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50036 (GCVE-0-2024-50036)

Vulnerability from cvelistv5

Published

2024-10-21 19:39

Modified

2025-05-04 12:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels.

References

►

URL

Tags

	https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a
	https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96
	https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f
	https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd
	https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc
	https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d

Impacted products

Vendor

Product

Version

►

Linux

Version: f88649721268999bdff09777847080a52004f691
Version: f88649721268999bdff09777847080a52004f691
Version: f88649721268999bdff09777847080a52004f691
Version: f88649721268999bdff09777847080a52004f691
Version: f88649721268999bdff09777847080a52004f691
Version: f88649721268999bdff09777847080a52004f691
Version: 86e48c03d774e01ccd71ecba4fc4b5c2bc0b5b41
Version: 591b1e1bb40152e22cee757f493046a0ca946bf8
Version: df90819dafcd6b97fc665f63a15752a570e227a2
Version: 9a4fe697023dbe6c25caa1f8b2153af869a29bd2

Linux

Version: 3.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50036",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:25:25.259782Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:28:44.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dst.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "547087307bc19417b4f2bc85ba9664a3e8db5a6a",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "lessThan": "e3915f028b1f1c37e87542e5aadd33728c259d96",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "lessThan": "a60db84f772fc3a906c6c4072f9207579c41166f",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "lessThan": "eae7435b48ffc8e9be0ff9cfeae40af479a609dd",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "lessThan": "3c7c918ec0aa3555372c5a57f18780b7a96c5cfc",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "lessThan": "ac888d58869bb99753e7652be19a151df9ecb35d",
              "status": "affected",
              "version": "f88649721268999bdff09777847080a52004f691",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "86e48c03d774e01ccd71ecba4fc4b5c2bc0b5b41",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "591b1e1bb40152e22cee757f493046a0ca946bf8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df90819dafcd6b97fc665f63a15752a570e227a2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9a4fe697023dbe6c25caa1f8b2153af869a29bd2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dst.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.172",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.230",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.172",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.57",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.15.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n   dst_release_immediate(child), this might also cause UAF\n   if the child does not have DST_NOCOUNT set.\n   IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n   which might happen in future kernels."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:21.930Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96"
        },
        {
          "url": "https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f"
        },
        {
          "url": "https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d"
        }
      ],
      "title": "net: do not delay dst_entries_add() in dst_release()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50036",
    "datePublished": "2024-10-21T19:39:37.135Z",
    "dateReserved": "2024-10-21T12:17:06.070Z",
    "dateUpdated": "2025-05-04T12:59:21.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21838 (GCVE-0-2025-21838)

Vulnerability from cvelistv5

Published

2025-03-07 09:09

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: device_del() gadget_unbind_driver() usb_gadget_disconnect_locked() dwc3_gadget_pullup() dwc3_gadget_soft_disconnect() usb_gadget_set_state() schedule_work(&gadget->work) Move flush_work() after device_del() to ensure the workqueue is cleaned up.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266
	https://git.kernel.org/stable/c/859cb45aefa6de823b2fa7f229fe6d9562c9f3b7
	https://git.kernel.org/stable/c/f894448f3904d7ad66fecef8f01fe0172629e091
	https://git.kernel.org/stable/c/97695b5a1b5467a4f91194db12160f56da445dfe
	https://git.kernel.org/stable/c/399a45e5237ca14037120b1b895bd38a3b4492ea

Impacted products

Vendor

Product

Version

►

Linux

Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
Version: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15

Linux

Version: 3.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266",
              "status": "affected",
              "version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
              "versionType": "git"
            },
            {
              "lessThan": "859cb45aefa6de823b2fa7f229fe6d9562c9f3b7",
              "status": "affected",
              "version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
              "versionType": "git"
            },
            {
              "lessThan": "f894448f3904d7ad66fecef8f01fe0172629e091",
              "status": "affected",
              "version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
              "versionType": "git"
            },
            {
              "lessThan": "97695b5a1b5467a4f91194db12160f56da445dfe",
              "status": "affected",
              "version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
              "versionType": "git"
            },
            {
              "lessThan": "399a45e5237ca14037120b1b895bd38a3b4492ea",
              "status": "affected",
              "version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: core: flush gadget workqueue after device removal\n\ndevice_del() can lead to new work being scheduled in gadget-\u003ework\nworkqueue. This is observed, for example, with the dwc3 driver with the\nfollowing call stack:\n  device_del()\n    gadget_unbind_driver()\n      usb_gadget_disconnect_locked()\n        dwc3_gadget_pullup()\n\t  dwc3_gadget_soft_disconnect()\n\t    usb_gadget_set_state()\n\t      schedule_work(\u0026gadget-\u003ework)\n\nMove flush_work() after device_del() to ensure the workqueue is cleaned\nup."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:17.406Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266"
        },
        {
          "url": "https://git.kernel.org/stable/c/859cb45aefa6de823b2fa7f229fe6d9562c9f3b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f894448f3904d7ad66fecef8f01fe0172629e091"
        },
        {
          "url": "https://git.kernel.org/stable/c/97695b5a1b5467a4f91194db12160f56da445dfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/399a45e5237ca14037120b1b895bd38a3b4492ea"
        }
      ],
      "title": "usb: gadget: core: flush gadget workqueue after device removal",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21838",
    "datePublished": "2025-03-07T09:09:57.515Z",
    "dateReserved": "2024-12-29T08:45:45.777Z",
    "dateUpdated": "2025-05-04T07:22:17.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0395 (GCVE-0-2025-0395)

Vulnerability from cvelistv5

Published

2025-01-22 13:11

Modified

2025-04-30 05:03

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-131 - Incorrect Calculation of Buffer Size

Summary

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

References

►

URL

Tags

	https://www.openwall.com/lists/oss-security/2025/01/22/4
	https://sourceware.org/bugzilla/show_bug.cgi?id=32582
	https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001
	https://sourceware.org/pipermail/libc-announce/2025/000044.html

Impacted products

	Vendor	Product	Version
	The GNU C Library	glibc	Version: 2.13 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-30T05:03:13.011Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/22/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/23/2"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250228-0006/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/13/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/24/7"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00039.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-0395",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-22T14:32:21.692600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T19:39:12.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "glibc",
          "vendor": "The GNU C Library",
          "versions": [
            {
              "lessThanOrEqual": "2.40",
              "status": "affected",
              "version": "2.13",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qualys Security Advisory"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.\u003cbr\u003e"
            }
          ],
          "value": "When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-131",
              "description": "CWE-131 Incorrect Calculation of Buffer Size",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-22T15:29:51.366Z",
        "orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
        "shortName": "glibc"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/01/22/4"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32582"
        },
        {
          "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001"
        },
        {
          "url": "https://sourceware.org/pipermail/libc-announce/2025/000044.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
    "assignerShortName": "glibc",
    "cveId": "CVE-2025-0395",
    "datePublished": "2025-01-22T13:11:30.406Z",
    "dateReserved": "2025-01-11T15:00:14.787Z",
    "dateUpdated": "2025-04-30T05:03:13.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56770 (GCVE-0-2024-56770)

Vulnerability from cvelistv5

Published

2025-01-08 16:36

Modified

2025-05-04 10:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev <oif> Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics.

References

►

URL

Tags

	https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31
	https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76
	https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4
	https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427
	https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e
	https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9
	https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027

Impacted products

Vendor

Product

Version

►

Linux

Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe
Version: 50612537e9ab29693122fab20fc1eed235054ffe

Linux

Version: 3.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "216509dda290f6db92c816dd54b83c1df9da9e76",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "c2047b0e216c8edce227d7c42f99ac2877dad0e4",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "10df49cfca73dfbbdb6c4150d859f7e8926ae427",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "3824c5fad18eeb7abe0c4fc966f29959552dca3e",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "356078a5c55ec8d2061fcc009fb8599f5b0527f9",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            },
            {
              "lessThan": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
              "status": "affected",
              "version": "50612537e9ab29693122fab20fc1eed235054ffe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.288",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.232",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.288",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.232",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.175",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: netem: account for backlog updates from child qdisc\n\nIn general, \u0027qlen\u0027 of any classful qdisc should keep track of the\nnumber of packets that the qdisc itself and all of its children holds.\nIn case of netem, \u0027qlen\u0027 only accounts for the packets in its internal\ntfifo. When netem is used with a child qdisc, the child qdisc can use\n\u0027qdisc_tree_reduce_backlog\u0027 to inform its parent, netem, about created\nor dropped SKBs. This function updates \u0027qlen\u0027 and the backlog statistics\nof netem, but netem does not account for changes made by a child qdisc.\n\u0027qlen\u0027 then indicates the wrong number of packets in the tfifo.\nIf a child qdisc creates new SKBs during enqueue and informs its parent\nabout this, netem\u0027s \u0027qlen\u0027 value is increased. When netem dequeues the\nnewly created SKBs from the child, the \u0027qlen\u0027 in netem is not updated.\nIf \u0027qlen\u0027 reaches the configured sch-\u003elimit, the enqueue function stops\nworking, even though the tfifo is not full.\n\nReproduce the bug:\nEnsure that the sender machine has GSO enabled. Configure netem as root\nqdisc and tbf as its child on the outgoing interface of the machine\nas follows:\n$ tc qdisc add dev \u003coif\u003e root handle 1: netem delay 100ms limit 100\n$ tc qdisc add dev \u003coif\u003e parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms\n\nSend bulk TCP traffic out via this interface, e.g., by running an iPerf3\nclient on the machine. Check the qdisc statistics:\n$ tc -s qdisc show dev \u003coif\u003e\n\nStatistics after 10s of iPerf3 TCP test before the fix (note that\nnetem\u0027s backlog \u003e limit, netem stopped accepting packets):\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)\n backlog 4294528236b 1155p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)\n backlog 0b 0p requeues 0\n\nStatistics after the fix:\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)\n backlog 0b 0p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)\n backlog 0b 0p requeues 0\n\ntbf segments the GSO SKBs (tbf_segment) and updates the netem\u0027s \u0027qlen\u0027.\nThe interface fully stops transferring packets and \"locks\". In this case,\nthe child qdisc and tfifo are empty, but \u0027qlen\u0027 indicates the tfifo is at\nits limit and no more packets are accepted.\n\nThis patch adds a counter for the entries in the tfifo. Netem\u0027s \u0027qlen\u0027 is\nonly decreased when a packet is returned by its dequeue function, and not\nduring enqueuing into the child qdisc. External updates to \u0027qlen\u0027 are thus\naccounted for and only the behavior of the backlog statistics changes. As\nin other qdiscs, \u0027qlen\u0027 then keeps track of  how many packets are held in\nnetem and all of its children. As before, sch-\u003elimit remains as the\nmaximum number of packets in the tfifo. The same applies to netem\u0027s\nbacklog statistics."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:19.387Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31"
        },
        {
          "url": "https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427"
        },
        {
          "url": "https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027"
        }
      ],
      "title": "net/sched: netem: account for backlog updates from child qdisc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56770",
    "datePublished": "2025-01-08T16:36:59.315Z",
    "dateReserved": "2024-12-29T11:26:39.763Z",
    "dateUpdated": "2025-05-04T10:04:19.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41055 (GCVE-0-2024-41055)

Vulnerability from cvelistv5

Published

2024-07-29 14:32

Modified

2025-05-04 12:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982
	https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503
	https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509
	https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7
	https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63
	https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e

Impacted products

Vendor

Product

Version

►

Linux

Version: 90ad17575d26874287271127d43ef3c2af876cea
Version: b448de2459b6d62a53892487ab18b7d823ff0529
Version: 68ed9e33324021e9d6b798e9db00ca3093d2012a
Version: 70064241f2229f7ba7b9599a98f68d9142e81a97
Version: 5ec8e8ea8b7783fab150cf86404fc38cb4db8800
Version: 5ec8e8ea8b7783fab150cf86404fc38cb4db8800
Version: 3a01daace71b521563c38bbbf874e14c3e58adb7

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41055",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:22:28.194623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:01.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mmzone.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0100aeb8a12d51950418e685f879cc80cb8e5982",
              "status": "affected",
              "version": "90ad17575d26874287271127d43ef3c2af876cea",
              "versionType": "git"
            },
            {
              "lessThan": "bc17f2377818dca643a74499c3f5333500c90503",
              "status": "affected",
              "version": "b448de2459b6d62a53892487ab18b7d823ff0529",
              "versionType": "git"
            },
            {
              "lessThan": "941e816185661bf2b44b488565d09444ae316509",
              "status": "affected",
              "version": "68ed9e33324021e9d6b798e9db00ca3093d2012a",
              "versionType": "git"
            },
            {
              "lessThan": "797323d1cf92d09b7a017cfec576d9babf99cde7",
              "status": "affected",
              "version": "70064241f2229f7ba7b9599a98f68d9142e81a97",
              "versionType": "git"
            },
            {
              "lessThan": "adccdf702b4ea913ded5ff512239e382d7473b63",
              "status": "affected",
              "version": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800",
              "versionType": "git"
            },
            {
              "lessThan": "82f0b6f041fad768c28b4ad05a683065412c226e",
              "status": "affected",
              "version": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3a01daace71b521563c38bbbf874e14c3e58adb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mmzone.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.222",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.222",
                  "versionStartIncluding": "5.10.210",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.163",
                  "versionStartIncluding": "5.15.149",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.100",
                  "versionStartIncluding": "6.1.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.41",
                  "versionStartIncluding": "6.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section-\u003eusage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms-\u003eusage\" to fix a race with section_deactivate() where\nms-\u003eusage can be cleared.  The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference.  We need to check its value before\ndereferencing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:57:33.295Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503"
        },
        {
          "url": "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509"
        },
        {
          "url": "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7"
        },
        {
          "url": "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63"
        },
        {
          "url": "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e"
        }
      ],
      "title": "mm: prevent derefencing NULL ptr in pfn_section_valid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41055",
    "datePublished": "2024-07-29T14:32:10.672Z",
    "dateReserved": "2024-07-12T12:17:45.627Z",
    "dateUpdated": "2025-05-04T12:57:33.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50126 (GCVE-0-2024-50126)

Vulnerability from cvelistv5

Published

2024-11-05 17:10

Modified

2025-05-04 09:46

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: use RCU read-side critical section in taprio_dump() Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0 [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024 [T15862] Call trace: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] tc_fill_qdisc+0x540/0x1020 [T15862] qdisc_notify.isra.0+0x330/0x3a0 [T15862] tc_modify_qdisc+0x7b8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Allocated by task 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Freed by task 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20

References

►

URL

Tags

	https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1
	https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536
	https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d
	https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3

Impacted products

Vendor

Product

Version

►

Linux

Version: 18cdd2f0998a4967b1fff4c43ed9aef049e42c39
Version: 18cdd2f0998a4967b1fff4c43ed9aef049e42c39
Version: 18cdd2f0998a4967b1fff4c43ed9aef049e42c39
Version: 18cdd2f0998a4967b1fff4c43ed9aef049e42c39

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50126",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:28:25.069183Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:33.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_taprio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b911fa9e92ee586e36479ad57b88f20471acaca1",
              "status": "affected",
              "version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
              "versionType": "git"
            },
            {
              "lessThan": "5d282467245f267c0b9ada3f7f309ff838521536",
              "status": "affected",
              "version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
              "versionType": "git"
            },
            {
              "lessThan": "e4369cb6acf6b895ac2453cc1cdf2f4326122c6d",
              "status": "affected",
              "version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
              "versionType": "git"
            },
            {
              "lessThan": "b22db8b8befe90b61c98626ca1a2fbb0505e9fe3",
              "status": "affected",
              "version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_taprio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in \u0027taprio_dump()\u0027 by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862]  dump_backtrace+0x20c/0x220\n[T15862]  show_stack+0x2c/0x40\n[T15862]  dump_stack_lvl+0xf8/0x174\n[T15862]  print_report+0x170/0x4d8\n[T15862]  kasan_report+0xb8/0x1d4\n[T15862]  __asan_report_load4_noabort+0x20/0x2c\n[T15862]  taprio_dump+0xa0c/0xbb0\n[T15862]  tc_fill_qdisc+0x540/0x1020\n[T15862]  qdisc_notify.isra.0+0x330/0x3a0\n[T15862]  tc_modify_qdisc+0x7b8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_alloc_info+0x40/0x60\n[T15862]  __kasan_kmalloc+0xd4/0xe0\n[T15862]  __kmalloc_cache_noprof+0x194/0x334\n[T15862]  taprio_change+0x45c/0x2fe0\n[T15862]  tc_modify_qdisc+0x6a8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_free_info+0x4c/0x80\n[T15862]  poison_slab_object+0x110/0x160\n[T15862]  __kasan_slab_free+0x3c/0x74\n[T15862]  kfree+0x134/0x3c0\n[T15862]  taprio_free_sched_cb+0x18c/0x220\n[T15862]  rcu_core+0x920/0x1b7c\n[T15862]  rcu_core_si+0x10/0x1c\n[T15862]  handle_softirqs+0x2e8/0xd64\n[T15862]  __do_softirq+0x14/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:46:38.705Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"
        }
      ],
      "title": "net: sched: use RCU read-side critical section in taprio_dump()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50126",
    "datePublished": "2024-11-05T17:10:53.741Z",
    "dateReserved": "2024-10-21T19:36:19.954Z",
    "dateUpdated": "2025-05-04T09:46:38.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-8176 (GCVE-0-2024-8176)

Vulnerability from cvelistv5

Published

2025-03-14 08:19

Modified

2025-08-14 15:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion

Summary

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:13681	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:3531	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:3734	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:3913	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:4048	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:4446	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:4447	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:4448	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:4449	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7444	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:7512	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8385	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-8176	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2310137	issue-tracking, x_refsource_REDHAT
	https://github.com/libexpat/libexpat/issues/893

Impacted products

Vendor

Product

Version

►

Version: 0 ≤

Red Hat	Red Hat Enterprise Linux 10	Unaffected: 0:2.7.1-1.el10_0 < * cpe:/o:redhat:enterprise_linux:10.0
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:2.2.5-17.el8_10 < * cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:1.51.0-11.el8_10 < * cpe:/o:redhat:enterprise_linux:8::baseos cpe:/a:redhat:enterprise_linux:8::crb
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	Unaffected: 0:1.51.0-5.el8_2.2 < * cpe:/o:redhat:rhel_aus:8.2::baseos
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	Unaffected: 0:1.51.0-5.el8_4.2 < * cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_e4s:8.4::baseos cpe:/o:redhat:rhel_tus:8.4::baseos
Red Hat	Red Hat Enterprise Linux 8.4 Telecommunications Update Service	Unaffected: 0:1.51.0-5.el8_4.2 < * cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_e4s:8.4::baseos cpe:/o:redhat:rhel_tus:8.4::baseos
Red Hat	Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	Unaffected: 0:1.51.0-5.el8_4.2 < * cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_e4s:8.4::baseos cpe:/o:redhat:rhel_tus:8.4::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	Unaffected: 0:1.51.0-6.el8_6.1 < * cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	Unaffected: 0:1.51.0-6.el8_6.1 < * cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	Unaffected: 0:1.51.0-6.el8_6.1 < * cpe:/o:redhat:rhel_tus:8.6::baseos cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.8 Extended Update Support	Unaffected: 0:1.51.0-8.el8_8.1 < * cpe:/o:redhat:rhel_eus:8.8::baseos cpe:/a:redhat:rhel_eus:8.8::crb
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:2.5.0-3.el9_5.3 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:2.5.0-5.el9_6 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:2.5.0-3.el9_5.3 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:2.5.0-5.el9_6 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat JBoss Core Services 2.4.62.SP1	cpe:/a:redhat:jboss_core_services:1
Red Hat	DevWorkspace Operator 0.33	Unaffected: sha256:b41c498da32fde3fa636594ef93d2206ca1a3bc306e401eaae035dc18d30654a < * cpe:/a:redhat:devworkspace:0.33::el9
Red Hat	Red Hat Discovery 1.14	Unaffected: sha256:f33991d766b618a128fb99fbe4f9b61c5004f7c6aa73b2b38e28d59e56c64d63 < * cpe:/a:redhat:discovery:1.14::el9
Red Hat	Red Hat Discovery 1.14	Unaffected: sha256:492e412759cf0eedfa5b557f7b0865f8864f84d0ed75e11dc8d7a840837d9644 < * cpe:/a:redhat:discovery:1.14::el9
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8176",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-14T13:13:22.690073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T13:14:00.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-09T13:10:25.026Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/15/1"
          },
          {
            "url": "https://blog.hartwork.org/posts/expat-2-7-0-released/"
          },
          {
            "url": "https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52"
          },
          {
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1239618"
          },
          {
            "url": "https://ubuntu.com/security/CVE-2024-8176"
          },
          {
            "url": "https://security-tracker.debian.org/tracker/CVE-2024-8176"
          },
          {
            "url": "https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0009/"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/760160"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/libexpat/libexpat/",
          "defaultStatus": "unaffected",
          "packageName": "libexpat",
          "versions": [
            {
              "lessThan": "2.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10.0"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.7.1-1.el10_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.5-17.el8_10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-11.el8_10",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.2::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-5.el8_2.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.4::baseos",
            "cpe:/o:redhat:rhel_e4s:8.4::baseos",
            "cpe:/o:redhat:rhel_tus:8.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-5.el8_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.4::baseos",
            "cpe:/o:redhat:rhel_e4s:8.4::baseos",
            "cpe:/o:redhat:rhel_tus:8.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-5.el8_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_aus:8.4::baseos",
            "cpe:/o:redhat:rhel_e4s:8.4::baseos",
            "cpe:/o:redhat:rhel_tus:8.4::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-5.el8_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-6.el8_6.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-6.el8_6.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_tus:8.6::baseos",
            "cpe:/o:redhat:rhel_aus:8.6::baseos",
            "cpe:/o:redhat:rhel_e4s:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-6.el8_6.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.8::baseos",
            "cpe:/a:redhat:rhel_eus:8.8::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "xmlrpc-c",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.51.0-8.el8_8.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.5.0-3.el9_5.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.5.0-5.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.5.0-3.el9_5.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.5.0-5.el9_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_core_services:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "expat",
          "product": "Red Hat JBoss Core Services 2.4.62.SP1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:devworkspace:0.33::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/devworkspace/devworkspace-project-clone-rhel9",
          "product": "DevWorkspace Operator 0.33",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:b41c498da32fde3fa636594ef93d2206ca1a3bc306e401eaae035dc18d30654a",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:1.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/discovery/discovery-server-rhel9",
          "product": "Red Hat Discovery 1.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:f33991d766b618a128fb99fbe4f9b61c5004f7c6aa73b2b38e28d59e56c64d63",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:discovery:1.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "registry.redhat.io/discovery/discovery-ui-rhel9",
          "product": "Red Hat Discovery 1.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "sha256:492e412759cf0eedfa5b557f7b0865f8864f84d0ed75e11dc8d7a840837d9644",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "compat-expat1",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "expat",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "lua-expat",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "mingw-expat",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "firefox:flatpak/firefox",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "thunderbird:flatpak/thunderbird",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Jann Horn (Google Project Zero), Sandipan Roy (Red Hat), Sebastian Pipping (libexpat), and Tomas Korbar (Red Hat)."
        }
      ],
      "datePublic": "2025-03-13T13:51:54.957Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T15:28:59.969Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:13681",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:13681"
        },
        {
          "name": "RHSA-2025:3531",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:3531"
        },
        {
          "name": "RHSA-2025:3734",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:3734"
        },
        {
          "name": "RHSA-2025:3913",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:3913"
        },
        {
          "name": "RHSA-2025:4048",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4048"
        },
        {
          "name": "RHSA-2025:4446",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4446"
        },
        {
          "name": "RHSA-2025:4447",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4447"
        },
        {
          "name": "RHSA-2025:4448",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4448"
        },
        {
          "name": "RHSA-2025:4449",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4449"
        },
        {
          "name": "RHSA-2025:7444",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7444"
        },
        {
          "name": "RHSA-2025:7512",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7512"
        },
        {
          "name": "RHSA-2025:8385",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8385"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-8176"
        },
        {
          "name": "RHBZ#2310137",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310137"
        },
        {
          "url": "https://github.com/libexpat/libexpat/issues/893"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-06-12T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-03-13T13:51:54.957000+00:00",
          "value": "Made public."
        }
      ],
      "title": "Libexpat: expat: improper restriction of xml entity expansion depth in libexpat",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-674: Uncontrolled Recursion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-8176",
    "datePublished": "2025-03-14T08:19:48.962Z",
    "dateReserved": "2024-08-26T12:36:40.985Z",
    "dateUpdated": "2025-08-14T15:28:59.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58009 (GCVE-0-2024-58009)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6
	https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd
	https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0
	https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785
	https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
	https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e
	https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1
	https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1

Impacted products

Vendor

Product

Version

►

Linux

Version: f6ad641646b67f29c7578dcd6c25813c7dcbf51e
Version: daa13175a6dea312a76099066cb4cbd4fc959a84
Version: a8677028dd5123e5e525b8195483994d87123de4
Version: bb2f2342a6ddf7c04f9aefbbfe86104cd138e629
Version: 8ad09ddc63ace3950ac43db6fbfe25b40f589dd6
Version: 61686abc2f3c2c67822aa23ce6f160467ec83d35
Version: 7c4f78cdb8e7501e9f92d291a7d956591bf73be9
Version: 7c4f78cdb8e7501e9f92d291a7d956591bf73be9

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9a7672fc1a0fe18502493936ccb06413ab89ea6",
              "status": "affected",
              "version": "f6ad641646b67f29c7578dcd6c25813c7dcbf51e",
              "versionType": "git"
            },
            {
              "lessThan": "8e605f580a97530e5a3583beea458a3fa4cbefbd",
              "status": "affected",
              "version": "daa13175a6dea312a76099066cb4cbd4fc959a84",
              "versionType": "git"
            },
            {
              "lessThan": "cf601a24120c674cd7c907ea695f92617af6abd0",
              "status": "affected",
              "version": "a8677028dd5123e5e525b8195483994d87123de4",
              "versionType": "git"
            },
            {
              "lessThan": "297ce7f544aa675b0d136d788cad0710cdfb0785",
              "status": "affected",
              "version": "bb2f2342a6ddf7c04f9aefbbfe86104cd138e629",
              "versionType": "git"
            },
            {
              "lessThan": "245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22",
              "status": "affected",
              "version": "8ad09ddc63ace3950ac43db6fbfe25b40f589dd6",
              "versionType": "git"
            },
            {
              "lessThan": "691218a50c3139f7f57ffa79fb89d932eda9571e",
              "status": "affected",
              "version": "61686abc2f3c2c67822aa23ce6f160467ec83d35",
              "versionType": "git"
            },
            {
              "lessThan": "49c0d55d59662430f1829ae85b969619573d0fa1",
              "status": "affected",
              "version": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
              "versionType": "git"
            },
            {
              "lessThan": "5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1",
              "status": "affected",
              "version": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.287",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.231",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.174",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.6.66",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.12.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc\n\nA NULL sock pointer is passed into l2cap_sock_alloc() when it is called\nfrom l2cap_sock_new_connection_cb() and the error handling paths should\nalso be aware of it.\n\nSeemingly a more elegant solution would be to swap bt_sock_alloc() and\nl2cap_chan_create() calls since they are not interdependent to that moment\nbut then l2cap_chan_create() adds the soon to be deallocated and still\ndummy-initialized channel to the global list accessible by many L2CAP\npaths. The channel would be removed from the list in short period of time\nbut be a bit more straight-forward here and just check for NULL instead of\nchanging the order of function calls.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:19.816Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785"
        },
        {
          "url": "https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22"
        },
        {
          "url": "https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e"
        },
        {
          "url": "https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1"
        }
      ],
      "title": "Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58009",
    "datePublished": "2025-02-27T02:12:04.637Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-04T10:08:19.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21732 (GCVE-0-2025-21732)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error This patch addresses a race condition for an ODP MR that can result in a CQE with an error on the UMR QP. During the __mlx5_ib_dereg_mr() flow, the following sequence of calls occurs: mlx5_revoke_mr() mlx5r_umr_revoke_mr() mlx5r_umr_post_send_wait() At this point, the lkey is freed from the hardware's perspective. However, concurrently, mlx5_ib_invalidate_range() might be triggered by another task attempting to invalidate a range for the same freed lkey. This task will: - Acquire the umem_odp->umem_mutex lock. - Call mlx5r_umr_update_xlt() on the UMR QP. - Since the lkey has already been freed, this can lead to a CQE error, causing the UMR QP to enter an error state [1]. To resolve this race condition, the umem_odp->umem_mutex lock is now also acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke, we set umem_odp->private which points to that MR to NULL, preventing any further invalidation attempts on its lkey. [1] From dmesg: infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2 WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] [..] Call Trace: <TASK> mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib] mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib] __mmu_notifier_invalidate_range_start+0x1e1/0x240 zap_page_range_single+0xf1/0x1a0 madvise_vma_behavior+0x677/0x6e0 do_madvise+0x1a2/0x4b0 __x64_sys_madvise+0x25/0x30 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e

References

►

URL

Tags

	https://git.kernel.org/stable/c/b13d32786acabf70a7b04ed24b7468fc3c82977c
	https://git.kernel.org/stable/c/5297f5ddffef47b94172ab0d3d62270002a3dcc1
	https://git.kernel.org/stable/c/abb604a1a9c87255c7a6f3b784410a9707baf467

Impacted products

Vendor

Product

Version

►

Linux

Version: e6fb246ccafbdfc86e0750af021628132fdbceac
Version: e6fb246ccafbdfc86e0750af021628132fdbceac
Version: e6fb246ccafbdfc86e0750af021628132fdbceac

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c",
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b13d32786acabf70a7b04ed24b7468fc3c82977c",
              "status": "affected",
              "version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
              "versionType": "git"
            },
            {
              "lessThan": "5297f5ddffef47b94172ab0d3d62270002a3dcc1",
              "status": "affected",
              "version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
              "versionType": "git"
            },
            {
              "lessThan": "abb604a1a9c87255c7a6f3b784410a9707baf467",
              "status": "affected",
              "version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c",
            "drivers/infiniband/hw/mlx5/odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error\n\nThis patch addresses a race condition for an ODP MR that can result in a\nCQE with an error on the UMR QP.\n\nDuring the __mlx5_ib_dereg_mr() flow, the following sequence of calls\noccurs:\n\nmlx5_revoke_mr()\n mlx5r_umr_revoke_mr()\n mlx5r_umr_post_send_wait()\n\nAt this point, the lkey is freed from the hardware\u0027s perspective.\n\nHowever, concurrently, mlx5_ib_invalidate_range() might be triggered by\nanother task attempting to invalidate a range for the same freed lkey.\n\nThis task will:\n - Acquire the umem_odp-\u003eumem_mutex lock.\n - Call mlx5r_umr_update_xlt() on the UMR QP.\n - Since the lkey has already been freed, this can lead to a CQE error,\n   causing the UMR QP to enter an error state [1].\n\nTo resolve this race condition, the umem_odp-\u003eumem_mutex lock is now also\nacquired as part of the mlx5_revoke_mr() scope.  Upon successful revoke,\nwe set umem_odp-\u003eprivate which points to that MR to NULL, preventing any\nfurther invalidation attempts on its lkey.\n\n[1] From dmesg:\n\n   infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error\n   cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2\n\n   WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\n   CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   [..]\n   Call Trace:\n   \u003cTASK\u003e\n   mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]\n   mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]\n   __mmu_notifier_invalidate_range_start+0x1e1/0x240\n   zap_page_range_single+0xf1/0x1a0\n   madvise_vma_behavior+0x677/0x6e0\n   do_madvise+0x1a2/0x4b0\n   __x64_sys_madvise+0x25/0x30\n   do_syscall_64+0x6b/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:58.200Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b13d32786acabf70a7b04ed24b7468fc3c82977c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5297f5ddffef47b94172ab0d3d62270002a3dcc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb604a1a9c87255c7a6f3b784410a9707baf467"
        }
      ],
      "title": "RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21732",
    "datePublished": "2025-02-27T02:12:10.626Z",
    "dateReserved": "2024-12-29T08:45:45.756Z",
    "dateUpdated": "2025-05-04T07:19:58.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21776 (GCVE-0-2025-21776)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: USB: hub: Ignore non-compliant devices with too many configs or interfaces Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer: Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 ... Call Trace: <TASK> ? die_addr+0x31/0x80 ? exc_general_protection+0x1b4/0x3c0 ? asm_exc_general_protection+0x26/0x30 ? usb_hub_adjust_deviceremovable+0x78/0x110 hub_probe+0x7c7/0xab0 usb_probe_interface+0x14b/0x350 really_probe+0xd0/0x2d0 ? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x6e/0x110 driver_probe_device+0x1a/0x90 __device_attach_driver+0x7e/0xc0 bus_for_each_drv+0x7f/0xd0 __device_attach+0xaa/0x1a0 bus_probe_device+0x8b/0xa0 device_add+0x62e/0x810 usb_set_configuration+0x65d/0x990 usb_generic_driver_probe+0x4b/0x70 usb_probe_device+0x36/0xd0 The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usb_hub_to_struct_hub() looks. We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface.

References

►

URL

Tags

	https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218
	https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566
	https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c
	https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897
	https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e
	https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef
	https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490
	https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/core/hub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49f077106fa07919a6a6dda99bb490dd1d1a8218",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d343fe0fad5c1d689775f2dda24a85ce98e29566",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d3a67adb365cdfdac4620daf38a82e57ca45806c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c3720b04df84b5459050ae4e03ec7d545652f897",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e905a0fca7bff0855d312c16f71e60e1773b393e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "62d8f4c5454dd39aded4f343720d1c5a1803cfef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5b9778e1fe715700993ce436c152dc3b7df0b490",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2240fed37afbcdb5e8b627bc7ad986891100e05d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/core/hub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: hub: Ignore non-compliant devices with too many configs or interfaces\n\nRobert Morris created a test program which can cause\nusb_hub_to_struct_hub() to dereference a NULL or inappropriate\npointer:\n\nOops: general protection fault, probably for non-canonical address\n0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI\nCPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14\nHardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x31/0x80\n ? exc_general_protection+0x1b4/0x3c0\n ? asm_exc_general_protection+0x26/0x30\n ? usb_hub_adjust_deviceremovable+0x78/0x110\n hub_probe+0x7c7/0xab0\n usb_probe_interface+0x14b/0x350\n really_probe+0xd0/0x2d0\n ? __pfx___device_attach_driver+0x10/0x10\n __driver_probe_device+0x6e/0x110\n driver_probe_device+0x1a/0x90\n __device_attach_driver+0x7e/0xc0\n bus_for_each_drv+0x7f/0xd0\n __device_attach+0xaa/0x1a0\n bus_probe_device+0x8b/0xa0\n device_add+0x62e/0x810\n usb_set_configuration+0x65d/0x990\n usb_generic_driver_probe+0x4b/0x70\n usb_probe_device+0x36/0xd0\n\nThe cause of this error is that the device has two interfaces, and the\nhub driver binds to interface 1 instead of interface 0, which is where\nusb_hub_to_struct_hub() looks.\n\nWe can prevent the problem from occurring by refusing to accept hub\ndevices that violate the USB spec by having more than one\nconfiguration or interface."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:56.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218"
        },
        {
          "url": "https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897"
        },
        {
          "url": "https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e"
        },
        {
          "url": "https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490"
        },
        {
          "url": "https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d"
        }
      ],
      "title": "USB: hub: Ignore non-compliant devices with too many configs or interfaces",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21776",
    "datePublished": "2025-02-27T02:18:21.503Z",
    "dateReserved": "2024-12-29T08:45:45.763Z",
    "dateUpdated": "2025-05-04T07:20:56.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21766 (GCVE-0-2025-21766)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear.

References

►

URL

Tags

	https://git.kernel.org/stable/c/ce3c6165fce0f06305c806696882a3ad4b90e33f
	https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e
	https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4
	https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a
	https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e
	https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41

Impacted products

Vendor

Product

Version

►

Linux

Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6
Version: f415c264176e6095e9dee823e09c5bdd0ee0d337
Version: 98776a365da509ad923083ae54b38ee521c52742
Version: 860e2cc78c697c95bc749abb20047239fa1722ea
Version: 2b1be6c925cdf4638811765a9160796291494b89

Linux

Version: 5.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce3c6165fce0f06305c806696882a3ad4b90e33f",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "ea07480b23225942208f1b754fea1e7ec486d37e",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "4583748b65dee4d61bd50a2214715b4237bc152a",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "a39f61d212d822b3062d7f70fa0588e50e55664e",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "139512191bd06f1b496117c76372b2ce372c9a41",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f415c264176e6095e9dee823e09c5bdd0ee0d337",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "98776a365da509ad923083ae54b38ee521c52742",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "860e2cc78c697c95bc749abb20047239fa1722ea",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2b1be6c925cdf4638811765a9160796291494b89",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.200",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:29.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce3c6165fce0f06305c806696882a3ad4b90e33f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e"
        },
        {
          "url": "https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41"
        }
      ],
      "title": "ipv4: use RCU protection in __ip_rt_update_pmtu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21766",
    "datePublished": "2025-02-27T02:18:16.570Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-05-04T13:06:29.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49571 (GCVE-0-2024-49571)

Vulnerability from cvelistv5

Published

2025-01-11 12:35

Modified

2025-05-04 09:39

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg When receiving proposal msg in server, the field iparea_offset and the field ipv6_prefixes_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field iparea_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks iparea_offset and ipv6_prefixes_cnt before using them.

References

►

URL

Tags

	https://git.kernel.org/stable/c/846bada23bfcdeb83621b045ed85dc06c7833ff0
	https://git.kernel.org/stable/c/f10635268a0a49ee902a3b63b5dbb76f4fed498e
	https://git.kernel.org/stable/c/62056d1592e63d85e82357ee2ae6a6a294f440b0
	https://git.kernel.org/stable/c/91a7c27c1444ed4677b83fd5308d2cf03f5f0851
	https://git.kernel.org/stable/c/47ce46349672a7e0c361bfe39ed0b22e824ef4fb
	https://git.kernel.org/stable/c/a29e220d3c8edbf0e1beb0f028878a4a85966556

Impacted products

Vendor

Product

Version

►

Linux

Version: e7b7a64a8493d47433fd003efbe6543e3f676294
Version: e7b7a64a8493d47433fd003efbe6543e3f676294
Version: e7b7a64a8493d47433fd003efbe6543e3f676294
Version: e7b7a64a8493d47433fd003efbe6543e3f676294
Version: e7b7a64a8493d47433fd003efbe6543e3f676294
Version: e7b7a64a8493d47433fd003efbe6543e3f676294

Linux

Version: 4.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "846bada23bfcdeb83621b045ed85dc06c7833ff0",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            },
            {
              "lessThan": "f10635268a0a49ee902a3b63b5dbb76f4fed498e",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            },
            {
              "lessThan": "62056d1592e63d85e82357ee2ae6a6a294f440b0",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            },
            {
              "lessThan": "91a7c27c1444ed4677b83fd5308d2cf03f5f0851",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            },
            {
              "lessThan": "47ce46349672a7e0c361bfe39ed0b22e824ef4fb",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            },
            {
              "lessThan": "a29e220d3c8edbf0e1beb0f028878a4a85966556",
              "status": "affected",
              "version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg\n\nWhen receiving proposal msg in server, the field iparea_offset\nand the field ipv6_prefixes_cnt in proposal msg are from the\nremote client and can not be fully trusted. Especially the\nfield iparea_offset, once exceed the max value, there has the\nchance to access wrong address, and crash may happen.\n\nThis patch checks iparea_offset and ipv6_prefixes_cnt before using them."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:39:27.664Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/846bada23bfcdeb83621b045ed85dc06c7833ff0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f10635268a0a49ee902a3b63b5dbb76f4fed498e"
        },
        {
          "url": "https://git.kernel.org/stable/c/62056d1592e63d85e82357ee2ae6a6a294f440b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/91a7c27c1444ed4677b83fd5308d2cf03f5f0851"
        },
        {
          "url": "https://git.kernel.org/stable/c/47ce46349672a7e0c361bfe39ed0b22e824ef4fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a29e220d3c8edbf0e1beb0f028878a4a85966556"
        }
      ],
      "title": "net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49571",
    "datePublished": "2025-01-11T12:35:36.957Z",
    "dateReserved": "2025-01-11T12:33:33.704Z",
    "dateUpdated": "2025-05-04T09:39:27.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50140 (GCVE-0-2024-50140)

Vulnerability from cvelistv5

Published

2024-11-07 09:31

Modified

2025-05-04 09:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/core: Disable page allocation in task_tick_mm_cid() With KASAN and PREEMPT_RT enabled, calling task_work_add() in task_tick_mm_cid() may cause the following splat. [ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe [ 63.696416] preempt_count: 10001, expected: 0 [ 63.696416] RCU nest depth: 1, expected: 1 This problem is caused by the following call trace. sched_tick() [ acquire rq->__lock ] -> task_tick_mm_cid() -> task_work_add() -> __kasan_record_aux_stack() -> kasan_save_stack() -> stack_depot_save_flags() -> alloc_pages_mpol_noprof() -> __alloc_pages_noprof() -> get_page_from_freelist() -> rmqueue() -> rmqueue_pcplist() -> __rmqueue_pcplist() -> rmqueue_bulk() -> rt_spin_lock() The rq lock is a raw_spinlock_t. We can't sleep while holding it. IOW, we can't call alloc_pages() in stack_depot_save_flags(). The task_tick_mm_cid() function with its task_work_add() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") in v6.4 kernel. Fortunately, there is a kasan_record_aux_stack_noalloc() variant that calls stack_depot_save_flags() while not allowing it to allocate new pages. To allow task_tick_mm_cid() to use task_work without page allocation, a new TWAF_NO_ALLOC flag is added to enable calling kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() if set. The task_tick_mm_cid() function is modified to add this new flag. The possible downside is the missing stack trace in a KASAN report due to new page allocation required when task_work_add_noallloc() is called which should be rare.

References

►

URL

Tags

	https://git.kernel.org/stable/c/509c29d0d26f68a6f6d0a05cb1a89725237e2b87
	https://git.kernel.org/stable/c/ce0241ef83eed55f675376e8a3605d23de53d875
	https://git.kernel.org/stable/c/73ab05aa46b02d96509cb029a8d04fca7bbde8c7

Impacted products

Vendor

Product

Version

►

Linux

Version: 223baf9d17f25e2608dbdff7232c095c1e612268
Version: 223baf9d17f25e2608dbdff7232c095c1e612268
Version: 223baf9d17f25e2608dbdff7232c095c1e612268

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/task_work.h",
            "kernel/sched/core.c",
            "kernel/task_work.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
              "status": "affected",
              "version": "223baf9d17f25e2608dbdff7232c095c1e612268",
              "versionType": "git"
            },
            {
              "lessThan": "ce0241ef83eed55f675376e8a3605d23de53d875",
              "status": "affected",
              "version": "223baf9d17f25e2608dbdff7232c095c1e612268",
              "versionType": "git"
            },
            {
              "lessThan": "73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
              "status": "affected",
              "version": "223baf9d17f25e2608dbdff7232c095c1e612268",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/task_work.h",
            "kernel/sched/core.c",
            "kernel/task_work.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Disable page allocation in task_tick_mm_cid()\n\nWith KASAN and PREEMPT_RT enabled, calling task_work_add() in\ntask_tick_mm_cid() may cause the following splat.\n\n[   63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[   63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe\n[   63.696416] preempt_count: 10001, expected: 0\n[   63.696416] RCU nest depth: 1, expected: 1\n\nThis problem is caused by the following call trace.\n\n  sched_tick() [ acquire rq-\u003e__lock ]\n   -\u003e task_tick_mm_cid()\n    -\u003e task_work_add()\n     -\u003e __kasan_record_aux_stack()\n      -\u003e kasan_save_stack()\n       -\u003e stack_depot_save_flags()\n        -\u003e alloc_pages_mpol_noprof()\n         -\u003e __alloc_pages_noprof()\n\t  -\u003e get_page_from_freelist()\n\t   -\u003e rmqueue()\n\t    -\u003e rmqueue_pcplist()\n\t     -\u003e __rmqueue_pcplist()\n\t      -\u003e rmqueue_bulk()\n\t       -\u003e rt_spin_lock()\n\nThe rq lock is a raw_spinlock_t. We can\u0027t sleep while holding\nit. IOW, we can\u0027t call alloc_pages() in stack_depot_save_flags().\n\nThe task_tick_mm_cid() function with its task_work_add() call was\nintroduced by commit 223baf9d17f2 (\"sched: Fix performance regression\nintroduced by mm_cid\") in v6.4 kernel.\n\nFortunately, there is a kasan_record_aux_stack_noalloc() variant that\ncalls stack_depot_save_flags() while not allowing it to allocate\nnew pages.  To allow task_tick_mm_cid() to use task_work without\npage allocation, a new TWAF_NO_ALLOC flag is added to enable calling\nkasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()\nif set. The task_tick_mm_cid() function is modified to add this new flag.\n\nThe possible downside is the missing stack trace in a KASAN report due\nto new page allocation required when task_work_add_noallloc() is called\nwhich should be rare."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:47:05.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/509c29d0d26f68a6f6d0a05cb1a89725237e2b87"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce0241ef83eed55f675376e8a3605d23de53d875"
        },
        {
          "url": "https://git.kernel.org/stable/c/73ab05aa46b02d96509cb029a8d04fca7bbde8c7"
        }
      ],
      "title": "sched/core: Disable page allocation in task_tick_mm_cid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50140",
    "datePublished": "2024-11-07T09:31:17.379Z",
    "dateReserved": "2024-10-21T19:36:19.956Z",
    "dateUpdated": "2025-05-04T09:47:05.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21700 (GCVE-0-2025-21700)

Vulnerability from cvelistv5

Published

2025-02-13 11:30

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com>

References

►

URL

Tags

	https://git.kernel.org/stable/c/cd796e269123e1994bfc4e99dd76680ba0946a97
	https://git.kernel.org/stable/c/fe18c21d67dc7d1bcce1bba56515b1b0306db19b
	https://git.kernel.org/stable/c/38646749d6e12f9d80a08d21ca39f0beca20230d
	https://git.kernel.org/stable/c/deda09c0543a66fa51554abc5ffd723d99b191bf
	https://git.kernel.org/stable/c/7e2bd8c13b07e29a247c023c7444df23f9a79fd8
	https://git.kernel.org/stable/c/73c7e1d6898ccbeee126194dcc05f58b8a795e70
	https://git.kernel.org/stable/c/46c59ec33ec98aba20c15117630cae43a01404cc
	https://git.kernel.org/stable/c/bc50835e83f60f56e9bec2b392fb5544f250fb6f

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:51:43.457867Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T13:51:59.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cd796e269123e1994bfc4e99dd76680ba0946a97",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe18c21d67dc7d1bcce1bba56515b1b0306db19b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "38646749d6e12f9d80a08d21ca39f0beca20230d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "deda09c0543a66fa51554abc5ffd723d99b191bf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7e2bd8c13b07e29a247c023c7444df23f9a79fd8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "73c7e1d6898ccbeee126194dcc05f58b8a795e70",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "46c59ec33ec98aba20c15117630cae43a01404cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bc50835e83f60f56e9bec2b392fb5544f250fb6f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: Disallow replacing of child qdisc from one parent to another\n\nLion Ackermann was able to create a UAF which can be abused for privilege\nescalation with the following script\n\nStep 1. create root qdisc\ntc qdisc add dev lo root handle 1:0 drr\n\nstep2. a class for packet aggregation do demonstrate uaf\ntc class add dev lo classid 1:1 drr\n\nstep3. a class for nesting\ntc class add dev lo classid 1:2 drr\n\nstep4. a class to graft qdisc to\ntc class add dev lo classid 1:3 drr\n\nstep5.\ntc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024\n\nstep6.\ntc qdisc add dev lo parent 1:2 handle 3:0 drr\n\nstep7.\ntc class add dev lo classid 3:1 drr\n\nstep 8.\ntc qdisc add dev lo parent 3:1 handle 4:0 pfifo\n\nstep 9. Display the class/qdisc layout\n\ntc class ls dev lo\n class drr 1:1 root leaf 2: quantum 64Kb\n class drr 1:2 root leaf 3: quantum 64Kb\n class drr 3:1 root leaf 4: quantum 64Kb\n\ntc qdisc ls\n qdisc drr 1: dev lo root refcnt 2\n qdisc plug 2: dev lo parent 1:1\n qdisc pfifo 4: dev lo parent 3:1 limit 1000p\n qdisc drr 3: dev lo parent 1:2\n\nstep10. trigger the bug \u003c=== prevented by this patch\ntc qdisc replace dev lo parent 1:3 handle 4:0\n\nstep 11. Redisplay again the qdiscs/classes\n\ntc class ls dev lo\n class drr 1:1 root leaf 2: quantum 64Kb\n class drr 1:2 root leaf 3: quantum 64Kb\n class drr 1:3 root leaf 4: quantum 64Kb\n class drr 3:1 root leaf 4: quantum 64Kb\n\ntc qdisc ls\n qdisc drr 1: dev lo root refcnt 2\n qdisc plug 2: dev lo parent 1:1\n qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p\n qdisc drr 3: dev lo parent 1:2\n\nObserve that a) parent for 4:0 does not change despite the replace request.\nThere can only be one parent.  b) refcount has gone up by two for 4:0 and\nc) both class 1:3 and 3:1 are pointing to it.\n\nStep 12.  send one packet to plug\necho \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))\nstep13.  send one packet to the grafted fifo\necho \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))\n\nstep14. lets trigger the uaf\ntc class delete dev lo classid 1:3\ntc class delete dev lo classid 1:1\n\nThe semantics of \"replace\" is for a del/add _on the same node_ and not\na delete from one node(3:1) and add to another node (1:3) as in step10.\nWhile we could \"fix\" with a more complex approach there could be\nconsequences to expectations so the patch takes the preventive approach of\n\"disallow such config\".\n\nJoint work with Lion Ackermann \u003cnnamrec@gmail.com\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:16.975Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cd796e269123e1994bfc4e99dd76680ba0946a97"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe18c21d67dc7d1bcce1bba56515b1b0306db19b"
        },
        {
          "url": "https://git.kernel.org/stable/c/38646749d6e12f9d80a08d21ca39f0beca20230d"
        },
        {
          "url": "https://git.kernel.org/stable/c/deda09c0543a66fa51554abc5ffd723d99b191bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e2bd8c13b07e29a247c023c7444df23f9a79fd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/73c7e1d6898ccbeee126194dcc05f58b8a795e70"
        },
        {
          "url": "https://git.kernel.org/stable/c/46c59ec33ec98aba20c15117630cae43a01404cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc50835e83f60f56e9bec2b392fb5544f250fb6f"
        }
      ],
      "title": "net: sched: Disallow replacing of child qdisc from one parent to another",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21700",
    "datePublished": "2025-02-13T11:30:19.003Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2025-05-04T07:19:16.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58072 (GCVE-0-2024-58072)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures. Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device. However, that function was never used. Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory. Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f801e754efa21bd61b3cc15ec7565696165b272f
	https://git.kernel.org/stable/c/1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9
	https://git.kernel.org/stable/c/8e2fcc68fbaab3ad9f5671fee2be0956134b740a
	https://git.kernel.org/stable/c/1e39b0486cdb496cdfba3bc89886150e46acf6f4
	https://git.kernel.org/stable/c/465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1
	https://git.kernel.org/stable/c/543e3e9f2e9e47ded774c74e680f28a0ca362aee
	https://git.kernel.org/stable/c/006e803af7408c3fc815b0654fc5ab43d34f0154
	https://git.kernel.org/stable/c/2fdac64c3c35858aa8ac5caa70b232e03456e120

Impacted products

Vendor

Product

Version

►

Linux

Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd
Version: 26634c4b1868323f49f8cd24c3493b57819867fd

Linux

Version: 3.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/base.c",
            "drivers/net/wireless/realtek/rtlwifi/base.h",
            "drivers/net/wireless/realtek/rtlwifi/pci.c",
            "drivers/net/wireless/realtek/rtlwifi/wifi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f801e754efa21bd61b3cc15ec7565696165b272f",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "8e2fcc68fbaab3ad9f5671fee2be0956134b740a",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "1e39b0486cdb496cdfba3bc89886150e46acf6f4",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "543e3e9f2e9e47ded774c74e680f28a0ca362aee",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "006e803af7408c3fc815b0654fc5ab43d34f0154",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "2fdac64c3c35858aa8ac5caa70b232e03456e120",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/base.c",
            "drivers/net/wireless/realtek/rtlwifi/base.h",
            "drivers/net/wireless/realtek/rtlwifi/pci.c",
            "drivers/net/wireless/realtek/rtlwifi/wifi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: remove unused check_buddy_priv\n\nCommit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global\nlist of private data structures.\n\nLater on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match\nvendor version 2013.02.07\") started adding the private data to that list at\nprobe time and added a hook, check_buddy_priv to find the private data from\na similar device.\n\nHowever, that function was never used.\n\nBesides, though there is a lock for that list, it is never used. And when\nthe probe fails, the private data is never removed from the list. This\nwould cause a second probe to access freed memory.\n\nRemove the unused hook, structures and members, which will prevent the\npotential race condition on the list and its corruption during a second\nprobe when probe fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:20.322Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f801e754efa21bd61b3cc15ec7565696165b272f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e2fcc68fbaab3ad9f5671fee2be0956134b740a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e39b0486cdb496cdfba3bc89886150e46acf6f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/543e3e9f2e9e47ded774c74e680f28a0ca362aee"
        },
        {
          "url": "https://git.kernel.org/stable/c/006e803af7408c3fc815b0654fc5ab43d34f0154"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fdac64c3c35858aa8ac5caa70b232e03456e120"
        }
      ],
      "title": "wifi: rtlwifi: remove unused check_buddy_priv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58072",
    "datePublished": "2025-03-06T15:54:11.665Z",
    "dateReserved": "2025-03-06T15:52:09.182Z",
    "dateUpdated": "2025-05-04T10:09:20.322Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43802 (GCVE-0-2024-43802)

Vulnerability from cvelistv5

Published

2024-08-26 18:48

Modified

2024-10-04 15:02

Severity ?

4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.

References

►

URL

Tags

	https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh	x_refsource_CONFIRM
	https://github.com/vim/vim/commit/322ba9108612bead5eb	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vim	vim	Version: < 9.1.0697

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T14:28:07.231057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T14:28:30.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-10-04T15:02:49.926Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241004-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.1.0697"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters.  So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It\u0027s not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T18:48:11.979Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh"
        },
        {
          "name": "https://github.com/vim/vim/commit/322ba9108612bead5eb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/322ba9108612bead5eb"
        }
      ],
      "source": {
        "advisory": "GHSA-4ghr-c62x-cqfh",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow in ins_typebuf() in Vim \u003c 9.1.0697"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43802",
    "datePublished": "2024-08-26T18:48:11.979Z",
    "dateReserved": "2024-08-16T14:20:37.326Z",
    "dateUpdated": "2024-10-04T15:02:49.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53147 (GCVE-0-2024-53147)

Vulnerability from cvelistv5

Published

2024-12-24 11:28

Modified

2025-05-04 09:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a0120d6463368378539ef928cf067d02372efb8c
	https://git.kernel.org/stable/c/3ddd1cb2b458ff6a193bc845f408dfff217db29e
	https://git.kernel.org/stable/c/184fa506e392eb78364d9283c961217ff2c0617b

Impacted products

Vendor

Product

Version

►

Linux

Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003
Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003
Version: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a0120d6463368378539ef928cf067d02372efb8c",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "3ddd1cb2b458ff6a193bc845f408dfff217db29e",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "184fa506e392eb78364d9283c961217ff2c0617b",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix out-of-bounds access of directory entries\n\nIn the case of the directory size is greater than or equal to\nthe cluster size, if start_clu becomes an EOF cluster(an invalid\ncluster) due to file system corruption, then the directory entry\nwhere ei-\u003ehint_femp.eidx hint is outside the directory, resulting\nin an out-of-bounds access, which may cause further file system\ncorruption.\n\nThis commit adds a check for start_clu, if it is an invalid cluster,\nthe file or directory will be treated as empty."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:14.255Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a0120d6463368378539ef928cf067d02372efb8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ddd1cb2b458ff6a193bc845f408dfff217db29e"
        },
        {
          "url": "https://git.kernel.org/stable/c/184fa506e392eb78364d9283c961217ff2c0617b"
        }
      ],
      "title": "exfat: fix out-of-bounds access of directory entries",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53147",
    "datePublished": "2024-12-24T11:28:47.695Z",
    "dateReserved": "2024-11-19T17:17:24.998Z",
    "dateUpdated": "2025-05-04T09:54:14.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52426 (GCVE-0-2023-52426)

Vulnerability from cvelistv5

Published

2024-02-04 00:00

Modified

2025-06-17 15:19

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

n/a

Summary

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

References

►

URL

Tags

	https://github.com/libexpat/libexpat/pull/777
	https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404
	https://cwe.mitre.org/data/definitions/776.html
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240307-0005/

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-26T15:54:28.451554Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-776",
                "description": "CWE-776 Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T15:19:48.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:55:41.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/libexpat/libexpat/pull/777"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cwe.mitre.org/data/definitions/776.html"
          },
          {
            "name": "FEDORA-2024-fbe1f0c1aa",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"
          },
          {
            "name": "FEDORA-2024-b8656bc059",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240307-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-07T17:06:55.610Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/libexpat/libexpat/pull/777"
        },
        {
          "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/776.html"
        },
        {
          "name": "FEDORA-2024-fbe1f0c1aa",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"
        },
        {
          "name": "FEDORA-2024-b8656bc059",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240307-0005/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-52426",
    "datePublished": "2024-02-04T00:00:00.000Z",
    "dateReserved": "2024-02-04T00:00:00.000Z",
    "dateUpdated": "2025-06-17T15:19:48.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-24813 (GCVE-0-2025-24813)

Vulnerability from cvelistv5

Published

2025-03-10 16:44

Modified

2025-08-08 11:39

Severity ?

CWE

CWE-44 - Path Equivalence: 'file.name' (Internal Dot)
CWE-502 - Deserialization of Untrusted Data

Summary

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

References

►

URL

Tags

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 11.0.0-M1 ≤ 11.0.2 Version: 10.1.0-M1 ≤ 10.1.34 Version: 9.0.0.M1 ≤ 9.0.98 Version: 8.5.0 ≤ 8.5.100

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-07-21T17:13:17.168Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250321-0001/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-24813",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-01T19:37:06.207441Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-04-01",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:36:18.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-04-01T00:00:00+00:00",
            "value": "CVE-2025-24813 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.2",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.34",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.98",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unknown",
              "version": "3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "COSCO Shipping Lines DIC"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "sw0rd1ight (https://github.com/sw0rd1ight)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePath Equivalence: \u0027file.Name\u0027 (Internal Dot) leading to\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eRemote Code Execution and/or Information disclosure\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eand/or malicious content added to uploaded files via write enabled\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eDefault Servlet\u003c/span\u003e\u0026nbsp;in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eIf all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:\u003cbr\u003e-\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewrites enabled for the default servlet (disabled by default)\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- support for partial PUT (enabled by default)\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- a target URL for security sensitive uploads that was a sub-directory of\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ea target URL for public uploads\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eattacker knowledge of the names of security sensitive files being\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003euploaded\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe security sensitive files also being uploaded via partial PUT\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIf all of the following were true, a malicious user was able to\u003c/span\u003e       perform remote code execution:\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- writes enabled for the default servlet (disabled by default)\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003esupport for partial PUT (enabled by default)\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eapplication was using Tomcat\u0027s file based session persistence with the\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003edefault storage location\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eapplication included a library that may be leveraged in a\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003edeserialization attack\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Path Equivalence: \u0027file.Name\u0027 (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nIf all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to       perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat\u0027s file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-44",
              "description": "CWE-44 Path Equivalence: \u0027file.name\u0027 (Internal Dot)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T11:39:52.257Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-24813",
    "datePublished": "2025-03-10T16:44:03.715Z",
    "dateReserved": "2025-01-24T08:51:50.296Z",
    "dateUpdated": "2025-08-08T11:39:52.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58052 (GCVE-0-2024-58052)

Vulnerability from cvelistv5

Published

2025-03-06 15:53

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table The function atomctrl_get_smc_sclk_range_table() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve SMU_Info table, it returns NULL which is later dereferenced. Found by Linux Verification Center (linuxtesting.org) with SVACE. In practice this should never happen as this code only gets called on polaris chips and the vbios data table will always be present on those chips.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a713ba7167c2d74c477dd7764dbbdbe3199f17f4
	https://git.kernel.org/stable/c/c47066ed7c8f3b320ef87fa6217a2b8b24e127cc
	https://git.kernel.org/stable/c/2396bc91935c6da0588ce07850d07897974bd350
	https://git.kernel.org/stable/c/ae522ad211ec4b72eaf742b25f24b0a406afcba1
	https://git.kernel.org/stable/c/6a30634a2e0f1dd3c6b39fd0f114c32893a9907a
	https://git.kernel.org/stable/c/0b97cd8a61b2b40fd73cf92a4bb2256462d22adb
	https://git.kernel.org/stable/c/396350adf0e5ad4bf05f01e4d79bfb82f0f6c41a
	https://git.kernel.org/stable/c/357445e28ff004d7f10967aa93ddb4bffa5c3688

Impacted products

Vendor

Product

Version

►

Linux

Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c

Linux

Version: 4.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a713ba7167c2d74c477dd7764dbbdbe3199f17f4",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "c47066ed7c8f3b320ef87fa6217a2b8b24e127cc",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "2396bc91935c6da0588ce07850d07897974bd350",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "ae522ad211ec4b72eaf742b25f24b0a406afcba1",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "6a30634a2e0f1dd3c6b39fd0f114c32893a9907a",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "0b97cd8a61b2b40fd73cf92a4bb2256462d22adb",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "396350adf0e5ad4bf05f01e4d79bfb82f0f6c41a",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            },
            {
              "lessThan": "357445e28ff004d7f10967aa93ddb4bffa5c3688",
              "status": "affected",
              "version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table\n\nThe function atomctrl_get_smc_sclk_range_table() does not check the return\nvalue of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to\nretrieve SMU_Info table, it returns NULL which is later dereferenced.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nIn practice this should never happen as this code only gets called\non polaris chips and the vbios data table will always be present on\nthose chips."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:45.473Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a713ba7167c2d74c477dd7764dbbdbe3199f17f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c47066ed7c8f3b320ef87fa6217a2b8b24e127cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2396bc91935c6da0588ce07850d07897974bd350"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae522ad211ec4b72eaf742b25f24b0a406afcba1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a30634a2e0f1dd3c6b39fd0f114c32893a9907a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b97cd8a61b2b40fd73cf92a4bb2256462d22adb"
        },
        {
          "url": "https://git.kernel.org/stable/c/396350adf0e5ad4bf05f01e4d79bfb82f0f6c41a"
        },
        {
          "url": "https://git.kernel.org/stable/c/357445e28ff004d7f10967aa93ddb4bffa5c3688"
        }
      ],
      "title": "drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58052",
    "datePublished": "2025-03-06T15:53:56.877Z",
    "dateReserved": "2025-03-06T15:52:09.178Z",
    "dateUpdated": "2025-05-04T10:08:45.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21790 (GCVE-0-2025-21790)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vxlan: check vxlan_vnigroup_init() return value vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot. Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 unregister_netdevice_many net/core/dev.c:11866 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] __rtnl_newlink net/core/rtnetlink.c:3906 [inline]

References

►

URL

Tags

	https://git.kernel.org/stable/c/79aea5e55156c87dc570e43fcd8bba01b9d6ab3f
	https://git.kernel.org/stable/c/a303649b99b64858d62ce7428125d8e71675d2b6
	https://git.kernel.org/stable/c/e860f847787fbbf0d8dacd638c019c7c3d4a9bd3
	https://git.kernel.org/stable/c/3215f5aafc49aaa993991633833854694e73b439
	https://git.kernel.org/stable/c/5805402dcc56241987bca674a1b4da79a249bab7

Impacted products

Vendor

Product

Version

►

Linux

Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9
Version: f9c4bb0b245cee35ef66f75bf409c9573d934cf9

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "79aea5e55156c87dc570e43fcd8bba01b9d6ab3f",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "a303649b99b64858d62ce7428125d8e71675d2b6",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "e860f847787fbbf0d8dacd638c019c7c3d4a9bd3",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "3215f5aafc49aaa993991633833854694e73b439",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            },
            {
              "lessThan": "5805402dcc56241987bca674a1b4da79a249bab7",
              "status": "affected",
              "version": "f9c4bb0b245cee35ef66f75bf409c9573d934cf9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: check vxlan_vnigroup_init() return value\n\nvxlan_init() must check vxlan_vnigroup_init() success\notherwise a crash happens later, spotted by syzbot.\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167]\nCPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912\nCode: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00\nRSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb\nRDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18\nRBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000\nR13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000\nFS:  00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942\n  unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824\n  unregister_netdevice_many net/core/dev.c:11866 [inline]\n  unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736\n  register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901\n  __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981\n  vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407\n  rtnl_newlink_create net/core/rtnetlink.c:3795 [inline]\n  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:17.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/79aea5e55156c87dc570e43fcd8bba01b9d6ab3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a303649b99b64858d62ce7428125d8e71675d2b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e860f847787fbbf0d8dacd638c019c7c3d4a9bd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3215f5aafc49aaa993991633833854694e73b439"
        },
        {
          "url": "https://git.kernel.org/stable/c/5805402dcc56241987bca674a1b4da79a249bab7"
        }
      ],
      "title": "vxlan: check vxlan_vnigroup_init() return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21790",
    "datePublished": "2025-02-27T02:18:28.375Z",
    "dateReserved": "2024-12-29T08:45:45.766Z",
    "dateUpdated": "2025-05-04T07:21:17.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21855 (GCVE-0-2025-21855)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ==================================================================

References

►

URL

Tags

	https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306
	https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597
	https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9
	https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09
	https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9

Impacted products

Vendor

Product

Version

►

Linux

Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
Version: 032c5e82847a2214c3196a90f0aeba0ce252de58
Version: 032c5e82847a2214c3196a90f0aeba0ce252de58

Linux

Version: 4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21855",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T15:22:53.080311Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T15:32:00.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "501ac6a7e21b82e05207c6b4449812d82820f306",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "093b0e5c90592773863f300b908b741622eef597",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "25dddd01dcc8ef3acff964dbb32eeb0d89f098e9",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "abaff2717470e4b5b7c0c3a90e128b211a23da09",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "bdf5d13aa05ec314d4385b31ac974d6c7e0997c9",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don\u0027t reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb-\u003elen\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n \u003c...\u003e\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n \u003c...\u003e\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n \u003c...\u003e\n The buggy address belongs to the object at c00000024eb48a00 which\n  belongs to the cache skbuff_head_cache of size 224\n=================================================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:37.482Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306"
        },
        {
          "url": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597"
        },
        {
          "url": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
        }
      ],
      "title": "ibmvnic: Don\u0027t reference skb after sending to VIOS",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21855",
    "datePublished": "2025-03-12T09:42:09.251Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:37.482Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56633 (GCVE-0-2024-56633)

Vulnerability from cvelistv5

Published

2024-12-27 15:02

Modified

2025-05-04 10:00

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here.

References

►

URL

Tags

	https://git.kernel.org/stable/c/905d82e6e77d16ec3e089c92b7b59a14899dfc1a
	https://git.kernel.org/stable/c/dbedc7e142df5ea238a46fdd7462c1c42cd36a10
	https://git.kernel.org/stable/c/0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12
	https://git.kernel.org/stable/c/456f08d24afa51b5eb816c42e4ca1c44a247bd42
	https://git.kernel.org/stable/c/206d56f41a1509cadd06e2178c26cb830e45057d
	https://git.kernel.org/stable/c/5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56
	https://git.kernel.org/stable/c/ca70b8baf2bd125b2a4d96e76db79375c07d7ff2

Impacted products

Vendor

Product

Version

►

Linux

Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c

Linux

Version: 4.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_bpf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "905d82e6e77d16ec3e089c92b7b59a14899dfc1a",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "dbedc7e142df5ea238a46fdd7462c1c42cd36a10",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "456f08d24afa51b5eb816c42e4ca1c44a247bd42",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "206d56f41a1509cadd06e2178c26cb830e45057d",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "ca70b8baf2bd125b2a4d96e76db79375c07d7ff2",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_bpf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg\n\nThe current sk memory accounting logic in __SK_REDIRECT is pre-uncharging\ntosend bytes, which is either msg-\u003esg.size or a smaller value apply_bytes.\n\nPotential problems with this strategy are as follows:\n\n- If the actual sent bytes are smaller than tosend, we need to charge some\n  bytes back, as in line 487, which is okay but seems not clean.\n\n- When tosend is set to apply_bytes, as in line 417, and (ret \u003c 0), we may\n  miss uncharging (msg-\u003esg.size - apply_bytes) bytes.\n\n[...]\n415 tosend = msg-\u003esg.size;\n416 if (psock-\u003eapply_bytes \u0026\u0026 psock-\u003eapply_bytes \u003c tosend)\n417   tosend = psock-\u003eapply_bytes;\n[...]\n443 sk_msg_return(sk, msg, tosend);\n444 release_sock(sk);\n446 origsize = msg-\u003esg.size;\n447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,\n448                             msg, tosend, flags);\n449 sent = origsize - msg-\u003esg.size;\n[...]\n454 lock_sock(sk);\n455 if (unlikely(ret \u003c 0)) {\n456   int free = sk_msg_free_nocharge(sk, msg);\n458   if (!cork)\n459     *copied -= free;\n460 }\n[...]\n487 if (eval == __SK_REDIRECT)\n488   sk_mem_charge(sk, tosend - sent);\n[...]\n\nWhen running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply,\nthe following warning will be reported:\n\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0\nModules linked in:\nCPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nWorkqueue: events sk_psock_destroy\nRIP: 0010:inet_sock_destruct+0x190/0x1a0\nRSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206\nRAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800\nRDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900\nRBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0\nR10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400\nR13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100\nFS:  0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x89/0x130\n? inet_sock_destruct+0x190/0x1a0\n? report_bug+0xfc/0x1e0\n? handle_bug+0x5c/0xa0\n? exc_invalid_op+0x17/0x70\n? asm_exc_invalid_op+0x1a/0x20\n? inet_sock_destruct+0x190/0x1a0\n__sk_destruct+0x25/0x220\nsk_psock_destroy+0x2b2/0x310\nprocess_scheduled_works+0xa3/0x3e0\nworker_thread+0x117/0x240\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcf/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x40\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\nIn __SK_REDIRECT, a more concise way is delaying the uncharging after sent\nbytes are finalized, and uncharge this value. When (ret \u003c 0), we shall\ninvoke sk_msg_free.\n\nSame thing happens in case __SK_DROP, when tosend is set to apply_bytes,\nwe may miss uncharging (msg-\u003esg.size - apply_bytes) bytes. The same\nwarning will be reported in selftest.\n\n[...]\n468 case __SK_DROP:\n469 default:\n470 sk_msg_free_partial(sk, msg, tosend);\n471 sk_msg_apply_bytes(psock, tosend);\n472 *copied -= (tosend + delta);\n473 return -EACCES;\n[...]\n\nSo instead of sk_msg_free_partial we can do sk_msg_free here."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:36.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/905d82e6e77d16ec3e089c92b7b59a14899dfc1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbedc7e142df5ea238a46fdd7462c1c42cd36a10"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d6cd1151e26fc7c2d5daa85e8984aaa685a1a12"
        },
        {
          "url": "https://git.kernel.org/stable/c/456f08d24afa51b5eb816c42e4ca1c44a247bd42"
        },
        {
          "url": "https://git.kernel.org/stable/c/206d56f41a1509cadd06e2178c26cb830e45057d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c9e3bb43a354a2245caebbbbb4a5b8c034fdd56"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca70b8baf2bd125b2a4d96e76db79375c07d7ff2"
        }
      ],
      "title": "tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56633",
    "datePublished": "2024-12-27T15:02:31.273Z",
    "dateReserved": "2024-12-27T15:00:39.838Z",
    "dateUpdated": "2025-05-04T10:00:36.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58063 (GCVE-0-2024-58063)

Vulnerability from cvelistv5

Published

2025-03-06 15:54

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: fix memory leaks and invalid access at probe error path Deinitialize at reverse order when probe fails. When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue. And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked. Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").

References

►

URL

Tags

	https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df
	https://git.kernel.org/stable/c/455e0f40b5352186a9095f2135d5c89255e7c39a
	https://git.kernel.org/stable/c/b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7
	https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47
	https://git.kernel.org/stable/c/624cea89a0865a2bc3e00182a6b0f954a94328b4
	https://git.kernel.org/stable/c/32acebca0a51f5e372536bfdc0d7d332ab749013
	https://git.kernel.org/stable/c/6b76bab5c257463302c9e97f5d84d524457468eb
	https://git.kernel.org/stable/c/e7ceefbfd8d447abc8aca8ab993a942803522c06

Impacted products

Vendor

Product

Version

►

Linux

Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d

Linux

Version: 2.6.38

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "455e0f40b5352186a9095f2135d5c89255e7c39a",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "624cea89a0865a2bc3e00182a6b0f954a94328b4",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "32acebca0a51f5e372536bfdc0d7d332ab749013",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "6b76bab5c257463302c9e97f5d84d524457468eb",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "e7ceefbfd8d447abc8aca8ab993a942803522c06",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: fix memory leaks and invalid access at probe error path\n\nDeinitialize at reverse order when probe fails.\n\nWhen init_sw_vars fails, rtl_deinit_core should not be called, specially\nnow that it destroys the rtl_wq workqueue.\n\nAnd call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be\nleaked.\n\nRemove pci_set_drvdata call as it will already be cleaned up by the core\ndriver code and could lead to memory leaks too. cf. commit 8d450935ae7f\n(\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and\ncommit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:07.007Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df"
        },
        {
          "url": "https://git.kernel.org/stable/c/455e0f40b5352186a9095f2135d5c89255e7c39a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47"
        },
        {
          "url": "https://git.kernel.org/stable/c/624cea89a0865a2bc3e00182a6b0f954a94328b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/32acebca0a51f5e372536bfdc0d7d332ab749013"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b76bab5c257463302c9e97f5d84d524457468eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7ceefbfd8d447abc8aca8ab993a942803522c06"
        }
      ],
      "title": "wifi: rtlwifi: fix memory leaks and invalid access at probe error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58063",
    "datePublished": "2025-03-06T15:54:05.258Z",
    "dateReserved": "2025-03-06T15:52:09.181Z",
    "dateUpdated": "2025-05-04T10:09:07.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21810 (GCVE-0-2025-21810)

Vulnerability from cvelistv5

Published

2025-02-27 20:01

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage: // All members of @iter are wild pointers. struct class_dev_iter iter; // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...); // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... }; // Also dereference these wild pointers here. class_dev_iter_exit(&iter); Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().

References

►

URL

Tags

	https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87
	https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c
	https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7
	https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1

Impacted products

Vendor

Product

Version

►

Linux

Version: 7b884b7f24b42fa25e92ed724ad82f137610afaf
Version: 7b884b7f24b42fa25e92ed724ad82f137610afaf
Version: 7b884b7f24b42fa25e92ed724ad82f137610afaf
Version: 7b884b7f24b42fa25e92ed724ad82f137610afaf

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/class.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4b9bc823b0cfdebfed479c0e87d6939c7562e87",
              "status": "affected",
              "version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
              "versionType": "git"
            },
            {
              "lessThan": "1614e75d1a1b63db6421c7a4bf37004720c7376c",
              "status": "affected",
              "version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
              "versionType": "git"
            },
            {
              "lessThan": "5c504e9767b947cf7d4e29b811c0c8b3c53242b7",
              "status": "affected",
              "version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
              "versionType": "git"
            },
            {
              "lessThan": "e128f82f7006991c99a58114f70ef61e937b1ac1",
              "status": "affected",
              "version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/class.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: class: Fix wild pointer dereferences in API class_dev_iter_next()\n\nThere are a potential wild pointer dereferences issue regarding APIs\nclass_dev_iter_(init|next|exit)(), as explained by below typical usage:\n\n// All members of @iter are wild pointers.\nstruct class_dev_iter iter;\n\n// class_dev_iter_init(@iter, @class, ...) checks parameter @class for\n// potential class_to_subsys() error, and it returns void type and does\n// not initialize its output parameter @iter, so caller can not detect\n// the error and continues to invoke class_dev_iter_next(@iter) even if\n// @iter still contains wild pointers.\nclass_dev_iter_init(\u0026iter, ...);\n\n// Dereference these wild pointers in @iter here once suffer the error.\nwhile (dev = class_dev_iter_next(\u0026iter)) { ... };\n\n// Also dereference these wild pointers here.\nclass_dev_iter_exit(\u0026iter);\n\nActually, all callers of these APIs have such usage pattern in kernel tree.\nFix by:\n- Initialize output parameter @iter by memset() in class_dev_iter_init()\n  and give callers prompt by pr_crit() for the error.\n- Check if @iter is valid in class_dev_iter_next()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:40.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87"
        },
        {
          "url": "https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1"
        }
      ],
      "title": "driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21810",
    "datePublished": "2025-02-27T20:01:01.630Z",
    "dateReserved": "2024-12-29T08:45:45.772Z",
    "dateUpdated": "2025-05-04T07:21:40.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58055 (GCVE-0-2024-58055)

Vulnerability from cvelistv5

Published

2025-03-06 15:53

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Don't free command immediately Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694
	https://git.kernel.org/stable/c/38229c35a6d7875697dfb293356407330cfcd23e
	https://git.kernel.org/stable/c/bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a
	https://git.kernel.org/stable/c/f0c33e7d387ccbb6870e73a43c558fefede06614
	https://git.kernel.org/stable/c/16907219ad6763f401700e1b57b2da4f3e07f047
	https://git.kernel.org/stable/c/929b69810eec132b284ffd19047a85d961df9e4d
	https://git.kernel.org/stable/c/e6693595bd1b55af62d057a4136a89d5c2ddf0e9
	https://git.kernel.org/stable/c/c225d006a31949d673e646d585d9569bc28feeb9

Impacted products

Vendor

Product

Version

►

Linux

Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_tcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "38229c35a6d7875697dfb293356407330cfcd23e",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "f0c33e7d387ccbb6870e73a43c558fefede06614",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "16907219ad6763f401700e1b57b2da4f3e07f047",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "929b69810eec132b284ffd19047a85d961df9e4d",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "e6693595bd1b55af62d057a4136a89d5c2ddf0e9",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            },
            {
              "lessThan": "c225d006a31949d673e646d585d9569bc28feeb9",
              "status": "affected",
              "version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_tcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Don\u0027t free command immediately\n\nDon\u0027t prematurely free the command. Wait for the status completion of\nthe sense status. It can be freed then. Otherwise we will double-free\nthe command."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:50.223Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694"
        },
        {
          "url": "https://git.kernel.org/stable/c/38229c35a6d7875697dfb293356407330cfcd23e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0c33e7d387ccbb6870e73a43c558fefede06614"
        },
        {
          "url": "https://git.kernel.org/stable/c/16907219ad6763f401700e1b57b2da4f3e07f047"
        },
        {
          "url": "https://git.kernel.org/stable/c/929b69810eec132b284ffd19047a85d961df9e4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6693595bd1b55af62d057a4136a89d5c2ddf0e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c225d006a31949d673e646d585d9569bc28feeb9"
        }
      ],
      "title": "usb: gadget: f_tcm: Don\u0027t free command immediately",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58055",
    "datePublished": "2025-03-06T15:53:58.951Z",
    "dateReserved": "2025-03-06T15:52:09.179Z",
    "dateUpdated": "2025-05-04T10:08:50.223Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21850 (GCVE-0-2025-21850)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet: Fix crash when a namespace is disabled The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport): [ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] [ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180 as the queue is already torn down when calling submit_bio(); So we need to init the percpu counter in nvmet_ns_enable(), and wait for it to drop to zero in nvmet_ns_disable() to avoid having I/O pending after the namespace has been disabled.

References

►

URL

Tags

	https://git.kernel.org/stable/c/cc0607594f6813342b27c752c6fb6f6eb9980cb5
	https://git.kernel.org/stable/c/4082326807072b71496501b6a0c55ffe8d5092a5

Impacted products

Vendor

Product

Version

►

Linux

Version: 74d16965d7ac378d28ebd833ae6d6a097186a4ec
Version: 74d16965d7ac378d28ebd833ae6d6a097186a4ec

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cc0607594f6813342b27c752c6fb6f6eb9980cb5",
              "status": "affected",
              "version": "74d16965d7ac378d28ebd833ae6d6a097186a4ec",
              "versionType": "git"
            },
            {
              "lessThan": "4082326807072b71496501b6a0c55ffe8d5092a5",
              "status": "affected",
              "version": "74d16965d7ac378d28ebd833ae6d6a097186a4ec",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Fix crash when a namespace is disabled\n\nThe namespace percpu counter protects pending I/O, and we can\nonly safely diable the namespace once the counter drop to zero.\nOtherwise we end up with a crash when running blktests/nvme/058\n(eg for loop transport):\n\n[ 2352.930426] [  T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 2352.930431] [  T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[ 2352.930434] [  T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G        W          6.13.0-rc6 #232\n[ 2352.930438] [  T53909] Tainted: [W]=WARN\n[ 2352.930440] [  T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[ 2352.930443] [  T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\n[ 2352.930449] [  T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180\n\nas the queue is already torn down when calling submit_bio();\n\nSo we need to init the percpu counter in nvmet_ns_enable(), and\nwait for it to drop to zero in nvmet_ns_disable() to avoid having\nI/O pending after the namespace has been disabled."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:31.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cc0607594f6813342b27c752c6fb6f6eb9980cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4082326807072b71496501b6a0c55ffe8d5092a5"
        }
      ],
      "title": "nvmet: Fix crash when a namespace is disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21850",
    "datePublished": "2025-03-12T09:42:05.761Z",
    "dateReserved": "2024-12-29T08:45:45.779Z",
    "dateUpdated": "2025-05-04T07:22:31.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21735 (GCVE-0-2025-21735)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate().

References

►

URL

Tags

	https://git.kernel.org/stable/c/bd249109d266f1d52548c46634a15b71656e0d44
	https://git.kernel.org/stable/c/674e17c5933779a8bf5c15d596fdfcb5ccdebbc2
	https://git.kernel.org/stable/c/10b3f947b609713e04022101f492d288a014ddfa
	https://git.kernel.org/stable/c/d5a461c315e5ff92657f84d8ba50caa5abf5c22a
	https://git.kernel.org/stable/c/172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e
	https://git.kernel.org/stable/c/2ae4bade5a64d126bd18eb66bd419005c5550218
	https://git.kernel.org/stable/c/59c7ed20217c0939862fbf8145bc49d5b3a13f4f
	https://git.kernel.org/stable/c/110b43ef05342d5a11284cc8b21582b698b4ef1c

Impacted products

Vendor

Product

Version

►

Linux

Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f
Version: a1b0b9415817c14d207921582f269d03f848b69f

Linux

Version: 4.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/nci/hci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bd249109d266f1d52548c46634a15b71656e0d44",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "674e17c5933779a8bf5c15d596fdfcb5ccdebbc2",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "10b3f947b609713e04022101f492d288a014ddfa",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "d5a461c315e5ff92657f84d8ba50caa5abf5c22a",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "2ae4bade5a64d126bd18eb66bd419005c5550218",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "59c7ed20217c0939862fbf8145bc49d5b3a13f4f",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            },
            {
              "lessThan": "110b43ef05342d5a11284cc8b21582b698b4ef1c",
              "status": "affected",
              "version": "a1b0b9415817c14d207921582f269d03f848b69f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/nci/hci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Add bounds checking in nci_hci_create_pipe()\n\nThe \"pipe\" variable is a u8 which comes from the network.  If it\u0027s more\nthan 127, then it results in memory corruption in the caller,\nnci_hci_connect_gate()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:02.409Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bd249109d266f1d52548c46634a15b71656e0d44"
        },
        {
          "url": "https://git.kernel.org/stable/c/674e17c5933779a8bf5c15d596fdfcb5ccdebbc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/10b3f947b609713e04022101f492d288a014ddfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5a461c315e5ff92657f84d8ba50caa5abf5c22a"
        },
        {
          "url": "https://git.kernel.org/stable/c/172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ae4bade5a64d126bd18eb66bd419005c5550218"
        },
        {
          "url": "https://git.kernel.org/stable/c/59c7ed20217c0939862fbf8145bc49d5b3a13f4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/110b43ef05342d5a11284cc8b21582b698b4ef1c"
        }
      ],
      "title": "NFC: nci: Add bounds checking in nci_hci_create_pipe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21735",
    "datePublished": "2025-02-27T02:12:12.202Z",
    "dateReserved": "2024-12-29T08:45:45.756Z",
    "dateUpdated": "2025-05-04T07:20:02.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21705 (GCVE-0-2025-21705)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07 RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293 RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928 R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000 R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000 FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493 release_sock+0x1aa/0x1f0 net/core/sock.c:3640 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline] __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6e86ebfe69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69 RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508 </TASK> The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors. Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out.

References

►

URL

Tags

	https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884
	https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d
	https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a
	https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079
	https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71

Impacted products

Vendor

Product

Version

►

Linux

Version: b7bb71dfb541df376c21c24451369fea83c4f327
Version: c2b2ae3925b65070adb27d5a31a31c376f26dec7
Version: c2b2ae3925b65070adb27d5a31a31c376f26dec7
Version: c2b2ae3925b65070adb27d5a31a31c376f26dec7
Version: c2b2ae3925b65070adb27d5a31a31c376f26dec7
Version: 9c998d59a6b1359ad43d1ef38538af5f55fd01a2

Linux

Version: 6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "73e268b4be27b36ae68ea10755cb003f43b38884",
              "status": "affected",
              "version": "b7bb71dfb541df376c21c24451369fea83c4f327",
              "versionType": "git"
            },
            {
              "lessThan": "0263fb2e7b7b88075a5d86e74c4384ee4400828d",
              "status": "affected",
              "version": "c2b2ae3925b65070adb27d5a31a31c376f26dec7",
              "versionType": "git"
            },
            {
              "lessThan": "84ac44d9fed3a56440971cbd7600a02b70b5b32a",
              "status": "affected",
              "version": "c2b2ae3925b65070adb27d5a31a31c376f26dec7",
              "versionType": "git"
            },
            {
              "lessThan": "6ec806762318a4adde0ea63342d42d0feae95079",
              "status": "affected",
              "version": "c2b2ae3925b65070adb27d5a31a31c376f26dec7",
              "versionType": "git"
            },
            {
              "lessThan": "619af16b3b57a3a4ee50b9a30add9ff155541e71",
              "status": "affected",
              "version": "c2b2ae3925b65070adb27d5a31a31c376f26dec7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c998d59a6b1359ad43d1ef38538af5f55fd01a2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n  WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n  RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 \u003c0f\u003e 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n  RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n  RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n  R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n  R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n  FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n   mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n   release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n   inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n   __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n   mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f6e86ebfe69\n  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n  RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n  RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n  R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n   \u003c/TASK\u003e\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:24.726Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884"
        },
        {
          "url": "https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d"
        },
        {
          "url": "https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079"
        },
        {
          "url": "https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71"
        }
      ],
      "title": "mptcp: handle fastopen disconnect correctly",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21705",
    "datePublished": "2025-02-27T02:07:19.764Z",
    "dateReserved": "2024-12-29T08:45:45.751Z",
    "dateUpdated": "2025-05-04T13:06:24.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21857 (GCVE-0-2025-21857)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change(). fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced. Example trace: BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace: tcf_action_init+0x1f8/0x2c0 tcf_exts_validate_ex+0x175/0x190 fl_change+0x537/0x1120 [cls_flower]

References

►

URL

Tags

	https://git.kernel.org/stable/c/de4b679aa3b4da7ec34f639df068b914f20e3c3c
	https://git.kernel.org/stable/c/3e4c56cf41876ef2a82f0877fe2a67648f8632b8
	https://git.kernel.org/stable/c/3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a
	https://git.kernel.org/stable/c/071ed42cff4fcdd89025d966d48eabef59913bf2

Impacted products

Vendor

Product

Version

►

Linux

Version: 80cd22c35c9001fe72bf614d29439de41933deca
Version: 80cd22c35c9001fe72bf614d29439de41933deca
Version: 80cd22c35c9001fe72bf614d29439de41933deca
Version: 80cd22c35c9001fe72bf614d29439de41933deca

Linux

Version: 6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de4b679aa3b4da7ec34f639df068b914f20e3c3c",
              "status": "affected",
              "version": "80cd22c35c9001fe72bf614d29439de41933deca",
              "versionType": "git"
            },
            {
              "lessThan": "3e4c56cf41876ef2a82f0877fe2a67648f8632b8",
              "status": "affected",
              "version": "80cd22c35c9001fe72bf614d29439de41933deca",
              "versionType": "git"
            },
            {
              "lessThan": "3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a",
              "status": "affected",
              "version": "80cd22c35c9001fe72bf614d29439de41933deca",
              "versionType": "git"
            },
            {
              "lessThan": "071ed42cff4fcdd89025d966d48eabef59913bf2",
              "status": "affected",
              "version": "80cd22c35c9001fe72bf614d29439de41933deca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: fix error handling causing NULL dereference\n\ntcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can\nreturn 1 if the allocation succeeded after wrapping. This was treated as\nan error, with value 1 returned to caller tcf_exts_init_ex() which sets\nexts-\u003eactions to NULL and returns 1 to caller fl_change().\n\nfl_change() treats err == 1 as success, calling tcf_exts_validate_ex()\nwhich calls tcf_action_init() with exts-\u003eactions as argument, where it\nis dereferenced.\n\nExample trace:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1\nRIP: 0010:tcf_action_init+0x1f8/0x2c0\nCall Trace:\n tcf_action_init+0x1f8/0x2c0\n tcf_exts_validate_ex+0x175/0x190\n fl_change+0x537/0x1120 [cls_flower]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:39.626Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de4b679aa3b4da7ec34f639df068b914f20e3c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e4c56cf41876ef2a82f0877fe2a67648f8632b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/071ed42cff4fcdd89025d966d48eabef59913bf2"
        }
      ],
      "title": "net/sched: cls_api: fix error handling causing NULL dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21857",
    "datePublished": "2025-03-12T09:42:10.622Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:39.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21731 (GCVE-0-2025-21731)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
	https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
	https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
	https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
	https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
	https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
	https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
	https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1

Impacted products

Vendor

Product

Version

►

Linux

Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd

Linux

Version: 4.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21731",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:00.860096Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.838Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e70a578487a47d7cf058904141e586684d1c3381",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "6bef6222a3f6c7adb6396f77f25a3579d821b09a",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "e3be8862d73cac833e0fb7602636c19c6cb94b11",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "e7343fa33751cb07c1c56b666bf37cfca357130e",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "d208d2c52b652913b5eefc8ca434b0d6b757f68f",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            },
            {
              "lessThan": "844b8cdc681612ff24df62cdefddeab5772fadf1",
              "status": "affected",
              "version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don\u0027t allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd-\u003erecv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -\u003e succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -\u003e succeed\n   nbd_reconnect_socket\n    queue_work(nbd-\u003erecv_workq, \u0026args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -\u003e nbd_config is freed\n   atomic_dec(\u0026config-\u003erecv_threads)\n   -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:56.650Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739"
        },
        {
          "url": "https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302"
        },
        {
          "url": "https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1"
        }
      ],
      "title": "nbd: don\u0027t allow reconnect after disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21731",
    "datePublished": "2025-02-27T02:07:35.927Z",
    "dateReserved": "2024-12-29T08:45:45.755Z",
    "dateUpdated": "2025-05-04T07:19:56.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21733 (GCVE-0-2025-21733)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix resetting of tracepoints If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD disabled, but then that option is enabled and timerlat is removed, the tracepoints that were enabled on timerlat registration do not get disabled. If the option is disabled again and timelat is started, then it triggers a warning in the tracepoint code due to registering the tracepoint again without ever disabling it. Do not use the same user space defined options to know to disable the tracepoints when timerlat is removed. Instead, set a global flag when it is enabled and use that flag to know to disable the events. ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo nop > /sys/kernel/tracing/current_tracer ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer Triggers: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 Modules linked in: CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __warn.cold+0xb7/0x14d ? tracepoint_add_func+0x3b6/0x3f0 ? report_bug+0xea/0x170 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? tracepoint_add_func+0x3b6/0x3f0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? __pfx_trace_sched_migrate_callback+0x10/0x10 tracepoint_probe_register+0x78/0xb0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 osnoise_workload_start+0x2b5/0x370 timerlat_tracer_init+0x76/0x1b0 tracing_set_tracer+0x244/0x400 tracing_set_trace_write+0xa0/0xe0 vfs_write+0xfc/0x570 ? do_sys_openat2+0x9c/0xe0 ksys_write+0x72/0xf0 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

References

►

URL

Tags

	https://git.kernel.org/stable/c/ee8c4c39a8f97467d63adfe03bcd45139d8c8b53
	https://git.kernel.org/stable/c/b45707c3c0671d9c49fa7b94c197a508aa55d16f
	https://git.kernel.org/stable/c/e482cecd2305be1e3e6a8ee70c9b86c511484f7b
	https://git.kernel.org/stable/c/e3ff4245928f948f3eb2e852aa350b870421c358

Impacted products

Vendor

Product

Version

►

Linux

Version: e88ed227f639ebcb31ed4e5b88756b47d904584b
Version: e88ed227f639ebcb31ed4e5b88756b47d904584b
Version: e88ed227f639ebcb31ed4e5b88756b47d904584b
Version: e88ed227f639ebcb31ed4e5b88756b47d904584b

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_osnoise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee8c4c39a8f97467d63adfe03bcd45139d8c8b53",
              "status": "affected",
              "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
              "versionType": "git"
            },
            {
              "lessThan": "b45707c3c0671d9c49fa7b94c197a508aa55d16f",
              "status": "affected",
              "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
              "versionType": "git"
            },
            {
              "lessThan": "e482cecd2305be1e3e6a8ee70c9b86c511484f7b",
              "status": "affected",
              "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
              "versionType": "git"
            },
            {
              "lessThan": "e3ff4245928f948f3eb2e852aa350b870421c358",
              "status": "affected",
              "version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_osnoise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix resetting of tracepoints\n\nIf a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD\ndisabled, but then that option is enabled and timerlat is removed, the\ntracepoints that were enabled on timerlat registration do not get\ndisabled. If the option is disabled again and timelat is started, then it\ntriggers a warning in the tracepoint code due to registering the\ntracepoint again without ever disabling it.\n\nDo not use the same user space defined options to know to disable the\ntracepoints when timerlat is removed. Instead, set a global flag when it\nis enabled and use that flag to know to disable the events.\n\n ~# echo NO_OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo timerlat \u003e /sys/kernel/tracing/current_tracer\n ~# echo OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo nop \u003e /sys/kernel/tracing/current_tracer\n ~# echo NO_OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo timerlat \u003e /sys/kernel/tracing/current_tracer\n\nTriggers:\n\n ------------[ cut here ]------------\n WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0\n Modules linked in:\n CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:tracepoint_add_func+0x3b6/0x3f0\n Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff \u003c0f\u003e 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b\n RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202\n RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410\n RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002\n R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001\n R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008\n FS:  00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  ? __warn.cold+0xb7/0x14d\n  ? tracepoint_add_func+0x3b6/0x3f0\n  ? report_bug+0xea/0x170\n  ? handle_bug+0x58/0x90\n  ? exc_invalid_op+0x17/0x70\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  ? tracepoint_add_func+0x3b6/0x3f0\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  tracepoint_probe_register+0x78/0xb0\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  osnoise_workload_start+0x2b5/0x370\n  timerlat_tracer_init+0x76/0x1b0\n  tracing_set_tracer+0x244/0x400\n  tracing_set_trace_write+0xa0/0xe0\n  vfs_write+0xfc/0x570\n  ? do_sys_openat2+0x9c/0xe0\n  ksys_write+0x72/0xf0\n  do_syscall_64+0x79/0x1c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:59.585Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee8c4c39a8f97467d63adfe03bcd45139d8c8b53"
        },
        {
          "url": "https://git.kernel.org/stable/c/b45707c3c0671d9c49fa7b94c197a508aa55d16f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e482cecd2305be1e3e6a8ee70c9b86c511484f7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3ff4245928f948f3eb2e852aa350b870421c358"
        }
      ],
      "title": "tracing/osnoise: Fix resetting of tracepoints",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21733",
    "datePublished": "2025-02-27T02:12:11.145Z",
    "dateReserved": "2024-12-29T08:45:45.756Z",
    "dateUpdated": "2025-05-04T07:19:59.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52926 (GCVE-0-2023-52926)

Vulnerability from cvelistv5

Published

2025-02-24 09:01

Modified

2025-05-04 07:46

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context.

References

►

URL

Tags

	https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007
	https://git.kernel.org/stable/c/6c27fc6a783c8a77c756dd5461b15e465020d075
	https://git.kernel.org/stable/c/a08d195b586a217d76b42062f88f375a3eedda4d

Impacted products

Vendor

Product

Version

►

Linux

Version: 2b188cc1bb857a9d4701ae59aa7768b5124e262e
Version: 2b188cc1bb857a9d4701ae59aa7768b5124e262e
Version: 2b188cc1bb857a9d4701ae59aa7768b5124e262e

Linux

Version: 5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T16:27:48.354683Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T17:35:11.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "72060434a14caea20925e492310d6e680e3f9007",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            },
            {
              "lessThan": "6c27fc6a783c8a77c756dd5461b15e465020d075",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            },
            {
              "lessThan": "a08d195b586a217d76b42062f88f375a3eedda4d",
              "status": "affected",
              "version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIORING_OP_READ did not correctly consume the provided buffer list when\nread i/o returned \u003c 0 (except for -EAGAIN and -EIOCBQUEUED return).\nThis can lead to a potential use-after-free when the completion via\nio_rw_done runs at separate context."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:46:08.905Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c27fc6a783c8a77c756dd5461b15e465020d075"
        },
        {
          "url": "https://git.kernel.org/stable/c/a08d195b586a217d76b42062f88f375a3eedda4d"
        }
      ],
      "title": "io_uring/rw: split io_read() into a helper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52926",
    "datePublished": "2025-02-24T09:01:19.209Z",
    "dateReserved": "2024-08-21T06:07:11.018Z",
    "dateUpdated": "2025-05-04T07:46:08.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56640 (GCVE-0-2024-56640)

Vulnerability from cvelistv5

Published

2024-12-27 15:02

Modified

2025-05-04 10:00

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b
	https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295
	https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226
	https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb
	https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7

Impacted products

Vendor

Product

Version

►

Linux

Version: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8
Version: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8
Version: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8
Version: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8
Version: 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8

Linux

Version: 4.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56640",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:41:51.231757Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:45:22.074Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f502a88fdd415647a1f2dc45fac71b9c522a052b",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "0cf598548a6c36d90681d53c6b77d52363f2f295",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "673d606683ac70bc074ca6676b938bff18635226",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "6f0ae06a234a78ae137064f2c89135ac078a00eb",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            },
            {
              "lessThan": "2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7",
              "status": "affected",
              "version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n  refcount_warn_saturate+0x9c/0x140\n  __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n  smc_lgr_terminate_work+0x28/0x30 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n  refcount_warn_saturate+0xf0/0x140\n  smcr_link_put+0x1cc/0x1d8 [smc]\n  smc_conn_free+0x110/0x1b0 [smc]\n  smc_conn_abort+0x50/0x60 [smc]\n  smc_listen_find_device+0x75c/0x790 [smc]\n  smc_listen_work+0x368/0x8a0 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock        | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk)               | smc_conn_abort\nsmc_conn_free               | \\- smc_conn_free\n\\- smcr_link_put            |    \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:00:47.260Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295"
        },
        {
          "url": "https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7"
        }
      ],
      "title": "net/smc: fix LGR and link use-after-free issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56640",
    "datePublished": "2024-12-27T15:02:42.253Z",
    "dateReserved": "2024-12-27T15:00:39.839Z",
    "dateUpdated": "2025-05-04T10:00:47.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57807 (GCVE-0-2024-57807)

Vulnerability from cvelistv5

Published

2025-01-11 12:39

Modified

2025-05-04 10:05

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix for a potential deadlock This fixes a 'possible circular locking dependency detected' warning CPU0 CPU1 ---- ---- lock(&instance->reset_mutex); lock(&shost->scan_mutex); lock(&instance->reset_mutex); lock(&shost->scan_mutex); Fix this by temporarily releasing the reset_mutex.

References

►

URL

Tags

	https://git.kernel.org/stable/c/78afb9bfad00c4aa58a424111d7edbcab9452f2b
	https://git.kernel.org/stable/c/f36d024bd15ed356a80dda3ddc46d0a62aa55815
	https://git.kernel.org/stable/c/3c654998a3e8167a58b6c6fede545fe400a4b554
	https://git.kernel.org/stable/c/edadc693bfcc0f1ea08b8fa041c9361fd042410d
	https://git.kernel.org/stable/c/f50783148ec98a1d38b87422e2ceaf2380b7b606
	https://git.kernel.org/stable/c/466ca39dbf5d0ba71c16b15c27478a9c7d4022a8
	https://git.kernel.org/stable/c/50740f4dc78b41dec7c8e39772619d5ba841ddd7

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/megaraid/megaraid_sas_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78afb9bfad00c4aa58a424111d7edbcab9452f2b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f36d024bd15ed356a80dda3ddc46d0a62aa55815",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3c654998a3e8167a58b6c6fede545fe400a4b554",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "edadc693bfcc0f1ea08b8fa041c9361fd042410d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f50783148ec98a1d38b87422e2ceaf2380b7b606",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "466ca39dbf5d0ba71c16b15c27478a9c7d4022a8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "50740f4dc78b41dec7c8e39772619d5ba841ddd7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/megaraid/megaraid_sas_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.289",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.123",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.69",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix for a potential deadlock\n\nThis fixes a \u0027possible circular locking dependency detected\u0027 warning\n      CPU0                    CPU1\n      ----                    ----\n lock(\u0026instance-\u003ereset_mutex);\n                              lock(\u0026shost-\u003escan_mutex);\n                              lock(\u0026instance-\u003ereset_mutex);\n lock(\u0026shost-\u003escan_mutex);\n\nFix this by temporarily releasing the reset_mutex."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:15.485Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78afb9bfad00c4aa58a424111d7edbcab9452f2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f36d024bd15ed356a80dda3ddc46d0a62aa55815"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c654998a3e8167a58b6c6fede545fe400a4b554"
        },
        {
          "url": "https://git.kernel.org/stable/c/edadc693bfcc0f1ea08b8fa041c9361fd042410d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f50783148ec98a1d38b87422e2ceaf2380b7b606"
        },
        {
          "url": "https://git.kernel.org/stable/c/466ca39dbf5d0ba71c16b15c27478a9c7d4022a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/50740f4dc78b41dec7c8e39772619d5ba841ddd7"
        }
      ],
      "title": "scsi: megaraid_sas: Fix for a potential deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57807",
    "datePublished": "2025-01-11T12:39:53.645Z",
    "dateReserved": "2025-01-11T12:33:33.728Z",
    "dateUpdated": "2025-05-04T10:05:15.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21667 (GCVE-0-2025-21667)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem.

References

►

URL

Tags

	https://git.kernel.org/stable/c/7ca4bd6b754913910151acce00be093f03642725
	https://git.kernel.org/stable/c/91371922704c8d82049ef7c2ad974d0a2cd1174d
	https://git.kernel.org/stable/c/402ce16421477e27f30b57d6d1a6dc248fa3a4e4
	https://git.kernel.org/stable/c/c13094b894de289514d84b8db56d1f2931a0bade

Impacted products

Vendor

Product

Version

►

Linux

Version: 38be53c3fd7f4f4bd5de319a323d72f9f6beb16d
Version: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78
Version: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78
Version: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/iomap/buffered-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ca4bd6b754913910151acce00be093f03642725",
              "status": "affected",
              "version": "38be53c3fd7f4f4bd5de319a323d72f9f6beb16d",
              "versionType": "git"
            },
            {
              "lessThan": "91371922704c8d82049ef7c2ad974d0a2cd1174d",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            },
            {
              "lessThan": "402ce16421477e27f30b57d6d1a6dc248fa3a4e4",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            },
            {
              "lessThan": "c13094b894de289514d84b8db56d1f2931a0bade",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/iomap/buffered-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "6.1.92",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: avoid avoid truncating 64-bit offset to 32 bits\n\non 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a\n32-bit position due to folio_next_index() returning an unsigned long.\nThis could lead to an infinite loop when writing to an xfs filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:34.496Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ca4bd6b754913910151acce00be093f03642725"
        },
        {
          "url": "https://git.kernel.org/stable/c/91371922704c8d82049ef7c2ad974d0a2cd1174d"
        },
        {
          "url": "https://git.kernel.org/stable/c/402ce16421477e27f30b57d6d1a6dc248fa3a4e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13094b894de289514d84b8db56d1f2931a0bade"
        }
      ],
      "title": "iomap: avoid avoid truncating 64-bit offset to 32 bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21667",
    "datePublished": "2025-01-31T11:25:31.792Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-05-04T07:18:34.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-38606 (GCVE-0-2024-38606)

Vulnerability from cvelistv5

Published

2024-06-19 13:48

Modified

2025-05-04 09:15

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - validate slices count returned by FW The function adf_send_admin_tl_start() enables the telemetry (TL) feature on a QAT device by sending the ICP_QAT_FW_TL_START message to the firmware. This triggers the FW to start writing TL data to a DMA buffer in memory and returns an array containing the number of accelerators of each type (slices) supported by this HW. The pointer to this array is stored in the adf_tl_hw_data data structure called slice_cnt. The array slice_cnt is then used in the function tl_print_dev_data() to report in debugfs only statistics about the supported accelerators. An incorrect value of the elements in slice_cnt might lead to an out of bounds memory read. At the moment, there isn't an implementation of FW that returns a wrong value, but for robustness validate the slice count array returned by FW.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77
	https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82
	https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c

Impacted products

Vendor

Product

Version

►

Linux

Version: 69e7649f7cc2aaa7889174456d39319a623c1a18
Version: 69e7649f7cc2aaa7889174456d39319a623c1a18
Version: 69e7649f7cc2aaa7889174456d39319a623c1a18

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-24T18:15:45.557603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-24T18:15:53.748Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.956Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c",
            "drivers/crypto/intel/qat/qat_common/adf_telemetry.c",
            "drivers/crypto/intel/qat/qat_common/adf_telemetry.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e57ed345e2e6043629fc74aa5be051415dcc4f77",
              "status": "affected",
              "version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
              "versionType": "git"
            },
            {
              "lessThan": "9b284b915e2a5e63ca133353f8c456eff4446f82",
              "status": "affected",
              "version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
              "versionType": "git"
            },
            {
              "lessThan": "483fd65ce29317044d1d00757e3fd23503b6b04c",
              "status": "affected",
              "version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c",
            "drivers/crypto/intel/qat/qat_common/adf_telemetry.c",
            "drivers/crypto/intel/qat/qat_common/adf_telemetry.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.12",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - validate slices count returned by FW\n\nThe function adf_send_admin_tl_start() enables the telemetry (TL)\nfeature on a QAT device by sending the ICP_QAT_FW_TL_START message to\nthe firmware. This triggers the FW to start writing TL data to a DMA\nbuffer in memory and returns an array containing the number of\naccelerators of each type (slices) supported by this HW.\nThe pointer to this array is stored in the adf_tl_hw_data data\nstructure called slice_cnt.\n\nThe array slice_cnt is then used in the function tl_print_dev_data()\nto report in debugfs only statistics about the supported accelerators.\nAn incorrect value of the elements in slice_cnt might lead to an out\nof bounds memory read.\nAt the moment, there isn\u0027t an implementation of FW that returns a wrong\nvalue, but for robustness validate the slice count array returned by FW."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:15:09.243Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82"
        },
        {
          "url": "https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c"
        }
      ],
      "title": "crypto: qat - validate slices count returned by FW",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-38606",
    "datePublished": "2024-06-19T13:48:16.428Z",
    "dateReserved": "2024-06-18T19:36:34.935Z",
    "dateUpdated": "2025-05-04T09:15:09.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21734 (GCVE-0-2025-21734)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix copy buffer page size For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead of absolute address.

References

►

URL

Tags

	https://git.kernel.org/stable/c/c56ba3ea8e3c9a69a992aad18f7a65e43e51d623
	https://git.kernel.org/stable/c/c0464bad0e85fcd5d47e4297d1e410097c979e55
	https://git.kernel.org/stable/c/24a79c6bc8de763f7c50f4f84f8b0c183bc25a51
	https://git.kernel.org/stable/c/c3f7161123fcbdc64e90119ccce292d8b66281c4
	https://git.kernel.org/stable/c/e966eae72762ecfdbdb82627e2cda48845b9dd66

Impacted products

Vendor

Product

Version

►

Linux

Version: 02b45b47fbe84e23699bb6bdc74d4c2780e282b4
Version: 02b45b47fbe84e23699bb6bdc74d4c2780e282b4
Version: 02b45b47fbe84e23699bb6bdc74d4c2780e282b4
Version: 02b45b47fbe84e23699bb6bdc74d4c2780e282b4
Version: 02b45b47fbe84e23699bb6bdc74d4c2780e282b4

Linux

Version: 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/fastrpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c56ba3ea8e3c9a69a992aad18f7a65e43e51d623",
              "status": "affected",
              "version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
              "versionType": "git"
            },
            {
              "lessThan": "c0464bad0e85fcd5d47e4297d1e410097c979e55",
              "status": "affected",
              "version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
              "versionType": "git"
            },
            {
              "lessThan": "24a79c6bc8de763f7c50f4f84f8b0c183bc25a51",
              "status": "affected",
              "version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
              "versionType": "git"
            },
            {
              "lessThan": "c3f7161123fcbdc64e90119ccce292d8b66281c4",
              "status": "affected",
              "version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
              "versionType": "git"
            },
            {
              "lessThan": "e966eae72762ecfdbdb82627e2cda48845b9dd66",
              "status": "affected",
              "version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/fastrpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix copy buffer page size\n\nFor non-registered buffer, fastrpc driver copies the buffer and\npass it to the remote subsystem. There is a problem with current\nimplementation of page size calculation which is not considering\nthe offset in the calculation. This might lead to passing of\nimproper and out-of-bounds page size which could result in\nmemory issue. Calculate page start and page end using the offset\nadjusted address instead of absolute address."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:00.916Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c56ba3ea8e3c9a69a992aad18f7a65e43e51d623"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0464bad0e85fcd5d47e4297d1e410097c979e55"
        },
        {
          "url": "https://git.kernel.org/stable/c/24a79c6bc8de763f7c50f4f84f8b0c183bc25a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3f7161123fcbdc64e90119ccce292d8b66281c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e966eae72762ecfdbdb82627e2cda48845b9dd66"
        }
      ],
      "title": "misc: fastrpc: Fix copy buffer page size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21734",
    "datePublished": "2025-02-27T02:12:11.663Z",
    "dateReserved": "2024-12-29T08:45:45.756Z",
    "dateUpdated": "2025-05-04T07:20:00.916Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56579 (GCVE-0-2024-56579)

Vulnerability from cvelistv5

Published

2024-12-27 14:23

Modified

2025-05-04 09:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: amphion: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops.

References

►

URL

Tags

	https://git.kernel.org/stable/c/cfe96c7c3382293179e291f66644d789e39e99f3
	https://git.kernel.org/stable/c/988cc10ddbdee0369fe1f193d389da38ad760492
	https://git.kernel.org/stable/c/182b9edc02c4cbb6fe6b97105c23c7047a3340d2
	https://git.kernel.org/stable/c/8cbb1a7bd5973b57898b26eb804fe44af440bb63

Impacted products

Vendor

Product

Version

►

Linux

Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922
Version: 3cd084519c6f91cbef9d604bcf26844fa81d4922

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/amphion/vpu_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cfe96c7c3382293179e291f66644d789e39e99f3",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "988cc10ddbdee0369fe1f193d389da38ad760492",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "182b9edc02c4cbb6fe6b97105c23c7047a3340d2",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            },
            {
              "lessThan": "8cbb1a7bd5973b57898b26eb804fe44af440bb63",
              "status": "affected",
              "version": "3cd084519c6f91cbef9d604bcf26844fa81d4922",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/amphion/vpu_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: Set video drvdata before register video device\n\nThe video drvdata should be set before the video device is registered,\notherwise video_drvdata() may return NULL in the open() file ops, and led\nto oops."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:54.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cfe96c7c3382293179e291f66644d789e39e99f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/988cc10ddbdee0369fe1f193d389da38ad760492"
        },
        {
          "url": "https://git.kernel.org/stable/c/182b9edc02c4cbb6fe6b97105c23c7047a3340d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cbb1a7bd5973b57898b26eb804fe44af440bb63"
        }
      ],
      "title": "media: amphion: Set video drvdata before register video device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56579",
    "datePublished": "2024-12-27T14:23:21.438Z",
    "dateReserved": "2024-12-27T14:03:05.999Z",
    "dateUpdated": "2025-05-04T09:58:54.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49761 (GCVE-0-2024-49761)

Vulnerability from cvelistv5

Published

2024-10-28 14:10

Modified

2024-12-27 16:03

Severity ?

6.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Summary

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

References

►

URL

Tags

	https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m	x_refsource_CONFIRM
	https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f	x_refsource_MISC
	https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ruby	rexml	Version: < 3.3.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ruby:rexml:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rexml",
            "vendor": "ruby",
            "versions": [
              {
                "lessThan": "3.3.9",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49761",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-28T14:57:03.712021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-28T14:58:24.116Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-27T16:03:07.802Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241227-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rexml",
          "vendor": "ruby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.3.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between \u0026# and x...; in a hex numeric character reference (\u0026#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-28T14:10:23.212Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m"
        },
        {
          "name": "https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f"
        },
        {
          "name": "https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761"
        }
      ],
      "source": {
        "advisory": "GHSA-2rxp-v6pw-ch6m",
        "discovery": "UNKNOWN"
      },
      "title": "REXML ReDoS vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-49761",
    "datePublished": "2024-10-28T14:10:23.212Z",
    "dateReserved": "2024-10-18T13:43:23.455Z",
    "dateUpdated": "2024-12-27T16:03:07.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21635 (GCVE-0-2025-21635)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 07:17

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The per-netns structure can be obtained from the table->data using container_of(), then the 'net' one can be retrieved from the listen socket (if available).

References

►

URL

Tags

	https://git.kernel.org/stable/c/de8d6de0ee27be4b2b1e5b06f04aeacbabbba492
	https://git.kernel.org/stable/c/7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c

Impacted products

Vendor

Product

Version

►

Linux

Version: c6a58ffed53612be86b758df1cdb0b0f4305e9cb
Version: c6a58ffed53612be86b758df1cdb0b0f4305e9cb

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de8d6de0ee27be4b2b1e5b06f04aeacbabbba492",
              "status": "affected",
              "version": "c6a58ffed53612be86b758df1cdb0b0f4305e9cb",
              "versionType": "git"
            },
            {
              "lessThan": "7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c",
              "status": "affected",
              "version": "c6a58ffed53612be86b758df1cdb0b0f4305e9cb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe per-netns structure can be obtained from the table-\u003edata using\ncontainer_of(), then the \u0027net\u0027 one can be retrieved from the listen\nsocket (if available)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:17:56.511Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de8d6de0ee27be4b2b1e5b06f04aeacbabbba492"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c"
        }
      ],
      "title": "rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21635",
    "datePublished": "2025-01-19T10:17:53.832Z",
    "dateReserved": "2024-12-29T08:45:45.726Z",
    "dateUpdated": "2025-05-04T07:17:56.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21759 (GCVE-0-2025-21759)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.

References

►

URL

Tags

	https://git.kernel.org/stable/c/81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a
	https://git.kernel.org/stable/c/0bf8e2f3768629d437a32cb824149e6e98254381
	https://git.kernel.org/stable/c/8e92d6a413feaf968a33f0b439ecf27404407458
	https://git.kernel.org/stable/c/087c1faa594fa07a66933d750c0b2610aa1a2946

Impacted products

Vendor

Product

Version

►

Linux

Version: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551
Version: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551
Version: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551
Version: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551

Linux

Version: 2.6.26

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:46.460072Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.454Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/mcast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "0bf8e2f3768629d437a32cb824149e6e98254381",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "8e92d6a413feaf968a33f0b439ecf27404407458",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "087c1faa594fa07a66933d750c0b2610aa1a2946",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/mcast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: extend RCU protection in igmp6_send()\n\nigmp6_send() can be called without RTNL or RCU being held.\n\nExtend RCU protection so that we can safely fetch the net pointer\nand avoid a potential UAF.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net-\u003eipv6.igmp_sk\nsocket under RCU protection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:31.433Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bf8e2f3768629d437a32cb824149e6e98254381"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e92d6a413feaf968a33f0b439ecf27404407458"
        },
        {
          "url": "https://git.kernel.org/stable/c/087c1faa594fa07a66933d750c0b2610aa1a2946"
        }
      ],
      "title": "ipv6: mcast: extend RCU protection in igmp6_send()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21759",
    "datePublished": "2025-02-27T02:18:12.994Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:31.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-44974 (GCVE-0-2024-44974)

Vulnerability from cvelistv5

Published

2024-09-04 19:54

Modified

2025-05-04 09:30

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with.

References

►

URL

Tags

	https://git.kernel.org/stable/c/ddee5b4b6a1cc03c1e9921cf34382e094c2009f1
	https://git.kernel.org/stable/c/f2c865e9e3ca44fc06b5f73b29a954775e4dbb38
	https://git.kernel.org/stable/c/2b4f46f9503633dade75cb796dd1949d0e6581a1
	https://git.kernel.org/stable/c/9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8
	https://git.kernel.org/stable/c/0201d65d9806d287a00e0ba96f0321835631f63f
	https://git.kernel.org/stable/c/48e50dcbcbaaf713d82bf2da5c16aeced94ad07d

Impacted products

Vendor

Product

Version

►

Linux

Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6
Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6
Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6
Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6
Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6
Version: 01cacb00b35cb62b139f07d5f84bcf0eeda8eff6

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44974",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:26:21.490934Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:14.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ddee5b4b6a1cc03c1e9921cf34382e094c2009f1",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            },
            {
              "lessThan": "f2c865e9e3ca44fc06b5f73b29a954775e4dbb38",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            },
            {
              "lessThan": "2b4f46f9503633dade75cb796dd1949d0e6581a1",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            },
            {
              "lessThan": "9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            },
            {
              "lessThan": "0201d65d9806d287a00e0ba96f0321835631f63f",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            },
            {
              "lessThan": "48e50dcbcbaaf713d82bf2da5c16aeced94ad07d",
              "status": "affected",
              "version": "01cacb00b35cb62b139f07d5f84bcf0eeda8eff6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.226",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.226",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.167",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.109",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.48",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.7",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: avoid possible UaF when selecting endp\n\nselect_local_address() and select_signal_address() both select an\nendpoint entry from the list inside an RCU protected section, but return\na reference to it, to be read later on. If the entry is dereferenced\nafter the RCU unlock, reading info could cause a Use-after-Free.\n\nA simple solution is to copy the required info while inside the RCU\nprotected section to avoid any risk of UaF later. The address ID might\nneed to be modified later to handle the ID0 case later, so a copy seems\nOK to deal with."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:30:07.102Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ddee5b4b6a1cc03c1e9921cf34382e094c2009f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2c865e9e3ca44fc06b5f73b29a954775e4dbb38"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b4f46f9503633dade75cb796dd1949d0e6581a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0201d65d9806d287a00e0ba96f0321835631f63f"
        },
        {
          "url": "https://git.kernel.org/stable/c/48e50dcbcbaaf713d82bf2da5c16aeced94ad07d"
        }
      ],
      "title": "mptcp: pm: avoid possible UaF when selecting endp",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44974",
    "datePublished": "2024-09-04T19:54:26.917Z",
    "dateReserved": "2024-08-21T05:34:56.669Z",
    "dateUpdated": "2025-05-04T09:30:07.102Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21762 (GCVE-0-2025-21762)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/10f555e3f573d004ae9d89b3276abb58c4ede5c3
	https://git.kernel.org/stable/c/307cd1e2d3cb1cbc6c40c679cada6d7168b18431
	https://git.kernel.org/stable/c/d9366ac2f956a1948b68c0500f84a3462ff2ed8a
	https://git.kernel.org/stable/c/f189654459423d4d48bef2d120b4bfba559e6039
	https://git.kernel.org/stable/c/e9f4dee534eb1b225b0a120395ad9bc2afe164d3
	https://git.kernel.org/stable/c/01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe
	https://git.kernel.org/stable/c/2c331718d3389b6c5f6855078ab7171849e016bd
	https://git.kernel.org/stable/c/a42b69f692165ec39db42d595f4f65a4c8f42e44

Impacted products

Vendor

Product

Version

►

Linux

Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5
Version: 29a26a56803855a79dbd028cd61abee56237d6e5

Linux

Version: 4.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:30.024595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.083Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/arp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10f555e3f573d004ae9d89b3276abb58c4ede5c3",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "307cd1e2d3cb1cbc6c40c679cada6d7168b18431",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "d9366ac2f956a1948b68c0500f84a3462ff2ed8a",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "f189654459423d4d48bef2d120b4bfba559e6039",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "e9f4dee534eb1b225b0a120395ad9bc2afe164d3",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "2c331718d3389b6c5f6855078ab7171849e016bd",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            },
            {
              "lessThan": "a42b69f692165ec39db42d595f4f65a4c8f42e44",
              "status": "affected",
              "version": "29a26a56803855a79dbd028cd61abee56237d6e5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/arp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: use RCU protection in arp_xmit()\n\narp_xmit() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:34.803Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10f555e3f573d004ae9d89b3276abb58c4ede5c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/307cd1e2d3cb1cbc6c40c679cada6d7168b18431"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9366ac2f956a1948b68c0500f84a3462ff2ed8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f189654459423d4d48bef2d120b4bfba559e6039"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9f4dee534eb1b225b0a120395ad9bc2afe164d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c331718d3389b6c5f6855078ab7171849e016bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a42b69f692165ec39db42d595f4f65a4c8f42e44"
        }
      ],
      "title": "arp: use RCU protection in arp_xmit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21762",
    "datePublished": "2025-02-27T02:18:14.600Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:34.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50085 (GCVE-0-2024-50085)

Vulnerability from cvelistv5

Published

2024-10-29 00:50

Modified

2025-05-04 12:59

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/35301636439138b821f1f6169bd00d348ebd388a
	https://git.kernel.org/stable/c/da3343bc0839b180fd9af9c27fa456d8231409f9
	https://git.kernel.org/stable/c/7b2e478abab0b3a33515433a6af563aebba773c1
	https://git.kernel.org/stable/c/a8c36ea4ef9a350816f6556c5c5b63810f84b538
	https://git.kernel.org/stable/c/7decd1f5904a489d3ccdcf131972f94645681689

Impacted products

Vendor

Product

Version

►

Linux

Version: 35b31f5549ede4070566b949781e83495906b43d
Version: 85b866e4c4e63a1d7afb58f1e24273caad03d0b7
Version: d20bf2c96d7ffd171299b32f562f70e5bf5dc608
Version: 1c1f721375989579e46741f59523e39ec9b2a9bd
Version: 1c1f721375989579e46741f59523e39ec9b2a9bd
Version: 2060f1efab370b496c4903b840844ecaff324c3c

Linux

Version: 6.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:26:02.743200Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:34.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35301636439138b821f1f6169bd00d348ebd388a",
              "status": "affected",
              "version": "35b31f5549ede4070566b949781e83495906b43d",
              "versionType": "git"
            },
            {
              "lessThan": "da3343bc0839b180fd9af9c27fa456d8231409f9",
              "status": "affected",
              "version": "85b866e4c4e63a1d7afb58f1e24273caad03d0b7",
              "versionType": "git"
            },
            {
              "lessThan": "7b2e478abab0b3a33515433a6af563aebba773c1",
              "status": "affected",
              "version": "d20bf2c96d7ffd171299b32f562f70e5bf5dc608",
              "versionType": "git"
            },
            {
              "lessThan": "a8c36ea4ef9a350816f6556c5c5b63810f84b538",
              "status": "affected",
              "version": "1c1f721375989579e46741f59523e39ec9b2a9bd",
              "versionType": "git"
            },
            {
              "lessThan": "7decd1f5904a489d3ccdcf131972f94645681689",
              "status": "affected",
              "version": "1c1f721375989579e46741f59523e39ec9b2a9bd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2060f1efab370b496c4903b840844ecaff324c3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.169",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.169",
                  "versionStartIncluding": "5.15.167",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.114",
                  "versionStartIncluding": "6.1.107",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.58",
                  "versionStartIncluding": "6.6.48",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.5",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow\n\nSyzkaller reported this splat:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881\n  Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662\n\n  CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0xc3/0x620 mm/kasan/report.c:488\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881\n   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]\n   mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572\n   mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603\n   genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n   netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357\n   netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901\n   sock_sendmsg_nosec net/socket.c:729 [inline]\n   __sock_sendmsg net/socket.c:744 [inline]\n   ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607\n   ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661\n   __sys_sendmsg+0x117/0x1f0 net/socket.c:2690\n   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n   __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386\n   do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411\n   entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n  RIP: 0023:0xf7fe4579\n  Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 \u003c5d\u003e 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\n  RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172\n  RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n   \u003c/TASK\u003e\n\n  Allocated by task 5387:\n   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n   kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n   kmalloc_noprof include/linux/slab.h:878 [inline]\n   kzalloc_noprof include/linux/slab.h:1014 [inline]\n   subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803\n   subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956\n   __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline]\n   tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167\n   mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764\n   __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592\n   mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642\n   mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline]\n   mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943\n   mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777\n   process_one_work+0x958/0x1b30 kernel/workqueue.c:3229\n   process_scheduled_works kernel/workqueue.c:3310 [inline]\n   worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n   kthread+0x2c1/0x3a0 kernel/kthread.c:389\n   ret_from_fork+0x45/0x80 arch/x86/ke\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:31.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35301636439138b821f1f6169bd00d348ebd388a"
        },
        {
          "url": "https://git.kernel.org/stable/c/da3343bc0839b180fd9af9c27fa456d8231409f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b2e478abab0b3a33515433a6af563aebba773c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8c36ea4ef9a350816f6556c5c5b63810f84b538"
        },
        {
          "url": "https://git.kernel.org/stable/c/7decd1f5904a489d3ccdcf131972f94645681689"
        }
      ],
      "title": "mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50085",
    "datePublished": "2024-10-29T00:50:28.269Z",
    "dateReserved": "2024-10-21T19:36:19.942Z",
    "dateUpdated": "2025-05-04T12:59:31.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32415 (GCVE-0-2025-32415)

Vulnerability from cvelistv5

Published

2025-04-17 00:00

Modified

2025-04-17 18:38

Severity ?

2.9 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1284 - Improper Validation of Specified Quantity in Input

Summary

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impacted products

	Vendor	Product	Version
	xmlsoft	libxml2	Version: 0 ≤ Version: 2.14.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32415",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T18:38:26.252207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T18:38:30.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxml2",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "2.13.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.14.2",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.13.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.14.2",
                  "versionStartIncluding": "2.14.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-17T17:21:08.467Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-32415",
    "datePublished": "2025-04-17T00:00:00.000Z",
    "dateReserved": "2025-04-08T00:00:00.000Z",
    "dateUpdated": "2025-04-17T18:38:30.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21781 (GCVE-0-2025-21781)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix panic during interface removal Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished. But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished. This fixes a crash triggered by reboot that looks like this: Call trace: batadv_v_mesh_free+0xd0/0x4dc [batman_adv] batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x178/0x398 worker_thread+0x2e8/0x4d0 kthread+0xd8/0xdc ret_from_fork+0x10/0x20 (the batadv_v_mesh_free call is misleading, and does not actually happen) I was able to make the issue happen more reliably by changing hardif_neigh->bat_v.metric_work work to be delayed work. This allowed me to track down and confirm the fix. [sven@narfation.org: prevent entering batadv_v_elp_get_throughput without soft_iface]

References

►

URL

Tags

	https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72
	https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577
	https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af
	https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72
	https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe
	https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7
	https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42
	https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2

Impacted products

Vendor

Product

Version

►

Linux

Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v_elp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "167422a07096a6006599067c8b55884064fa0b72",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "ce3f1545bf8fa28bd05ec113679e8e6cd23af577",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "f0a16c6c79768180333f3e41ce63f32730e3c3af",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "7eb5dd201695645af071592a50026eb780081a72",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "072b2787321903287a126c148e8db87dd7ef96fe",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "522b1596ea19e327853804da2de60aeb9c5d6f42",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "ccb7276a6d26d6f8416e315b43b45e15ee7f29e2",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v_elp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn\u0027t a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh-\u003ebat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:07.674Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af"
        },
        {
          "url": "https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72"
        },
        {
          "url": "https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2"
        }
      ],
      "title": "batman-adv: fix panic during interface removal",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21781",
    "datePublished": "2025-02-27T02:18:24.013Z",
    "dateReserved": "2024-12-29T08:45:45.764Z",
    "dateUpdated": "2025-05-04T07:21:07.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-24855 (GCVE-0-2025-24855)

Vulnerability from cvelistv5

Published

2025-03-14 00:00

Modified

2025-08-02 03:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-416 - Use After Free

Summary

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

References

►

URL

Tags

https://gitlab.gnome.org/GNOME/libxslt/-/issues/128

Impacted products

	Vendor	Product	Version
	xmlsoft	libxslt	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24855",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-02T03:55:44.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libxslt",
          "vendor": "xmlsoft",
          "versions": [
            {
              "lessThan": "1.1.43",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.43",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-14T01:12:30.912Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-24855",
    "datePublished": "2025-03-14T00:00:00.000Z",
    "dateReserved": "2025-01-26T00:00:00.000Z",
    "dateUpdated": "2025-08-02T03:55:44.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21701 (GCVE-0-2025-21701)

Vulnerability from cvelistv5

Published

2025-02-13 15:05

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.

References

►

URL

Tags

	https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517
	https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4
	https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3
	https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3
	https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b
	https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f

Impacted products

Vendor

Product

Version

►

Linux

Version: cfd719f04267108f5f5bf802b9d7de69e99a99f9
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa
Version: 7c26da3be1e9843a15b5318f90db8a564479d2ac

Linux

Version: 5.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26bc6076798aa4dc83a07d0a386f9e57c94e8517",
              "status": "affected",
              "version": "cfd719f04267108f5f5bf802b9d7de69e99a99f9",
              "versionType": "git"
            },
            {
              "lessThan": "b1cb37a31a482df3dd35a6ac166282dac47664f4",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "2f29127e94ae9fdc7497331003d6860e9551cdf3",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "b382ab9b885cbb665e0e70a727f101c981b4edf3",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "4dc880245f9b529fa8f476b5553c799d2848b47b",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "lessThan": "12e070eb6964b341b41677fd260af5a305316a1f",
              "status": "affected",
              "version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7c26da3be1e9843a15b5318f90db8a564479d2ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.87",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n  DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n  WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n  CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n  RIP: 0010:__mutex_lock+0xc8a/0x1120\n  Call Trace:\n   \u003cTASK\u003e\n   ethtool_check_max_channel+0x1ea/0x880\n   ethnl_set_channels+0x3c3/0xb10\n   ethnl_default_set_doit+0x306/0x650\n   genl_family_rcv_msg_doit+0x1e3/0x2c0\n   genl_rcv_msg+0x432/0x6f0\n   netlink_rcv_skb+0x13d/0x3b0\n   genl_rcv+0x28/0x40\n   netlink_unicast+0x42e/0x720\n   netlink_sendmsg+0x765/0xc20\n   __sys_sendto+0x3ac/0x420\n   __x64_sys_sendto+0xe0/0x1c0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:18.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b"
        },
        {
          "url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f"
        }
      ],
      "title": "net: avoid race between device unregistration and ethnl ops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21701",
    "datePublished": "2025-02-13T15:05:46.483Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2025-05-04T13:06:18.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-26466 (GCVE-0-2025-26466)

Vulnerability from cvelistv5

Published

2025-02-28 21:25

Modified

2025-07-25 07:44

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

References

►

URL

Tags

	https://access.redhat.com/security/cve/CVE-2025-26466	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2345043	issue-tracking, x_refsource_REDHAT
	https://seclists.org/oss-sec/2025/q1/144
	https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

Impacted products

Vendor

Product

Version

►

Version: 9.5p1 <

Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-05T03:48:43.236Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250228-0002/"
          },
          {
            "url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
          },
          {
            "url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
          },
          {
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1237041"
          },
          {
            "url": "https://security-tracker.debian.org/tracker/CVE-2025-26466"
          },
          {
            "url": "https://ubuntu.com/security/CVE-2025-26466"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26466",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T19:51:35.555196Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T19:51:39.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.openssh.com/",
          "defaultStatus": "unaffected",
          "packageName": "OpenSSH",
          "repo": "https://anongit.mindrot.org/openssh.git",
          "versions": [
            {
              "lessThanOrEqual": "9.9p1",
              "status": "affected",
              "version": "9.5p1",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openssh",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-25T07:44:40.029Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-26466"
        },
        {
          "name": "RHBZ#2345043",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345043"
        },
        {
          "url": "https://seclists.org/oss-sec/2025/q1/144"
        },
        {
          "url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-11T19:51:30.375000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-18T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Openssh: denial-of-service in openssh",
      "workarounds": [
        {
          "lang": "en",
          "value": "This issue can be mitigated by setting the following three different options in the sshd configuration file located at: /etc/ssh/sshd_config\n\nMaxStartups: Set to a reasonable value, this option controls the maximum number of concurrent unauthenticated connections the SSH server accepts;\n\nPerSourcePenalties: Set its suboptions to a reasonable value, this option is used to help sshd to detect and drop connections that are potentially malicious for the SSH server;\n\nLoginGraceTime: Set to a resonable value, this option controls how much time the SSH server will wait the client to authenticate before dropping its connection;\n\nAll the three option above needs to be set to implement a full mitigation for this vulnerability."
        }
      ],
      "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-26466",
    "datePublished": "2025-02-28T21:25:28.861Z",
    "dateReserved": "2025-02-10T18:31:47.979Z",
    "dateUpdated": "2025-07-25T07:44:40.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47220 (GCVE-0-2024-47220)

Vulnerability from cvelistv5

Published

2024-09-22 00:00

Modified

2025-01-09 17:33

Severity ?

CWE

n/a

Summary

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

References

►

URL

Tags

	https://github.com/ruby/webrick/issues/145
	https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
	https://github.com/ruby/webrick/issues/145#issuecomment-2369994610
	https://github.com/ruby/webrick/issues/145#issuecomment-2372838285

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ruby:webrick:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "webrick",
            "vendor": "ruby",
            "versions": [
              {
                "lessThanOrEqual": "1.8.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47220",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T15:01:28.031073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T17:33:17.696Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., \"GET /admin HTTP/1.1\\r\\n\" inside of a \"POST /user HTTP/1.1\\r\\n\" request. NOTE: the supplier\u0027s position is \"Webrick should not be used in production.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-25T14:15:45.642637",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/ruby/webrick/issues/145"
        },
        {
          "url": "https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841"
        },
        {
          "url": "https://github.com/ruby/webrick/issues/145#issuecomment-2369994610"
        },
        {
          "url": "https://github.com/ruby/webrick/issues/145#issuecomment-2372838285"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-47220",
    "datePublished": "2024-09-22T00:00:00",
    "dateReserved": "2024-09-22T00:00:00",
    "dateUpdated": "2025-01-09T17:33:17.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58013 (GCVE-0-2024-58013)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-06-19 12:56

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

►

URL

Tags

	https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827
	https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405
	https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987
	https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68
	https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06

Impacted products

Vendor

Product

Version

►

Linux

Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58013",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-05T21:14:21.847636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-05T21:21:43.873Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "75e65b983c5e2ee51962bfada98a79d805f28827",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "4ebbcb9bc794e5be647ee28fdf14eb1ae0659405",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "26fbd3494a7dd26269cb0817c289267dbcfdec06",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\n\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nAllocated by task 16026:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n sock_write_iter+0x2d7/0x3f0 net/socket.c:1147\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0xaeb/0xd30 fs/read_write.c:679\n ksys_write+0x18f/0x2b0 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 16022:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 [inline]\n slab_free mm/slub.c:4598 [inline]\n kfree+0x196/0x420 mm/slub.c:4746\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\n hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1209\n sock_ioctl+0x626/0x8e0 net/socket.c:1328\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:43.171Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68"
        },
        {
          "url": "https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06"
        }
      ],
      "title": "Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58013",
    "datePublished": "2025-02-27T02:12:06.735Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-06-19T12:56:43.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58056 (GCVE-0-2024-58056)

Vulnerability from cvelistv5

Published

2025-03-06 15:53

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2cf54928e7e32362215c69b68a6a53d110323bf3
	https://git.kernel.org/stable/c/b32d60a852bb3952886625d0c3b1c9a88c3ceb7c
	https://git.kernel.org/stable/c/f2013d19b7704cd723ab42664b8d9408ea8cc77c
	https://git.kernel.org/stable/c/e9efd9fa4679803fe23188d7b47119cf7bc2de6f
	https://git.kernel.org/stable/c/7378aeb664e5ebc396950b36a1f2dedf5aabec20

Impacted products

Vendor

Product

Version

►

Linux

Version: 08333b911f01862e71e51b7065fb4baca3cd2e67
Version: 08333b911f01862e71e51b7065fb4baca3cd2e67
Version: 08333b911f01862e71e51b7065fb4baca3cd2e67
Version: 08333b911f01862e71e51b7065fb4baca3cd2e67
Version: 08333b911f01862e71e51b7065fb4baca3cd2e67

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2cf54928e7e32362215c69b68a6a53d110323bf3",
              "status": "affected",
              "version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
              "versionType": "git"
            },
            {
              "lessThan": "b32d60a852bb3952886625d0c3b1c9a88c3ceb7c",
              "status": "affected",
              "version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
              "versionType": "git"
            },
            {
              "lessThan": "f2013d19b7704cd723ab42664b8d9408ea8cc77c",
              "status": "affected",
              "version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
              "versionType": "git"
            },
            {
              "lessThan": "e9efd9fa4679803fe23188d7b47119cf7bc2de6f",
              "status": "affected",
              "version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
              "versionType": "git"
            },
            {
              "lessThan": "7378aeb664e5ebc396950b36a1f2dedf5aabec20",
              "status": "affected",
              "version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Fix ida_free call while not allocated\n\nIn the rproc_alloc() function, on error, put_device(\u0026rproc-\u003edev) is\ncalled, leading to the call of the rproc_type_release() function.\nAn error can occurs before ida_alloc is called.\n\nIn such case in rproc_type_release(), the condition (rproc-\u003eindex \u003e= 0) is\ntrue as rproc-\u003eindex has been  initialized to 0.\nida_free() is called reporting a warning:\n[    4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164\n[    4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0\n[    4.188854] ida_free called for id=0 which is not allocated.\n[    4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000\n[    4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)\n[    4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442\n[    4.231481] Hardware name: STM32 (Device Tree Support)\n[    4.236627] Workqueue: events_unbound deferred_probe_work_func\n[    4.242504] Call trace:\n[    4.242522]  unwind_backtrace from show_stack+0x10/0x14\n[    4.250218]  show_stack from dump_stack_lvl+0x50/0x64\n[    4.255274]  dump_stack_lvl from __warn+0x80/0x12c\n[    4.260134]  __warn from warn_slowpath_fmt+0x114/0x188\n[    4.265199]  warn_slowpath_fmt from ida_free+0x100/0x164\n[    4.270565]  ida_free from rproc_type_release+0x38/0x60\n[    4.275832]  rproc_type_release from device_release+0x30/0xa0\n[    4.281601]  device_release from kobject_put+0xc4/0x294\n[    4.286762]  kobject_put from rproc_alloc.part.0+0x208/0x28c\n[    4.292430]  rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4\n[    4.298393]  devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]\n[    4.305575]  stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc\n\nCalling ida_alloc earlier in rproc_alloc ensures that the rproc-\u003eindex is\nproperly set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:51.752Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2cf54928e7e32362215c69b68a6a53d110323bf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b32d60a852bb3952886625d0c3b1c9a88c3ceb7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2013d19b7704cd723ab42664b8d9408ea8cc77c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9efd9fa4679803fe23188d7b47119cf7bc2de6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7378aeb664e5ebc396950b36a1f2dedf5aabec20"
        }
      ],
      "title": "remoteproc: core: Fix ida_free call while not allocated",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58056",
    "datePublished": "2025-03-06T15:53:59.641Z",
    "dateReserved": "2025-03-06T15:52:09.179Z",
    "dateUpdated": "2025-05-04T10:08:51.752Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58006 (GCVE-0-2024-58006)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 10:08

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update inbound map address") set_bar() was modified to support dynamically changing the backing physical address of a BAR that was already configured. This means that set_bar() can be called twice, without ever calling clear_bar() (as calling clear_bar() would clear the BAR's PCI address assigned by the host). This can only be done if the new BAR size/flags does not differ from the existing BAR configuration. Add these missing checks. If we allow set_bar() to set e.g. a new BAR size that differs from the existing BAR size, the new address translation range will be smaller than the BAR size already determined by the host, which would mean that a read past the new BAR size would pass the iATU untranslated, which could allow the host to read memory not belonging to the new struct pci_epf_bar. While at it, add comments which clarifies the support for dynamically changing the physical address of a BAR. (Which was also missing.)

References

►

URL

Tags

	https://git.kernel.org/stable/c/b5cacfd067060c75088363ed3e19779078be2755
	https://git.kernel.org/stable/c/3229c15d6267de8e704b4085df8a82a5af2d63eb
	https://git.kernel.org/stable/c/3708acbd5f169ebafe1faa519cb28adc56295546

Impacted products

Vendor

Product

Version

►

Linux

Version: 4284c88fff0efc4e418abb53d78e02dc4f099d6c
Version: 4284c88fff0efc4e418abb53d78e02dc4f099d6c
Version: 4284c88fff0efc4e418abb53d78e02dc4f099d6c

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pcie-designware-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b5cacfd067060c75088363ed3e19779078be2755",
              "status": "affected",
              "version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
              "versionType": "git"
            },
            {
              "lessThan": "3229c15d6267de8e704b4085df8a82a5af2d63eb",
              "status": "affected",
              "version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
              "versionType": "git"
            },
            {
              "lessThan": "3708acbd5f169ebafe1faa519cb28adc56295546",
              "status": "affected",
              "version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/dwc/pcie-designware-ep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()\n\nIn commit 4284c88fff0e (\"PCI: designware-ep: Allow pci_epc_set_bar() update\ninbound map address\") set_bar() was modified to support dynamically\nchanging the backing physical address of a BAR that was already configured.\n\nThis means that set_bar() can be called twice, without ever calling\nclear_bar() (as calling clear_bar() would clear the BAR\u0027s PCI address\nassigned by the host).\n\nThis can only be done if the new BAR size/flags does not differ from the\nexisting BAR configuration. Add these missing checks.\n\nIf we allow set_bar() to set e.g. a new BAR size that differs from the\nexisting BAR size, the new address translation range will be smaller than\nthe BAR size already determined by the host, which would mean that a read\npast the new BAR size would pass the iATU untranslated, which could allow\nthe host to read memory not belonging to the new struct pci_epf_bar.\n\nWhile at it, add comments which clarifies the support for dynamically\nchanging the physical address of a BAR. (Which was also missing.)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:15.420Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b5cacfd067060c75088363ed3e19779078be2755"
        },
        {
          "url": "https://git.kernel.org/stable/c/3229c15d6267de8e704b4085df8a82a5af2d63eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3708acbd5f169ebafe1faa519cb28adc56295546"
        }
      ],
      "title": "PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58006",
    "datePublished": "2025-02-27T02:12:02.932Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-05-04T10:08:15.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21890 (GCVE-0-2025-21890)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: fix checksums set in idpf_rx_rsc() idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet. This triggers the following warning for CONFIG_DEBUG_NET=y builds. DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb)) [ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth [ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697 [ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748) [ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261687] ? report_bug (lib/bug.c:?) [ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285) [ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309) [ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf [ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf [ 69.261712] __napi_poll (net/core/dev.c:7194) [ 69.261716] net_rx_action (net/core/dev.c:7265) [ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293) [ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288) [ 69.261726] handle_softirqs (kernel/softirq.c:561)

References

►

URL

Tags

	https://git.kernel.org/stable/c/4279bbebe00ffdbfd1a77567961886e35465cbdc
	https://git.kernel.org/stable/c/57e68f256911f3ab4b997141975561646ccbbb8c
	https://git.kernel.org/stable/c/674fcb4f4a7e3e277417a01788cc6daae47c3804

Impacted products

Vendor

Product

Version

►

Linux

Version: 3a8845af66edb340ba9210bb8a0da040c7d6e590
Version: 3a8845af66edb340ba9210bb8a0da040c7d6e590
Version: 3a8845af66edb340ba9210bb8a0da040c7d6e590

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_txrx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4279bbebe00ffdbfd1a77567961886e35465cbdc",
              "status": "affected",
              "version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
              "versionType": "git"
            },
            {
              "lessThan": "57e68f256911f3ab4b997141975561646ccbbb8c",
              "status": "affected",
              "version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
              "versionType": "git"
            },
            {
              "lessThan": "674fcb4f4a7e3e277417a01788cc6daae47c3804",
              "status": "affected",
              "version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_txrx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix checksums set in idpf_rx_rsc()\n\nidpf_rx_rsc() uses skb_transport_offset(skb) while the transport header\nis not set yet.\n\nThis triggers the following warning for CONFIG_DEBUG_NET=y builds.\n\nDEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))\n\n[   69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth\n[   69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S      W          6.14.0-smp-DEV #1697\n[   69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[   69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)\n[   69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261687] ? report_bug (lib/bug.c:?)\n[   69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)\n[   69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)\n[   69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[   69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf\n[   69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf\n[   69.261712] __napi_poll (net/core/dev.c:7194)\n[   69.261716] net_rx_action (net/core/dev.c:7265)\n[   69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)\n[   69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)\n[   69.261726] handle_softirqs (kernel/softirq.c:561)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:26.126Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4279bbebe00ffdbfd1a77567961886e35465cbdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/57e68f256911f3ab4b997141975561646ccbbb8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/674fcb4f4a7e3e277417a01788cc6daae47c3804"
        }
      ],
      "title": "idpf: fix checksums set in idpf_rx_rsc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21890",
    "datePublished": "2025-03-27T14:57:16.525Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-05-04T07:23:26.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21820 (GCVE-0-2025-21820)

Vulnerability from cvelistv5

Published

2025-02-27 20:04

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: xilinx_uartps: split sysrq handling lockdep detects the following circular locking dependency: CPU 0 CPU 1 ========================== ============================ cdns_uart_isr() printk() uart_port_lock(port) console_lock() cdns_uart_console_write() if (!port->sysrq) uart_port_lock(port) uart_handle_break() port->sysrq = ... uart_handle_sysrq_char() printk() console_lock() The fixed commit attempts to avoid this situation by only taking the port lock in cdns_uart_console_write if port->sysrq unset. However, if (as shown above) cdns_uart_console_write runs before port->sysrq is set, then it will try to take the port lock anyway. This may result in a deadlock. Fix this by splitting sysrq handling into two parts. We use the prepare helper under the port lock and defer handling until we release the lock.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e22a97700901ba5e8bf8db68056a0d50f9440cae
	https://git.kernel.org/stable/c/de5bd24197bd9ee37ec1e379a3d882bbd15c5065
	https://git.kernel.org/stable/c/8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c
	https://git.kernel.org/stable/c/9b88a7c4584ba67267a051069b8abe44fc9595b2
	https://git.kernel.org/stable/c/4410dba9807a17a93f649a9f5870ceaf30a675a3
	https://git.kernel.org/stable/c/b06f388994500297bb91be60ffaf6825ecfd2afe

Impacted products

Vendor

Product

Version

►

Linux

Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852

Linux

Version: 4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/xilinx_uartps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e22a97700901ba5e8bf8db68056a0d50f9440cae",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "de5bd24197bd9ee37ec1e379a3d882bbd15c5065",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "9b88a7c4584ba67267a051069b8abe44fc9595b2",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "4410dba9807a17a93f649a9f5870ceaf30a675a3",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "b06f388994500297bb91be60ffaf6825ecfd2afe",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/xilinx_uartps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: xilinx_uartps: split sysrq handling\n\nlockdep detects the following circular locking dependency:\n\nCPU 0                      CPU 1\n========================== ============================\ncdns_uart_isr()            printk()\n  uart_port_lock(port)       console_lock()\n\t\t\t     cdns_uart_console_write()\n                               if (!port-\u003esysrq)\n                                 uart_port_lock(port)\n  uart_handle_break()\n    port-\u003esysrq = ...\n  uart_handle_sysrq_char()\n    printk()\n      console_lock()\n\nThe fixed commit attempts to avoid this situation by only taking the\nport lock in cdns_uart_console_write if port-\u003esysrq unset. However, if\n(as shown above) cdns_uart_console_write runs before port-\u003esysrq is set,\nthen it will try to take the port lock anyway. This may result in a\ndeadlock.\n\nFix this by splitting sysrq handling into two parts. We use the prepare\nhelper under the port lock and defer handling until we release the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:51.032Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e22a97700901ba5e8bf8db68056a0d50f9440cae"
        },
        {
          "url": "https://git.kernel.org/stable/c/de5bd24197bd9ee37ec1e379a3d882bbd15c5065"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b88a7c4584ba67267a051069b8abe44fc9595b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4410dba9807a17a93f649a9f5870ceaf30a675a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b06f388994500297bb91be60ffaf6825ecfd2afe"
        }
      ],
      "title": "tty: xilinx_uartps: split sysrq handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21820",
    "datePublished": "2025-02-27T20:04:17.930Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:51.032Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-11168 (GCVE-0-2024-11168)

Vulnerability from cvelistv5

Published

2024-11-12 21:22

Modified

2025-04-11 22:03

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N

Summary

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

References

►

URL

Tags

	https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5	patch
	https://github.com/python/cpython/pull/103849	patch
	https://github.com/python/cpython/issues/103848	issue-tracking
	https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/	vendor-advisory
	https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550	patch
	https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e	patch
	https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132	patch

Impacted products

	Vendor	Product	Version
	Python Software Foundation	CPython	Version: 0 Version: 3.10.0 Version: 3.11.0 Version: 3.12.0a1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "cpython",
            "vendor": "python_software_foundation",
            "versions": [
              {
                "lessThan": "3.11.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.12.0b1",
                "status": "affected",
                "version": "3.12.0a1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 3.7,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-11168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T15:09:42.748084Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T17:59:48.232Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-11T22:03:16.211Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250411-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.9.21",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            },
            {
              "lessThan": "3.10.16",
              "status": "affected",
              "version": "3.10.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.11.4",
              "status": "affected",
              "version": "3.11.0",
              "versionType": "python"
            },
            {
              "lessThan": "3.12.0b1",
              "status": "affected",
              "version": "3.12.0a1",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "zer0yu (IPASSLab \u0026\u0026 ZGC Lab)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren\u0027t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.\u003cbr\u003e"
            }
          ],
          "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren\u0027t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T20:29:59.700Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/103849"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/103848"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper validation of IPv6 and IPvFuture addresses",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2024-11168",
    "datePublished": "2024-11-12T21:22:23.438Z",
    "dateReserved": "2024-11-12T21:13:15.779Z",
    "dateUpdated": "2025-04-11T22:03:16.211Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21753 (GCVE-0-2025-21753)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free. Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction. This was reported by syzbot and Dmitry with the following stack traces from KASAN: ================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_creat fs/open.c:1495 [inline] __se_sys_creat fs/open.c:1489 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline] btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753
	https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec
	https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc
	https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec
	https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01
	https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca
	https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7
	https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63

Impacted products

Vendor

Product

Version

►

Linux

Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee
Version: 871383be592ba7e819d27556591e315a0df38cee

Linux

Version: 3.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21753",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:22.911957Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cee55b1219568c80bf0d5dc55066e4a859baf753",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "c7a53757717e68af94a56929d57f1e6daff220ec",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "6ba4663ada6c6315af23a6669d386146634808ec",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "8f5cff471039caa2b088060c074c2bf2081bcb01",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "86d71a026a7f63da905db9add845c8ee88801eca",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "ce628048390dad80320d5a1f74de6ca1e1be91e7",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "e2f0943cf37305dbdeaf9846e3c941451bcdef63",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it\u0027s aborted,\nwe read its \u0027aborted\u0027 field after unlocking fs_info-\u003etrans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its \u0027aborted\u0027 field, leading to a use-after-free.\n\nFix this by reading the \u0027aborted\u0027 field while holding fs_info-\u003etrans_lock\nsince any freeing task must first acquire that lock and set\nfs_info-\u003erunning_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    \u003cTASK\u003e\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    \u003c/TASK\u003e\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:26.747Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01"
        },
        {
          "url": "https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63"
        }
      ],
      "title": "btrfs: fix use-after-free when attempting to join an aborted transaction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21753",
    "datePublished": "2025-02-27T02:12:23.235Z",
    "dateReserved": "2024-12-29T08:45:45.760Z",
    "dateUpdated": "2025-05-04T07:20:26.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-46782 (GCVE-0-2024-46782)

Vulnerability from cvelistv5

Published

2024-09-18 07:12

Modified

2025-05-04 09:34

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf
	https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc
	https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6
	https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673
	https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c
	https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2
	https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4
	https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466

Impacted products

Vendor

Product

Version

►

Linux

Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd

Linux

Version: 4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46782",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:30:14.976916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-10T13:18:35.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila.h",
            "net/ipv6/ila/ila_main.c",
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "43d34110882b97ba1ec66cc8234b18983efb9abf",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "dcaf4e2216824839d26727a15b638c6a677bd9fc",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "93ee345ba349922834e6a9d1dadabaedcc12dce6",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "bda4d84ac0d5421b346faee720011f58bdb99673",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "925c18a7cff93d8a4320d652351294ff7d0ac93c",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "18a5a16940464b301ea91bf5da3a324aedb347b2",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "47abd8adddbc0aecb8f231269ef659148d5dabe4",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "031ae72825cef43e4650140b800ad58bf7a6a466",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila.h",
            "net/ipv6/ila/ila_main.c",
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.284",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.226",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.322",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.284",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.226",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.167",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.110",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: call nf_unregister_net_hooks() sooner\n\nsyzbot found an use-after-free Read in ila_nf_input [1]\n\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\nthen call nf_unregister_net_hooks().\n\nIt should be done in the reverse way, with a synchronize_rcu().\n\nThis is a good match for a pre_exit() method.\n\n[1]\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\n\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\n  process_backlog+0x662/0x15b0 net/core/dev.c:6108\n  __napi_poll+0xcb/0x490 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963\n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xbfffffff(buddy)\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\n  set_page_owner include/linux/page_owner.h:32 [inline]\n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\n  prep_new_page mm/page_alloc.c:1501 [inline]\n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\n  __do_kmalloc_node mm/slub.c:4146 [inline]\n  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\n  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\n  bucket_table_alloc lib/rhashtable.c:186 [inline]\n  rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071\n  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\n  ops_ini\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:34:10.865Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6"
        },
        {
          "url": "https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673"
        },
        {
          "url": "https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c"
        },
        {
          "url": "https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4"
        },
        {
          "url": "https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466"
        }
      ],
      "title": "ila: call nf_unregister_net_hooks() sooner",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46782",
    "datePublished": "2024-09-18T07:12:38.652Z",
    "dateReserved": "2024-09-11T15:12:18.276Z",
    "dateUpdated": "2025-05-04T09:34:10.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21690 (GCVE-0-2025-21690)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM.

References

►

URL

Tags

	https://git.kernel.org/stable/c/81d4dd05c412ba04f9f6b85b718e6da833be290c
	https://git.kernel.org/stable/c/182a4b7c731e95c08cb47f14b87a272b6ab2b2da
	https://git.kernel.org/stable/c/088bde862f8d3d0fc52e40e66a0484a246837087
	https://git.kernel.org/stable/c/01d1ebdab9ccb73c952e1666a8a80abd194dbc55
	https://git.kernel.org/stable/c/d0f0af1bafef33b3e2aa8c3a4ef44db48df9b0ea
	https://git.kernel.org/stable/c/d2138eab8cde61e0e6f62d0713e45202e8457d6d

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/storvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "81d4dd05c412ba04f9f6b85b718e6da833be290c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "182a4b7c731e95c08cb47f14b87a272b6ab2b2da",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "088bde862f8d3d0fc52e40e66a0484a246837087",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "01d1ebdab9ccb73c952e1666a8a80abd194dbc55",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d0f0af1bafef33b3e2aa8c3a4ef44db48df9b0ea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d2138eab8cde61e0e6f62d0713e45202e8457d6d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/storvsc_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Ratelimit warning logs to prevent VM denial of service\n\nIf there\u0027s a persistent error in the hypervisor, the SCSI warning for\nfailed I/O can flood the kernel log and max out CPU utilization,\npreventing troubleshooting from the VM side. Ratelimit the warning so\nit doesn\u0027t DoS the VM."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:07.034Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/81d4dd05c412ba04f9f6b85b718e6da833be290c"
        },
        {
          "url": "https://git.kernel.org/stable/c/182a4b7c731e95c08cb47f14b87a272b6ab2b2da"
        },
        {
          "url": "https://git.kernel.org/stable/c/088bde862f8d3d0fc52e40e66a0484a246837087"
        },
        {
          "url": "https://git.kernel.org/stable/c/01d1ebdab9ccb73c952e1666a8a80abd194dbc55"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0f0af1bafef33b3e2aa8c3a4ef44db48df9b0ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2138eab8cde61e0e6f62d0713e45202e8457d6d"
        }
      ],
      "title": "scsi: storvsc: Ratelimit warning logs to prevent VM denial of service",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21690",
    "datePublished": "2025-02-10T15:58:46.392Z",
    "dateReserved": "2024-12-29T08:45:45.741Z",
    "dateUpdated": "2025-05-04T07:19:07.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57986 (GCVE-0-2024-57986)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers. One of the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop in hid_apply_multiplier."), but the other has not been fixed. This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL. This is in spite of the fact that the function starts with a big comment saying: * "The Resolution Multiplier control must be contained in the same * Logical Collection as the control(s) to which it is to be applied. ... * If no Logical Collection is * defined, the Resolution Multiplier is associated with all * controls in the report." * HID Usage Table, v1.12, Section 4.3.1, p30 * * Thus, search from the current collection upwards until we find a * logical collection... The comment and the code overlook the possibility that none of the collections found may be a Logical Collection. The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3a002e4029230d9a6be89f869b2328b258612f5c
	https://git.kernel.org/stable/c/05dd7d10675b540b8b7b31035c0a8abb6e6f3b88
	https://git.kernel.org/stable/c/a32ea3f982b389ea43a41ce77b6fb70d74006d9b
	https://git.kernel.org/stable/c/bebf542e8d7c44a18a95f306b1b5dc160c823506
	https://git.kernel.org/stable/c/ed3d3883476423f337aac0f22c521819b3f1e970
	https://git.kernel.org/stable/c/ebaeca33d32c8bdb705a8c88267737a456f354b1
	https://git.kernel.org/stable/c/a5498f1f864ea26f4c613c77f54409c776a95a90
	https://git.kernel.org/stable/c/64f2657b579343cf923aa933f08074e6258eb07b

Impacted products

Vendor

Product

Version

►

Linux

Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc

Linux

Version: 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3a002e4029230d9a6be89f869b2328b258612f5c",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "05dd7d10675b540b8b7b31035c0a8abb6e6f3b88",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "a32ea3f982b389ea43a41ce77b6fb70d74006d9b",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "bebf542e8d7c44a18a95f306b1b5dc160c823506",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "ed3d3883476423f337aac0f22c521819b3f1e970",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "ebaeca33d32c8bdb705a8c88267737a456f354b1",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "a5498f1f864ea26f4c613c77f54409c776a95a90",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "64f2657b579343cf923aa933f08074e6258eb07b",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Fix assumption that Resolution Multipliers must be in Logical Collections\n\nA report in 2019 by the syzbot fuzzer was found to be connected to two\nerrors in the HID core associated with Resolution Multipliers.  One of\nthe errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop\nin hid_apply_multiplier.\"), but the other has not been fixed.\n\nThis error arises because hid_apply_multipler() assumes that every\nResolution Multiplier control is contained in a Logical Collection,\ni.e., there\u0027s no way the routine can ever set multiplier_collection to\nNULL.  This is in spite of the fact that the function starts with a\nbig comment saying:\n\n\t * \"The Resolution Multiplier control must be contained in the same\n\t * Logical Collection as the control(s) to which it is to be applied.\n\t   ...\n\t *  If no Logical Collection is\n\t * defined, the Resolution Multiplier is associated with all\n\t * controls in the report.\"\n\t * HID Usage Table, v1.12, Section 4.3.1, p30\n\t *\n\t * Thus, search from the current collection upwards until we find a\n\t * logical collection...\n\nThe comment and the code overlook the possibility that none of the\ncollections found may be a Logical Collection.\n\nThe fix is to set the multiplier_collection pointer to NULL if the\ncollection found isn\u0027t a Logical Collection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:45.914Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3a002e4029230d9a6be89f869b2328b258612f5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/05dd7d10675b540b8b7b31035c0a8abb6e6f3b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/a32ea3f982b389ea43a41ce77b6fb70d74006d9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bebf542e8d7c44a18a95f306b1b5dc160c823506"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3d3883476423f337aac0f22c521819b3f1e970"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebaeca33d32c8bdb705a8c88267737a456f354b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5498f1f864ea26f4c613c77f54409c776a95a90"
        },
        {
          "url": "https://git.kernel.org/stable/c/64f2657b579343cf923aa933f08074e6258eb07b"
        }
      ],
      "title": "HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57986",
    "datePublished": "2025-02-27T02:07:10.621Z",
    "dateReserved": "2025-02-27T02:04:28.913Z",
    "dateUpdated": "2025-05-04T10:07:45.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-2588 (GCVE-0-2025-2588)

Vulnerability from cvelistv5

Published

2025-03-21 12:00

Modified

2025-03-21 17:24

Severity ?

4.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3.3 (Low) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-476 - NULL Pointer Dereference
CWE-404 - Denial of Service

Summary

A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

References

►

URL

Tags

	https://vuldb.com/?id.300568	vdb-entry, technical-description
	https://vuldb.com/?ctiid.300568	signature, permissions-required
	https://vuldb.com/?submit.517281	third-party-advisory
	https://github.com/hercules-team/augeas/issues/852	issue-tracking
	https://github.com/hercules-team/augeas/issues/852#issue-2905999609	exploit, issue-tracking

Impacted products

	Vendor	Product	Version
	Hercules	Augeas	Version: 1.14.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2588",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-21T17:24:34.308971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-21T17:24:55.111Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/hercules-team/augeas/issues/852#issue-2905999609"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Augeas",
          "vendor": "Hercules",
          "versions": [
            {
              "status": "affected",
              "version": "1.14.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In Hercules Augeas 1.14.1 wurde eine problematische Schwachstelle gefunden. Dabei geht es um die Funktion re_case_expand der Datei src/fa.c. Durch Manipulation des Arguments re mit unbekannten Daten kann eine null pointer dereference-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs hat dabei lokal zu erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.7,
            "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-21T12:00:10.758Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-300568 | Hercules Augeas fa.c re_case_expand null pointer dereference",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.300568"
        },
        {
          "name": "VDB-300568 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.300568"
        },
        {
          "name": "Submit #517281 | https://github.com/hercules-team/augeas augeas 1.14.1 NULL Pointer Dereference",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.517281"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/hercules-team/augeas/issues/852"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/hercules-team/augeas/issues/852#issue-2905999609"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-21T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-03-21T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-03-21T07:37:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Hercules Augeas fa.c re_case_expand null pointer dereference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-2588",
    "datePublished": "2025-03-21T12:00:10.758Z",
    "dateReserved": "2025-03-21T06:32:24.166Z",
    "dateUpdated": "2025-03-21T17:24:55.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56758 (GCVE-0-2024-56758)

Vulnerability from cvelistv5

Published

2025-01-06 16:20

Modified

2025-06-04 12:57

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.

References

►

URL

Tags

	https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0
	https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd
	https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578
	https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9

Impacted products

Vendor

Product

Version

►

Linux

Version: 08daa38ca212d87f77beae839bc9be71079c7abf
Version: e7f1326cc24e22b38afc3acd328480a1183f9e79
Version: e7f1326cc24e22b38afc3acd328480a1183f9e79
Version: e7f1326cc24e22b38afc3acd328480a1183f9e79
Version: 9d1e020ed9649cf140fcfafd052cfdcce9e9d67d

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "36679fab54fa7bcffafd469e2c474c1fc4beaee0",
              "status": "affected",
              "version": "08daa38ca212d87f77beae839bc9be71079c7abf",
              "versionType": "git"
            },
            {
              "lessThan": "c7b1bd52a031ad0144d42eef0ba8471ce75122dd",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "d508e56270389b3a16f5b3cf247f4eb1bbad1578",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "lessThan": "3e74859ee35edc33a022c3f3971df066ea0ca6b9",
              "status": "affected",
              "version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9d1e020ed9649cf140fcfafd052cfdcce9e9d67d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/relocation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: check folio mapping after unlock in relocate_one_folio()\n\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\nfolio. The result of that is that a different thread can modify the\nmapping (like remove it with invalidate) before we call folio_lock().\nThis results in an invalid page and we need to try again.\n\nIn particular, if we are relocating concurrently with aborting a\ntransaction, this can result in a crash like the following:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 76 PID: 1411631 Comm: kworker/u322:5\n  Workqueue: events_unbound btrfs_reclaim_bgs_work\n  RIP: 0010:set_page_extent_mapped+0x20/0xb0\n  RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\n  RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\n  RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\n  R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\n  R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\n  FS:  0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x78/0xc0\n  ? page_fault_oops+0x2a8/0x3a0\n  ? __switch_to+0x133/0x530\n  ? wq_worker_running+0xa/0x40\n  ? exc_page_fault+0x63/0x130\n  ? asm_exc_page_fault+0x22/0x30\n  ? set_page_extent_mapped+0x20/0xb0\n  relocate_file_extent_cluster+0x1a7/0x940\n  relocate_data_extent+0xaf/0x120\n  relocate_block_group+0x20f/0x480\n  btrfs_relocate_block_group+0x152/0x320\n  btrfs_relocate_chunk+0x3d/0x120\n  btrfs_reclaim_bgs_work+0x2ae/0x4e0\n  process_scheduled_works+0x184/0x370\n  worker_thread+0xc6/0x3e0\n  ? blk_add_timer+0xb0/0xb0\n  kthread+0xae/0xe0\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork+0x2f/0x40\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e\n\nThis occurs because cleanup_one_transaction() calls\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\ntakes the folio_lock before setting mapping to NULL. We fail to check\nthis, and subsequently call set_extent_mapping(), which assumes that\nmapping != NULL (in fact it asserts that in debug mode)\n\nNote that the \"fixes\" patch here is not the one that introduced the\nrace (the very first iteration of this code from 2009) but a more recent\nchange that made this particular crash happen in practice."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:21.079Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9"
        }
      ],
      "title": "btrfs: check folio mapping after unlock in relocate_one_folio()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56758",
    "datePublished": "2025-01-06T16:20:38.942Z",
    "dateReserved": "2024-12-29T11:26:39.761Z",
    "dateUpdated": "2025-06-04T12:57:21.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49994 (GCVE-0-2024-49994)

Vulnerability from cvelistv5

Published

2024-10-21 18:02

Modified

2025-05-04 09:43

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed

References

►

URL

Tags

	https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239
	https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549
	https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa
	https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d
	https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455

Impacted products

Vendor

Product

Version

►

Linux

Version: 44abff2c0b970ae3d310b97617525dc01f248d7c
Version: 44abff2c0b970ae3d310b97617525dc01f248d7c
Version: 44abff2c0b970ae3d310b97617525dc01f248d7c
Version: 44abff2c0b970ae3d310b97617525dc01f248d7c
Version: 44abff2c0b970ae3d310b97617525dc01f248d7c

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49994",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:30:51.719818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:38:42.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8476f8428e8b48fd7a0e4258fa2a96a8f4468239",
              "status": "affected",
              "version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
              "versionType": "git"
            },
            {
              "lessThan": "a99bacb35c1416355eef957560e8fcac3a665549",
              "status": "affected",
              "version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
              "versionType": "git"
            },
            {
              "lessThan": "0842ddd83939eb4db940b9af7d39e79722bc41aa",
              "status": "affected",
              "version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
              "versionType": "git"
            },
            {
              "lessThan": "6c9915fa9410cbb9bd75ee283c03120046c56d3d",
              "status": "affected",
              "version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
              "versionType": "git"
            },
            {
              "lessThan": "697ba0b6ec4ae04afb67d3911799b5e2043b4455",
              "status": "affected",
              "version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:43:15.743Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239"
        },
        {
          "url": "https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549"
        },
        {
          "url": "https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455"
        }
      ],
      "title": "block: fix integer overflow in BLKSECDISCARD",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49994",
    "datePublished": "2024-10-21T18:02:35.722Z",
    "dateReserved": "2024-10-21T12:17:06.055Z",
    "dateUpdated": "2025-05-04T09:43:15.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50056 (GCVE-0-2024-50056)

Vulnerability from cvelistv5

Published

2024-10-21 19:39

Modified

2025-05-04 09:44

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c Fix potential dereferencing of ERR_PTR() in find_format_by_pix() and uvc_v4l2_enum_format(). Fix the following smatch errors: drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix() error: 'fmtdesc' dereferencing possible ERR_PTR() drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format() error: 'fmtdesc' dereferencing possible ERR_PTR() Also, fix similar issue in uvc_v4l2_try_format() for potential dereferencing of ERR_PTR().

References

►

URL

Tags

	https://git.kernel.org/stable/c/03fa71e97e9bb116993ec1d51b8a6fe776db0984
	https://git.kernel.org/stable/c/72a68d2bede3284b95ee93a5ab3a81758bba95b0
	https://git.kernel.org/stable/c/cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6
	https://git.kernel.org/stable/c/a7bb96b18864225a694e3887ac2733159489e4b0

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50056",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:23:29.014877Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:28:42.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/uvc_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03fa71e97e9bb116993ec1d51b8a6fe776db0984",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "72a68d2bede3284b95ee93a5ab3a81758bba95b0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a7bb96b18864225a694e3887ac2733159489e4b0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/uvc_v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.133",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.86",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c\n\nFix potential dereferencing of ERR_PTR() in find_format_by_pix()\nand uvc_v4l2_enum_format().\n\nFix the following smatch errors:\n\ndrivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()\nerror: \u0027fmtdesc\u0027 dereferencing possible ERR_PTR()\n\ndrivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()\nerror: \u0027fmtdesc\u0027 dereferencing possible ERR_PTR()\n\nAlso, fix similar issue in uvc_v4l2_try_format() for potential\ndereferencing of ERR_PTR()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:44:51.970Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03fa71e97e9bb116993ec1d51b8a6fe776db0984"
        },
        {
          "url": "https://git.kernel.org/stable/c/72a68d2bede3284b95ee93a5ab3a81758bba95b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7bb96b18864225a694e3887ac2733159489e4b0"
        }
      ],
      "title": "usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50056",
    "datePublished": "2024-10-21T19:39:47.131Z",
    "dateReserved": "2024-10-21T19:36:19.938Z",
    "dateUpdated": "2025-05-04T09:44:51.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4382 (GCVE-0-2025-4382)

Vulnerability from cvelistv5

Published

2025-05-09 11:59

Modified

2025-07-29 17:44

Severity ?

5.9 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Summary

A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.

References

►

URL

Tags

	https://access.redhat.com/security/cve/CVE-2025-4382	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2364416	issue-tracking, x_refsource_REDHAT
	https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=blobdiff;f=grub-core/kern/rescue_reader.c;h=a71ada8fb7da2eae6ee7135fe234fb1755ca78b0;hp=4259857ba9eea45446bc40ea13c3de4ab1b88ffd;hb=c448f511e74cb7c776b314fcb7943f98d3f22b6d;hpb=4abac0ad5a7914dd3cdfff08aaac06588bf98d80

Impacted products

Vendor

Product

Version

►

Version: 0 ≤ 2.12

Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4382",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-09T13:23:09.759013Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-09T13:33:37.385Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.gnu.org/software/grub/",
          "defaultStatus": "unaffected",
          "packageName": "grub2",
          "versions": [
            {
              "lessThanOrEqual": "2.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-05-08T23:59:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T17:44:28.715Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-4382"
        },
        {
          "name": "RHBZ#2364416",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364416"
        },
        {
          "url": "https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=blobdiff;f=grub-core/kern/rescue_reader.c;h=a71ada8fb7da2eae6ee7135fe234fb1755ca78b0;hp=4259857ba9eea45446bc40ea13c3de4ab1b88ffd;hb=c448f511e74cb7c776b314fcb7943f98d3f22b6d;hpb=4abac0ad5a7914dd3cdfff08aaac06588bf98d80"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-06T14:24:53.960000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-05-08T23:59:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Grub2: grub allow access to encrypted device through cli once root device is unlocked via tpm",
      "workarounds": [
        {
          "lang": "en",
          "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."
        }
      ],
      "x_redhatCweChain": "CWE-306: Missing Authentication for Critical Function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-4382",
    "datePublished": "2025-05-09T11:59:33.176Z",
    "dateReserved": "2025-05-06T13:23:57.941Z",
    "dateUpdated": "2025-07-29T17:44:28.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21764 (GCVE-0-2025-21764)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/96fc896d0e5b37c12808df797397fb16f3080879
	https://git.kernel.org/stable/c/c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1
	https://git.kernel.org/stable/c/b870256dd2a5648d5ed2f22316b3ac29a7e5ed63
	https://git.kernel.org/stable/c/3c2d705f5adf5d860aaef90cb4211c0fde2ba66d
	https://git.kernel.org/stable/c/9e0ec817eb41a55327a46cd3ce331a9868d60304
	https://git.kernel.org/stable/c/bbec88e4108e8d6fb468d3817fa652140a44ff28
	https://git.kernel.org/stable/c/cd1065f92eb7ff21b9ba5308a86f33d1670bf926
	https://git.kernel.org/stable/c/628e6d18930bbd21f2d4562228afe27694f66da9

Impacted products

Vendor

Product

Version

►

Linux

Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61

Linux

Version: 3.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21764",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:20.278381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.827Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ndisc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "96fc896d0e5b37c12808df797397fb16f3080879",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "b870256dd2a5648d5ed2f22316b3ac29a7e5ed63",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "3c2d705f5adf5d860aaef90cb4211c0fde2ba66d",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "9e0ec817eb41a55327a46cd3ce331a9868d60304",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "bbec88e4108e8d6fb468d3817fa652140a44ff28",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "cd1065f92eb7ff21b9ba5308a86f33d1670bf926",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            },
            {
              "lessThan": "628e6d18930bbd21f2d4562228afe27694f66da9",
              "status": "affected",
              "version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ndisc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: use RCU protection in ndisc_alloc_skb()\n\nndisc_alloc_skb() can be called without RTNL or RCU being held.\n\nAdd RCU protection to avoid possible UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:36.864Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/96fc896d0e5b37c12808df797397fb16f3080879"
        },
        {
          "url": "https://git.kernel.org/stable/c/c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b870256dd2a5648d5ed2f22316b3ac29a7e5ed63"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c2d705f5adf5d860aaef90cb4211c0fde2ba66d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e0ec817eb41a55327a46cd3ce331a9868d60304"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbec88e4108e8d6fb468d3817fa652140a44ff28"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd1065f92eb7ff21b9ba5308a86f33d1670bf926"
        },
        {
          "url": "https://git.kernel.org/stable/c/628e6d18930bbd21f2d4562228afe27694f66da9"
        }
      ],
      "title": "ndisc: use RCU protection in ndisc_alloc_skb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21764",
    "datePublished": "2025-02-27T02:18:15.598Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:36.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53063 (GCVE-0-2024-53063)

Vulnerability from cvelistv5

Published

2024-11-19 17:22

Modified

2025-05-04 09:52

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: prevent the risk of out of memory access The dvbdev contains a static variable used to store dvb minors. The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_register_adapter() would already be enforcing it. On a similar way, dvb_device_open() uses the assumption that the register functions already did the needed checks. This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity. So, add explicit guards to prevent potential risk of OOM issues.

References

►

URL

Tags

	https://git.kernel.org/stable/c/fedfde9deb83ac8d2f3d5f36f111023df34b1684
	https://git.kernel.org/stable/c/3b88675e18b6517043a6f734eaa8ea6eb3bfa140
	https://git.kernel.org/stable/c/a4a17210c03ade1c8d9a9f193a105654b7a05c11
	https://git.kernel.org/stable/c/5f76f7df14861e3a560898fa41979ec92424b58f
	https://git.kernel.org/stable/c/b751a96025275c17f04083cbfe856822f1658946
	https://git.kernel.org/stable/c/1e461672616b726f29261ee81bb991528818537c
	https://git.kernel.org/stable/c/9c17085fabbde2041c893d29599800f2d4992b23
	https://git.kernel.org/stable/c/972e63e895abbe8aa1ccbdbb4e6362abda7cd457

Impacted products

Vendor

Product

Version

►

Linux

Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba

Linux

Version: 2.6.29

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-core/dvbdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fedfde9deb83ac8d2f3d5f36f111023df34b1684",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "3b88675e18b6517043a6f734eaa8ea6eb3bfa140",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "a4a17210c03ade1c8d9a9f193a105654b7a05c11",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "5f76f7df14861e3a560898fa41979ec92424b58f",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "b751a96025275c17f04083cbfe856822f1658946",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "1e461672616b726f29261ee81bb991528818537c",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "9c17085fabbde2041c893d29599800f2d4992b23",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            },
            {
              "lessThan": "972e63e895abbe8aa1ccbdbb4e6362abda7cd457",
              "status": "affected",
              "version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-core/dvbdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.324",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.286",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.172",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.324",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.286",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.230",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.172",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.61",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: prevent the risk of out of memory access\n\nThe dvbdev contains a static variable used to store dvb minors.\n\nThe behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set\nor not. When not set, dvb_register_device() won\u0027t check for\nboundaries, as it will rely that a previous call to\ndvb_register_adapter() would already be enforcing it.\n\nOn a similar way, dvb_device_open() uses the assumption\nthat the register functions already did the needed checks.\n\nThis can be fragile if some device ends using different\ncalls. This also generate warnings on static check analysers\nlike Coverity.\n\nSo, add explicit guards to prevent potential risk of OOM issues."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:52:00.976Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fedfde9deb83ac8d2f3d5f36f111023df34b1684"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b88675e18b6517043a6f734eaa8ea6eb3bfa140"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4a17210c03ade1c8d9a9f193a105654b7a05c11"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f76f7df14861e3a560898fa41979ec92424b58f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b751a96025275c17f04083cbfe856822f1658946"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e461672616b726f29261ee81bb991528818537c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c17085fabbde2041c893d29599800f2d4992b23"
        },
        {
          "url": "https://git.kernel.org/stable/c/972e63e895abbe8aa1ccbdbb4e6362abda7cd457"
        }
      ],
      "title": "media: dvbdev: prevent the risk of out of memory access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53063",
    "datePublished": "2024-11-19T17:22:33.518Z",
    "dateReserved": "2024-11-19T17:17:24.975Z",
    "dateUpdated": "2025-05-04T09:52:00.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43820 (GCVE-0-2024-43820)

Vulnerability from cvelistv5

Published

2024-08-17 09:21

Modified

2025-05-04 12:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume rm-raid devices will occasionally trigger the following warning when being resumed after a table load because DM_RECOVERY_RUNNING is set: WARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid] The failing check is: WARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)); This check is designed to make sure that the sync thread isn't registered, but md_check_recovery can set MD_RECOVERY_RUNNING without the sync_thread ever getting registered. Instead of checking if MD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a5c15a78c0e1631b7df822b56e8b6424e4d1ca3e
	https://git.kernel.org/stable/c/3199a34bfaf7561410e0be1e33a61eba870768fc

Impacted products

Vendor

Product

Version

►

Linux

Version: 16c4770c75b1223998adbeb7286f9a15c65fba73
Version: 16c4770c75b1223998adbeb7286f9a15c65fba73
Version: af916cb66a80597f3523bc85812e790bcdcfd62b
Version: eaa8fc9b092837cf2c754bde1a15d784ce9a85ab

Linux

Version: 6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:09:03.715774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:25.056Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5c15a78c0e1631b7df822b56e8b6424e4d1ca3e",
              "status": "affected",
              "version": "16c4770c75b1223998adbeb7286f9a15c65fba73",
              "versionType": "git"
            },
            {
              "lessThan": "3199a34bfaf7561410e0be1e33a61eba870768fc",
              "status": "affected",
              "version": "16c4770c75b1223998adbeb7286f9a15c65fba73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "af916cb66a80597f3523bc85812e790bcdcfd62b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "eaa8fc9b092837cf2c754bde1a15d784ce9a85ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume\n\nrm-raid devices will occasionally trigger the following warning when\nbeing resumed after a table load because DM_RECOVERY_RUNNING is set:\n\nWARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid]\n\nThe failing check is:\nWARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, \u0026mddev-\u003erecovery));\n\nThis check is designed to make sure that the sync thread isn\u0027t\nregistered, but md_check_recovery can set MD_RECOVERY_RUNNING without\nthe sync_thread ever getting registered. Instead of checking if\nMD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:08.724Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5c15a78c0e1631b7df822b56e8b6424e4d1ca3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3199a34bfaf7561410e0be1e33a61eba870768fc"
        }
      ],
      "title": "dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43820",
    "datePublished": "2024-08-17T09:21:41.674Z",
    "dateReserved": "2024-08-17T09:11:59.271Z",
    "dateUpdated": "2025-05-04T12:58:08.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53176 (GCVE-0-2024-53176)

Vulnerability from cvelistv5

Published

2024-12-27 13:49

Modified

2025-05-04 09:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: During unmount, ensure all cached dir instances drop their dentry The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs: BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including: - Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid. To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal. The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations. Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing. While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry.

References

►

URL

Tags

	https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94
	https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638
	https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e
	https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662

Impacted products

Vendor

Product

Version

►

Linux

Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c",
            "fs/smb/client/cached_dir.h",
            "fs/smb/client/cifsfs.c",
            "fs/smb/client/cifsglob.h",
            "fs/smb/client/inode.c",
            "fs/smb/client/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "73934e535cffbda1490fa97d82690a0f9aa73e94",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "ff4528bbc82d0d90073751f7b49e7b9e9c7e5638",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "548812afd96982a76a93ba76c0582ea670c40d9e",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "3fa640d035e5ae526769615c35cb9ed4be6e3662",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c",
            "fs/smb/client/cached_dir.h",
            "fs/smb/client/cifsfs.c",
            "fs/smb/client/cifsglob.h",
            "fs/smb/client/inode.c",
            "fs/smb/client/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: During unmount, ensure all cached dir instances drop their dentry\n\nThe unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can\nrace with various cached directory operations, which ultimately results\nin dentries not being dropped and these kernel BUGs:\n\nBUG: Dentry ffff88814f37e358{i=1000000000080,n=/}  still in use (2) [unmount of cifs cifs]\nVFS: Busy inodes after unmount of cifs (cifs)\n------------[ cut here ]------------\nkernel BUG at fs/super.c:661!\n\nThis happens when a cfid is in the process of being cleaned up when, and\nhas been removed from the cfids-\u003eentries list, including:\n\n- Receiving a lease break from the server\n- Server reconnection triggers invalidate_all_cached_dirs(), which\n  removes all the cfids from the list\n- The laundromat thread decides to expire an old cfid.\n\nTo solve these problems, dropping the dentry is done in queued work done\nin a newly-added cfid_put_wq workqueue, and close_all_cached_dirs()\nflushes that workqueue after it drops all the dentries of which it\u0027s\naware. This is a global workqueue (rather than scoped to a mount), but\nthe queued work is minimal.\n\nThe final cleanup work for cleaning up a cfid is performed via work\nqueued in the serverclose_wq workqueue; this is done separate from\ndropping the dentries so that close_all_cached_dirs() doesn\u0027t block on\nany server operations.\n\nBoth of these queued works expect to invoked with a cfid reference and\na tcon reference to avoid those objects from being freed while the work\nis ongoing.\n\nWhile we\u0027re here, add proper locking to close_all_cached_dirs(), and\nlocking around the freeing of cfid-\u003edentry."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:58.234Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638"
        },
        {
          "url": "https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662"
        }
      ],
      "title": "smb: During unmount, ensure all cached dir instances drop their dentry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53176",
    "datePublished": "2024-12-27T13:49:20.518Z",
    "dateReserved": "2024-11-19T17:17:25.007Z",
    "dateUpdated": "2025-05-04T09:54:58.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21831 (GCVE-0-2025-21831)

Vulnerability from cvelistv5

Published

2025-03-06 16:22

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the policy that all PCIe ports are allowed to use D3. When the system is suspended if the port is not power manageable by the platform and won't be used for wakeup via a PME this sets up the policy for these ports to go into D3hot. This policy generally makes sense from an OSPM perspective but it leads to problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a specific old BIOS. This manifests as a system hang. On the affected Device + BIOS combination, add a quirk for the root port of the problematic controller to ensure that these root ports are not put into D3hot at suspend. This patch is based on https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com but with the added condition both in the documentation and in the code to apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only the affected root ports.

References

►

URL

Tags

	https://git.kernel.org/stable/c/8852e056e297df1d8635ee7504e780d3184e45d0
	https://git.kernel.org/stable/c/5ee3dd6e59b834e4d66e8b16fc684749ee40a257
	https://git.kernel.org/stable/c/a78dfe50fffe6058afed2bb04c50c2c9a16664ee
	https://git.kernel.org/stable/c/b1049f2d68693c80a576c4578d96774a68df2bad

Impacted products

Vendor

Product

Version

►

Linux

Version: 9d26d3a8f1b0c442339a235f9508bdad8af91043
Version: 9d26d3a8f1b0c442339a235f9508bdad8af91043
Version: 9d26d3a8f1b0c442339a235f9508bdad8af91043
Version: 9d26d3a8f1b0c442339a235f9508bdad8af91043

Linux

Version: 4.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/pci/fixup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8852e056e297df1d8635ee7504e780d3184e45d0",
              "status": "affected",
              "version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
              "versionType": "git"
            },
            {
              "lessThan": "5ee3dd6e59b834e4d66e8b16fc684749ee40a257",
              "status": "affected",
              "version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
              "versionType": "git"
            },
            {
              "lessThan": "a78dfe50fffe6058afed2bb04c50c2c9a16664ee",
              "status": "affected",
              "version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
              "versionType": "git"
            },
            {
              "lessThan": "b1049f2d68693c80a576c4578d96774a68df2bad",
              "status": "affected",
              "version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/pci/fixup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1\n\ncommit 9d26d3a8f1b0 (\"PCI: Put PCIe ports into D3 during suspend\") sets the\npolicy that all PCIe ports are allowed to use D3.  When the system is\nsuspended if the port is not power manageable by the platform and won\u0027t be\nused for wakeup via a PME this sets up the policy for these ports to go\ninto D3hot.\n\nThis policy generally makes sense from an OSPM perspective but it leads to\nproblems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a\nspecific old BIOS. This manifests as a system hang.\n\nOn the affected Device + BIOS combination, add a quirk for the root port of\nthe problematic controller to ensure that these root ports are not put into\nD3hot at suspend.\n\nThis patch is based on\n\n  https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com\n\nbut with the added condition both in the documentation and in the code to\napply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only\nthe affected root ports."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:04.294Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8852e056e297df1d8635ee7504e780d3184e45d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ee3dd6e59b834e4d66e8b16fc684749ee40a257"
        },
        {
          "url": "https://git.kernel.org/stable/c/a78dfe50fffe6058afed2bb04c50c2c9a16664ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1049f2d68693c80a576c4578d96774a68df2bad"
        }
      ],
      "title": "PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21831",
    "datePublished": "2025-03-06T16:22:33.443Z",
    "dateReserved": "2024-12-29T08:45:45.776Z",
    "dateUpdated": "2025-05-04T07:22:04.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50290 (GCVE-0-2024-50290)

Vulnerability from cvelistv5

Published

2024-11-19 01:30

Modified

2025-05-04 09:50

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that.

References

►

URL

Tags

	https://git.kernel.org/stable/c/127b9076baeadd734b18ddc8f2cd93b47d5a3ea3
	https://git.kernel.org/stable/c/cad97ca8cfd43a78a19b59949f33e3563d369247
	https://git.kernel.org/stable/c/828047c70f4716fde4b1316f7b610e97a4e83824
	https://git.kernel.org/stable/c/f2b4f277c41db8d548f38f1dd091bbdf6a5acb07
	https://git.kernel.org/stable/c/fbefe31e4598cdb0889eee2e74c995b2212efb08
	https://git.kernel.org/stable/c/83c152b55d88cbf6fc4685941fcb31333986774d
	https://git.kernel.org/stable/c/3a1ed994d9454132354b860321414955da289929
	https://git.kernel.org/stable/c/576a307a7650bd544fbb24df801b9b7863b85e2f

Impacted products

Vendor

Product

Version

►

Linux

Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf

Linux

Version: 2.6.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-frontends/cx24116.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "127b9076baeadd734b18ddc8f2cd93b47d5a3ea3",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "cad97ca8cfd43a78a19b59949f33e3563d369247",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "828047c70f4716fde4b1316f7b610e97a4e83824",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "f2b4f277c41db8d548f38f1dd091bbdf6a5acb07",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "fbefe31e4598cdb0889eee2e74c995b2212efb08",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "83c152b55d88cbf6fc4685941fcb31333986774d",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "3a1ed994d9454132354b860321414955da289929",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            },
            {
              "lessThan": "576a307a7650bd544fbb24df801b9b7863b85e2f",
              "status": "affected",
              "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/dvb-frontends/cx24116.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.324",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.286",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.172",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.324",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.286",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.230",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.172",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.61",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.8",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx24116: prevent overflows on SNR calculus\n\nas reported by Coverity, if reading SNR registers fail, a negative\nnumber will be returned, causing an underflow when reading SNR\nregisters.\n\nPrevent that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:50:57.523Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/127b9076baeadd734b18ddc8f2cd93b47d5a3ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/cad97ca8cfd43a78a19b59949f33e3563d369247"
        },
        {
          "url": "https://git.kernel.org/stable/c/828047c70f4716fde4b1316f7b610e97a4e83824"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2b4f277c41db8d548f38f1dd091bbdf6a5acb07"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbefe31e4598cdb0889eee2e74c995b2212efb08"
        },
        {
          "url": "https://git.kernel.org/stable/c/83c152b55d88cbf6fc4685941fcb31333986774d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a1ed994d9454132354b860321414955da289929"
        },
        {
          "url": "https://git.kernel.org/stable/c/576a307a7650bd544fbb24df801b9b7863b85e2f"
        }
      ],
      "title": "media: cx24116: prevent overflows on SNR calculus",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50290",
    "datePublished": "2024-11-19T01:30:35.352Z",
    "dateReserved": "2024-10-21T19:36:19.985Z",
    "dateUpdated": "2025-05-04T09:50:57.523Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21640 (GCVE-0-2025-21640)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used.

References

►

URL

Tags

	https://git.kernel.org/stable/c/5599b212d2f4466e1832a94e9932684aaa364587
	https://git.kernel.org/stable/c/03ca51faba2b017bf6c90e139434c4117d0afcdc
	https://git.kernel.org/stable/c/86ddf8118123cb58a0fb8724cad6979c4069065b
	https://git.kernel.org/stable/c/3cd0659deb9c03535fd61839e91d4d4d3e51ac71
	https://git.kernel.org/stable/c/ad673e514b2793b8d5902f6ba6ab7e890dea23d5
	https://git.kernel.org/stable/c/f0bb3935470684306e4e04793a20ac4c4b08de0b
	https://git.kernel.org/stable/c/ea62dd1383913b5999f3d16ae99d411f41b528d4

Impacted products

Vendor

Product

Version

►

Linux

Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b
Version: 3c68198e75111a905ac2412be12bf7b29099729b

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5599b212d2f4466e1832a94e9932684aaa364587",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "03ca51faba2b017bf6c90e139434c4117d0afcdc",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "86ddf8118123cb58a0fb8724cad6979c4069065b",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "3cd0659deb9c03535fd61839e91d4d4d3e51ac71",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "ad673e514b2793b8d5902f6ba6ab7e890dea23d5",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "f0bb3935470684306e4e04793a20ac4c4b08de0b",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            },
            {
              "lessThan": "ea62dd1383913b5999f3d16ae99d411f41b528d4",
              "status": "affected",
              "version": "3c68198e75111a905ac2412be12bf7b29099729b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: cookie_hmac_alg: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, as this is the only\nmember needed from the \u0027net\u0027 structure, but that would increase the size\nof this fix, to use \u0027*data\u0027 everywhere \u0027net-\u003esctp.sctp_hmac_alg\u0027 is\nused."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:02.677Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5599b212d2f4466e1832a94e9932684aaa364587"
        },
        {
          "url": "https://git.kernel.org/stable/c/03ca51faba2b017bf6c90e139434c4117d0afcdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/86ddf8118123cb58a0fb8724cad6979c4069065b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cd0659deb9c03535fd61839e91d4d4d3e51ac71"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad673e514b2793b8d5902f6ba6ab7e890dea23d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0bb3935470684306e4e04793a20ac4c4b08de0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea62dd1383913b5999f3d16ae99d411f41b528d4"
        }
      ],
      "title": "sctp: sysctl: cookie_hmac_alg: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21640",
    "datePublished": "2025-01-19T10:17:57.593Z",
    "dateReserved": "2024-12-29T08:45:45.727Z",
    "dateUpdated": "2025-05-04T07:18:02.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-40980 (GCVE-0-2024-40980)

Vulnerability from cvelistv5

Published

2024-07-12 12:32

Modified

2025-05-21 09:12

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drop_monitor: replace spin_lock by raw_spin_lock trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context.

References

►

URL

Tags

	https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334
	https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5
	https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac
	https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3
	https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0
	https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e
	https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195

Impacted products

Vendor

Product

Version

►

Linux

Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9
Version: 4ea7e38696c7e798c47ebbecadfd392f23f814f9

Linux

Version: 2.6.31

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:55.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:02:23.500077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:21.510Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "594e47957f3fe034645e6885393ce96c12286334",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "96941f29ebcc1e9cbf570dc903f30374909562f5",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "b3722fb69468693555f531cddda5c30444726dac",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "f251ccef1d864790e5253386e95544420b7cd8f3",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "76ce2f9125244e1708d29c1d3f9d1d50b347bda0",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "07ea878684dfb78a9d4f564c39d07e855a9e242e",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            },
            {
              "lessThan": "f1e197a665c2148ebc25fe09c53689e60afea195",
              "status": "affected",
              "version": "4ea7e38696c7e798c47ebbecadfd392f23f814f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.279",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.221",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.279",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.221",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.162",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.96",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.36",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.7",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (\u0026data-\u003elock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last  enabled at (139908): [\u003cffffffffb1df2b33\u003e] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [\u003cffffffffb19bd03d\u003e] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last  enabled at (139892): [\u003cffffffffb07a1083\u003e] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [\u003cffffffffb0909b33\u003e] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[\u003cffffffffb1de786b\u003e] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T09:12:48.758Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/594e47957f3fe034645e6885393ce96c12286334"
        },
        {
          "url": "https://git.kernel.org/stable/c/96941f29ebcc1e9cbf570dc903f30374909562f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3722fb69468693555f531cddda5c30444726dac"
        },
        {
          "url": "https://git.kernel.org/stable/c/f251ccef1d864790e5253386e95544420b7cd8f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/76ce2f9125244e1708d29c1d3f9d1d50b347bda0"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ea878684dfb78a9d4f564c39d07e855a9e242e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1e197a665c2148ebc25fe09c53689e60afea195"
        }
      ],
      "title": "drop_monitor: replace spin_lock by raw_spin_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-40980",
    "datePublished": "2024-07-12T12:32:15.569Z",
    "dateReserved": "2024-07-12T12:17:45.604Z",
    "dateUpdated": "2025-05-21T09:12:48.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21703 (GCVE-0-2025-21703)

Vulnerability from cvelistv5

Published

2025-02-18 14:37

Modified

2025-05-04 07:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c
	https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1
	https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207
	https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55
	https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5
	https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83
	https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32
	https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71

Impacted products

Vendor

Product

Version

►

Linux

Version: 83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31
Version: 216509dda290f6db92c816dd54b83c1df9da9e76
Version: c2047b0e216c8edce227d7c42f99ac2877dad0e4
Version: 10df49cfca73dfbbdb6c4150d859f7e8926ae427
Version: 3824c5fad18eeb7abe0c4fc966f29959552dca3e
Version: 356078a5c55ec8d2061fcc009fb8599f5b0527f9
Version: f8d4bc455047cf3903cd6f85f49978987dbb3027
Version: f8d4bc455047cf3903cd6f85f49978987dbb3027

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T15:38:37.163490Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T15:46:03.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c",
              "status": "affected",
              "version": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31",
              "versionType": "git"
            },
            {
              "lessThan": "7f31d74fcc556a9166b1bb20515542de7bb939d1",
              "status": "affected",
              "version": "216509dda290f6db92c816dd54b83c1df9da9e76",
              "versionType": "git"
            },
            {
              "lessThan": "98a2c685293aae122f688cde11d9334dddc5d207",
              "status": "affected",
              "version": "c2047b0e216c8edce227d7c42f99ac2877dad0e4",
              "versionType": "git"
            },
            {
              "lessThan": "7b79ca9a1de6a428d486ff52fb3d602321c08f55",
              "status": "affected",
              "version": "10df49cfca73dfbbdb6c4150d859f7e8926ae427",
              "versionType": "git"
            },
            {
              "lessThan": "1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5",
              "status": "affected",
              "version": "3824c5fad18eeb7abe0c4fc966f29959552dca3e",
              "versionType": "git"
            },
            {
              "lessThan": "6312555249082d6d8cc5321ff725df05482d8b83",
              "status": "affected",
              "version": "356078a5c55ec8d2061fcc009fb8599f5b0527f9",
              "versionType": "git"
            },
            {
              "lessThan": "839ecc583fa00fab785fde1c85a326743657fd32",
              "status": "affected",
              "version": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
              "versionType": "git"
            },
            {
              "lessThan": "638ba5089324796c2ee49af10427459c2de35f71",
              "status": "affected",
              "version": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_netem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.288",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.232",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.175",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.1.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.6.67",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.12.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch-\u003eq.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops-\u003eqlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses -\u003eqlen_notify() to maintain its active list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:20.127Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83"
        },
        {
          "url": "https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32"
        },
        {
          "url": "https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71"
        }
      ],
      "title": "netem: Update sch-\u003eq.qlen before qdisc_tree_reduce_backlog()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21703",
    "datePublished": "2025-02-18T14:37:44.261Z",
    "dateReserved": "2024-12-29T08:45:45.751Z",
    "dateUpdated": "2025-05-04T07:19:20.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21639 (GCVE-0-2025-21639)

Vulnerability from cvelistv5

Published

2025-01-19 10:17

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used.

References

►

URL

Tags

	https://git.kernel.org/stable/c/c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9
	https://git.kernel.org/stable/c/246428bfb9e7db15c5cd08e1d0eca41b65af2b06
	https://git.kernel.org/stable/c/0f78f09466744589e420935e646ae78212a38290
	https://git.kernel.org/stable/c/4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482
	https://git.kernel.org/stable/c/dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f
	https://git.kernel.org/stable/c/c87f1f6ade56c711f8736901e330685b453e420e
	https://git.kernel.org/stable/c/9fc17b76fc70763780aa78b38fcf4742384044a5

Impacted products

Vendor

Product

Version

►

Linux

Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5
Version: 4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5

Linux

Version: 3.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "246428bfb9e7db15c5cd08e1d0eca41b65af2b06",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "0f78f09466744589e420935e646ae78212a38290",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "c87f1f6ade56c711f8736901e330685b453e420e",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            },
            {
              "lessThan": "9fc17b76fc70763780aa78b38fcf4742384044a5",
              "status": "affected",
              "version": "4f3fdf3bc59cafd14c3bc2c2369efad34c7aa8b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sysctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: rto_min/max: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n  from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe \u0027net\u0027 structure can be obtained from the table-\u003edata using\ncontainer_of().\n\nNote that table-\u003edata could also be used directly, as this is the only\nmember needed from the \u0027net\u0027 structure, but that would increase the size\nof this fix, to use \u0027*data\u0027 everywhere \u0027net-\u003esctp.rto_min/max\u0027 is used."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:01.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c8d179f3b1c1d60bf4484f50aa67b4c70f91bff9"
        },
        {
          "url": "https://git.kernel.org/stable/c/246428bfb9e7db15c5cd08e1d0eca41b65af2b06"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f78f09466744589e420935e646ae78212a38290"
        },
        {
          "url": "https://git.kernel.org/stable/c/4059507e34aa5fe0fa9fd5b2b5f0c8b26ab2d482"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc9d0e3cfd16f66fbf0862857c6b391c8613ca9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c87f1f6ade56c711f8736901e330685b453e420e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fc17b76fc70763780aa78b38fcf4742384044a5"
        }
      ],
      "title": "sctp: sysctl: rto_min/max: avoid using current-\u003ensproxy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21639",
    "datePublished": "2025-01-19T10:17:56.828Z",
    "dateReserved": "2024-12-29T08:45:45.727Z",
    "dateUpdated": "2025-05-04T07:18:01.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56568 (GCVE-0-2024-56568)

Vulnerability from cvelistv5

Published

2024-12-27 14:23

Modified

2025-05-04 09:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. [will: Add comment]

References

►

URL

Tags

	https://git.kernel.org/stable/c/c2527d07c7e9cda2c6165d5edccf74752baac1b0
	https://git.kernel.org/stable/c/dc02407ea952e20c544a078a6be2e6f008327973
	https://git.kernel.org/stable/c/f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5
	https://git.kernel.org/stable/c/4a9485918a042e3114890dfbe19839a1897f8b2c
	https://git.kernel.org/stable/c/5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8
	https://git.kernel.org/stable/c/229e6ee43d2a160a1592b83aad620d6027084aad

Impacted products

Vendor

Product

Version

►

Linux

Version: 021bb8420d44cf56102d44fca9af628625e75482
Version: 021bb8420d44cf56102d44fca9af628625e75482
Version: 021bb8420d44cf56102d44fca9af628625e75482
Version: 021bb8420d44cf56102d44fca9af628625e75482
Version: 021bb8420d44cf56102d44fca9af628625e75482
Version: 021bb8420d44cf56102d44fca9af628625e75482

Linux

Version: 4.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2527d07c7e9cda2c6165d5edccf74752baac1b0",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "dc02407ea952e20c544a078a6be2e6f008327973",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "4a9485918a042e3114890dfbe19839a1897f8b2c",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            },
            {
              "lessThan": "229e6ee43d2a160a1592b83aad620d6027084aad",
              "status": "affected",
              "version": "021bb8420d44cf56102d44fca9af628625e75482",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/arm/arm-smmu/arm-smmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Defer probe of clients after smmu device bound\n\nNull pointer dereference occurs due to a race between smmu\ndriver probe and client driver probe, when of_dma_configure()\nfor client is called after the iommu_device_register() for smmu driver\nprobe has executed but before the driver_bound() for smmu driver\nhas been called.\n\nFollowing is how the race occurs:\n\nT1:Smmu device probe\t\tT2: Client device probe\n\nreally_probe()\narm_smmu_device_probe()\niommu_device_register()\n\t\t\t\t\treally_probe()\n\t\t\t\t\tplatform_dma_configure()\n\t\t\t\t\tof_dma_configure()\n\t\t\t\t\tof_dma_configure_id()\n\t\t\t\t\tof_iommu_configure()\n\t\t\t\t\tiommu_probe_device()\n\t\t\t\t\tiommu_init_device()\n\t\t\t\t\tarm_smmu_probe_device()\n\t\t\t\t\tarm_smmu_get_by_fwnode()\n\t\t\t\t\t\tdriver_find_device_by_fwnode()\n\t\t\t\t\t\tdriver_find_device()\n\t\t\t\t\t\tnext_device()\n\t\t\t\t\t\tklist_next()\n\t\t\t\t\t\t    /* null ptr\n\t\t\t\t\t\t       assigned to smmu */\n\t\t\t\t\t/* null ptr dereference\n\t\t\t\t\t   while smmu-\u003estreamid_mask */\ndriver_bound()\n\tklist_add_tail()\n\nWhen this null smmu pointer is dereferenced later in\narm_smmu_probe_device, the device crashes.\n\nFix this by deferring the probe of the client device\nuntil the smmu device has bound to the arm smmu driver.\n\n[will: Add comment]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:58:34.224Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2527d07c7e9cda2c6165d5edccf74752baac1b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc02407ea952e20c544a078a6be2e6f008327973"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a9485918a042e3114890dfbe19839a1897f8b2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/229e6ee43d2a160a1592b83aad620d6027084aad"
        }
      ],
      "title": "iommu/arm-smmu: Defer probe of clients after smmu device bound",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56568",
    "datePublished": "2024-12-27T14:23:11.733Z",
    "dateReserved": "2024-12-27T14:03:05.996Z",
    "dateUpdated": "2025-05-04T09:58:34.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21761 (GCVE-0-2025-21761)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:20

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF.

References

►

URL

Tags

	https://git.kernel.org/stable/c/e85a25d1a9985645e796039e843d1de581d2de1e
	https://git.kernel.org/stable/c/a8816b3f1f151373fd30f1996f00480126c8bb11
	https://git.kernel.org/stable/c/a884f57600e463f69d7b279c4598b865260b62a1
	https://git.kernel.org/stable/c/7e01abc34e87abd091e619161a20f54ed4e3e2da
	https://git.kernel.org/stable/c/8ec57509c36c8b9a23e50b7858dda0c520a2d074
	https://git.kernel.org/stable/c/a849a10de5e04d798f7f286a2f1ca174719a617a
	https://git.kernel.org/stable/c/5828937742af74666192835d657095d95c53dbd0
	https://git.kernel.org/stable/c/90b2f49a502fa71090d9f4fe29a2f51fe5dff76d

Impacted products

Vendor

Product

Version

►

Linux

Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b

Linux

Version: 4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21761",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:35.920303Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e85a25d1a9985645e796039e843d1de581d2de1e",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "a8816b3f1f151373fd30f1996f00480126c8bb11",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "a884f57600e463f69d7b279c4598b865260b62a1",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "7e01abc34e87abd091e619161a20f54ed4e3e2da",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "8ec57509c36c8b9a23e50b7858dda0c520a2d074",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "a849a10de5e04d798f7f286a2f1ca174719a617a",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "5828937742af74666192835d657095d95c53dbd0",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            },
            {
              "lessThan": "90b2f49a502fa71090d9f4fe29a2f51fe5dff76d",
              "status": "affected",
              "version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: use RCU protection in ovs_vport_cmd_fill_info()\n\novs_vport_cmd_fill_info() can be called without RTNL or RCU.\n\nUse RCU protection and dev_net_rcu() to avoid potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:33.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e85a25d1a9985645e796039e843d1de581d2de1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8816b3f1f151373fd30f1996f00480126c8bb11"
        },
        {
          "url": "https://git.kernel.org/stable/c/a884f57600e463f69d7b279c4598b865260b62a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e01abc34e87abd091e619161a20f54ed4e3e2da"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ec57509c36c8b9a23e50b7858dda0c520a2d074"
        },
        {
          "url": "https://git.kernel.org/stable/c/a849a10de5e04d798f7f286a2f1ca174719a617a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5828937742af74666192835d657095d95c53dbd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/90b2f49a502fa71090d9f4fe29a2f51fe5dff76d"
        }
      ],
      "title": "openvswitch: use RCU protection in ovs_vport_cmd_fill_info()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21761",
    "datePublished": "2025-02-27T02:18:14.054Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-05-04T07:20:33.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56702 (GCVE-0-2024-56702)

Vulnerability from cvelistv5

Published

2024-12-28 09:46

Modified

2025-05-04 10:02

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Mark raw_tp arguments with PTR_MAYBE_NULL Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0]. Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel. To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment. The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag. To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL. While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now. It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later. Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb

References

►

URL

Tags

	https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6
	https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8
	https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d

Impacted products

Vendor

Product

Version

►

Linux

Version: 3f00c52393445ed49aadc1a567aa502c6333b1a1
Version: 3f00c52393445ed49aadc1a567aa502c6333b1a1
Version: 3f00c52393445ed49aadc1a567aa502c6333b1a1

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/btf.c",
            "kernel/bpf/verifier.c",
            "tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6",
              "status": "affected",
              "version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
              "versionType": "git"
            },
            {
              "lessThan": "3634d4a310820567fc634bf8f1ee2b91378773e8",
              "status": "affected",
              "version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
              "versionType": "git"
            },
            {
              "lessThan": "cb4158ce8ec8a5bb528cc1693356a5eb8058094d",
              "status": "affected",
              "version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/btf.c",
            "kernel/bpf/verifier.c",
            "tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\n\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL.  However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\n\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier\u0027s knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\n\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don\u0027t do this when ref_obj_id \u003e 0, as in\nthat case this is an acquired object and doesn\u0027t need such adjustment.\n\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\n\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\n\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\n\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon\u0027t regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\n\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n\n  [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:02:50.500Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d"
        }
      ],
      "title": "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56702",
    "datePublished": "2024-12-28T09:46:24.244Z",
    "dateReserved": "2024-12-27T15:00:39.856Z",
    "dateUpdated": "2025-05-04T10:02:50.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21659 (GCVE-0-2025-21659)

Vulnerability from cvelistv5

Published

2025-01-21 12:18

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netdev: prevent accessing NAPI instances from another namespace The NAPI IDs were not fully exposed to user space prior to the netlink API, so they were never namespaced. The netlink API must ensure that at the very least NAPI instance belongs to the same netns as the owner of the genl sock. napi_by_id() can become static now, but it needs to move because of dev_get_by_napi_id().

References

►

URL

Tags

	https://git.kernel.org/stable/c/b683ba0df11ff563cc237eb1b74d6adfa77226bf
	https://git.kernel.org/stable/c/d1cacd74776895f6435941f86a1130e58f6dd226

Impacted products

Vendor

Product

Version

►

Linux

Version: 27f91aaf49b3a50e5a02ad5fa27b7c453d029a72
Version: 27f91aaf49b3a50e5a02ad5fa27b7c453d029a72

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/core/dev.h",
            "net/core/netdev-genl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b683ba0df11ff563cc237eb1b74d6adfa77226bf",
              "status": "affected",
              "version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
              "versionType": "git"
            },
            {
              "lessThan": "d1cacd74776895f6435941f86a1130e58f6dd226",
              "status": "affected",
              "version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/core/dev.h",
            "net/core/netdev-genl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdev: prevent accessing NAPI instances from another namespace\n\nThe NAPI IDs were not fully exposed to user space prior to the netlink\nAPI, so they were never namespaced. The netlink API must ensure that\nat the very least NAPI instance belongs to the same netns as the owner\nof the genl sock.\n\nnapi_by_id() can become static now, but it needs to move because of\ndev_get_by_napi_id()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:25.265Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b683ba0df11ff563cc237eb1b74d6adfa77226bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1cacd74776895f6435941f86a1130e58f6dd226"
        }
      ],
      "title": "netdev: prevent accessing NAPI instances from another namespace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21659",
    "datePublished": "2025-01-21T12:18:15.407Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-05-04T07:18:25.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21861 (GCVE-0-2025-21861)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7
	https://git.kernel.org/stable/c/069dd21ea8262204f94737878389c2815a054a9e
	https://git.kernel.org/stable/c/41cddf83d8b00f29fd105e7a0777366edc69a5cf

Impacted products

Vendor

Product

Version

►

Linux

Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6
Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6
Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6

Linux

Version: 4.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7",
              "status": "affected",
              "version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
              "versionType": "git"
            },
            {
              "lessThan": "069dd21ea8262204f94737878389c2815a054a9e",
              "status": "affected",
              "version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
              "versionType": "git"
            },
            {
              "lessThan": "41cddf83d8b00f29fd105e7a0777366edc69a5cf",
              "status": "affected",
              "version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()\n\nIf migration succeeded, we called\nfolio_migrate_flags()-\u003emem_cgroup_migrate() to migrate the memcg from the\nold to the new folio.  This will set memcg_data of the old folio to 0.\n\nSimilarly, if migration failed, memcg_data of the dst folio is left unset.\n\nIf we call folio_putback_lru() on such folios (memcg_data == 0), we will\nadd the folio to be freed to the LRU, making memcg code unhappy.  Running\nthe hmm selftests:\n\n  # ./hmm-tests\n  ...\n  #  RUN           hmm.hmm_device_private.migrate ...\n  [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00\n  [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)\n  [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9\n  [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000\n  [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg \u0026\u0026 !mem_cgroup_disabled())\n  [  102.087230][T14893] ------------[ cut here ]------------\n  [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.090478][T14893] Modules linked in:\n  [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151\n  [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n  [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.096104][T14893] Code: ...\n  [  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293\n  [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426\n  [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880\n  [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\n  [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8\n  [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000\n  [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000\n  [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0\n  [  102.113478][T14893] PKRU: 55555554\n  [  102.114172][T14893] Call Trace:\n  [  102.114805][T14893]  \u003cTASK\u003e\n  [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.116547][T14893]  ? __warn.cold+0x110/0x210\n  [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.118667][T14893]  ? report_bug+0x1b9/0x320\n  [  102.119571][T14893]  ? handle_bug+0x54/0x90\n  [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50\n  [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20\n  [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0\n  [  102.123506][T14893]  ? dump_page+0x4f/0x60\n  [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200\n  [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10\n  [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720\n  [  102.128633][T14893]  ? __pfx_lru_add+0x10/0x10\n  [  102.129550][T14893]  folio_putback_lru+0x16/0x80\n  [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530\n  [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0\n  [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80\n\nLikely, nothing else goes wrong: putting the last folio reference will\nremove the folio from the LRU again.  So besides memcg complaining, adding\nthe folio to be freed to the LRU is just an unnecessary step.\n\nThe new flow resembles what we have in migrate_folio_move(): add the dst\nto the lru, rem\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:44.128Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7"
        },
        {
          "url": "https://git.kernel.org/stable/c/069dd21ea8262204f94737878389c2815a054a9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/41cddf83d8b00f29fd105e7a0777366edc69a5cf"
        }
      ],
      "title": "mm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21861",
    "datePublished": "2025-03-12T09:42:19.199Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-05-04T07:22:44.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21844 (GCVE-0-2025-21844)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: Add check for next_buffer in receive_encrypted_standard() Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f277e479eea3d1aa18bc712abe1d2bf3dece2e30
	https://git.kernel.org/stable/c/f618aeb6cad2307e48a641379db610abcf593edf
	https://git.kernel.org/stable/c/24e8e4523d3071bc5143b0db9127d511489f7b3b
	https://git.kernel.org/stable/c/9e5d99a4cf2e23c716b44862975548415fae5391
	https://git.kernel.org/stable/c/a9b0b4b29877cb4dc5d0842b59b5ccbacddb85bd
	https://git.kernel.org/stable/c/554736b583f529ee159aa95af9a0cbc12b5ffc96
	https://git.kernel.org/stable/c/860ca5e50f73c2a1cef7eefc9d39d04e275417f7

Impacted products

Vendor

Product

Version

►

Linux

Version: b03c8099a738a04d2343547ae6a04e5f0f63d3fa
Version: 858e73ff25639a0cc1f6f8d2587b62c045867e41
Version: 9f528a8e68327117837b5e28b096f52af4c26a05
Version: 534733397da26de0303057ce0b93a22bda150365
Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7
Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7
Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f277e479eea3d1aa18bc712abe1d2bf3dece2e30",
              "status": "affected",
              "version": "b03c8099a738a04d2343547ae6a04e5f0f63d3fa",
              "versionType": "git"
            },
            {
              "lessThan": "f618aeb6cad2307e48a641379db610abcf593edf",
              "status": "affected",
              "version": "858e73ff25639a0cc1f6f8d2587b62c045867e41",
              "versionType": "git"
            },
            {
              "lessThan": "24e8e4523d3071bc5143b0db9127d511489f7b3b",
              "status": "affected",
              "version": "9f528a8e68327117837b5e28b096f52af4c26a05",
              "versionType": "git"
            },
            {
              "lessThan": "9e5d99a4cf2e23c716b44862975548415fae5391",
              "status": "affected",
              "version": "534733397da26de0303057ce0b93a22bda150365",
              "versionType": "git"
            },
            {
              "lessThan": "a9b0b4b29877cb4dc5d0842b59b5ccbacddb85bd",
              "status": "affected",
              "version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
              "versionType": "git"
            },
            {
              "lessThan": "554736b583f529ee159aa95af9a0cbc12b5ffc96",
              "status": "affected",
              "version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
              "versionType": "git"
            },
            {
              "lessThan": "860ca5e50f73c2a1cef7eefc9d39d04e275417f7",
              "status": "affected",
              "version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.211",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.150",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "6.1.69",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Add check for next_buffer in receive_encrypted_standard()\n\nAdd check for the return value of cifs_buf_get() and cifs_small_buf_get()\nin receive_encrypted_standard() to prevent null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:24.160Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f277e479eea3d1aa18bc712abe1d2bf3dece2e30"
        },
        {
          "url": "https://git.kernel.org/stable/c/f618aeb6cad2307e48a641379db610abcf593edf"
        },
        {
          "url": "https://git.kernel.org/stable/c/24e8e4523d3071bc5143b0db9127d511489f7b3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e5d99a4cf2e23c716b44862975548415fae5391"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9b0b4b29877cb4dc5d0842b59b5ccbacddb85bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/554736b583f529ee159aa95af9a0cbc12b5ffc96"
        },
        {
          "url": "https://git.kernel.org/stable/c/860ca5e50f73c2a1cef7eefc9d39d04e275417f7"
        }
      ],
      "title": "smb: client: Add check for next_buffer in receive_encrypted_standard()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21844",
    "datePublished": "2025-03-12T09:42:00.435Z",
    "dateReserved": "2024-12-29T08:45:45.778Z",
    "dateUpdated": "2025-05-04T07:22:24.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21699 (GCVE-0-2025-21699)

Vulnerability from cvelistv5

Published

2025-02-12 13:52

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two.

References

►

URL

Tags

	https://git.kernel.org/stable/c/2b0bd5051ad1c1e9ef4879f18e15a7712c974f3e
	https://git.kernel.org/stable/c/8c41abc11aa8438c9ed2d973f97e66674c0355df
	https://git.kernel.org/stable/c/4e3ded34f3f3c9d7ed2aac7be8cf51153646574a
	https://git.kernel.org/stable/c/2a40a140e11fec699e128170ccaa98b6b82cb503
	https://git.kernel.org/stable/c/4dd57d1f0e9844311c635a7fb39abce4f2ac5a61
	https://git.kernel.org/stable/c/4516febe325342555bb09ca5b396fb816d655821
	https://git.kernel.org/stable/c/5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0
	https://git.kernel.org/stable/c/7c9d9223802fbed4dee1ae301661bf346964c9d2

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b0bd5051ad1c1e9ef4879f18e15a7712c974f3e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8c41abc11aa8438c9ed2d973f97e66674c0355df",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4e3ded34f3f3c9d7ed2aac7be8cf51153646574a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2a40a140e11fec699e128170ccaa98b6b82cb503",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4dd57d1f0e9844311c635a7fb39abce4f2ac5a61",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4516febe325342555bb09ca5b396fb816d655821",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7c9d9223802fbed4dee1ae301661bf346964c9d2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Truncate address space when flipping GFS2_DIF_JDATA flag\n\nTruncate an inode\u0027s address space when flipping the GFS2_DIF_JDATA flag:\ndepending on that flag, the pages in the address space will either use\nbuffer heads or iomap_folio_state structs, and we cannot mix the two."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:15.766Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b0bd5051ad1c1e9ef4879f18e15a7712c974f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c41abc11aa8438c9ed2d973f97e66674c0355df"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e3ded34f3f3c9d7ed2aac7be8cf51153646574a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a40a140e11fec699e128170ccaa98b6b82cb503"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dd57d1f0e9844311c635a7fb39abce4f2ac5a61"
        },
        {
          "url": "https://git.kernel.org/stable/c/4516febe325342555bb09ca5b396fb816d655821"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c9d9223802fbed4dee1ae301661bf346964c9d2"
        }
      ],
      "title": "gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21699",
    "datePublished": "2025-02-12T13:52:50.962Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2025-05-04T07:19:15.766Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47408 (GCVE-0-2024-47408)

Vulnerability from cvelistv5

Published

2025-01-11 12:35

Modified

2025-05-04 09:36

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a36364d8d4fabb105001f992fb8ff2d3546203d6
	https://git.kernel.org/stable/c/e1cc8be2a785a8f1ce1f597f3e608602c5fccd46
	https://git.kernel.org/stable/c/935caf324b445fe73d7708fae6f7176fb243f357
	https://git.kernel.org/stable/c/48d5a8a304a643613dab376a278f29d3e22f7c34
	https://git.kernel.org/stable/c/9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad

Impacted products

Vendor

Product

Version

►

Linux

Version: 5c21c4ccafe85906db809de3af391fd434df8a27
Version: 5c21c4ccafe85906db809de3af391fd434df8a27
Version: 5c21c4ccafe85906db809de3af391fd434df8a27
Version: 5c21c4ccafe85906db809de3af391fd434df8a27
Version: 5c21c4ccafe85906db809de3af391fd434df8a27

Linux

Version: 5.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36364d8d4fabb105001f992fb8ff2d3546203d6",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "e1cc8be2a785a8f1ce1f597f3e608602c5fccd46",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "935caf324b445fe73d7708fae6f7176fb243f357",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "48d5a8a304a643613dab376a278f29d3e22f7c34",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            },
            {
              "lessThan": "9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad",
              "status": "affected",
              "version": "5c21c4ccafe85906db809de3af391fd434df8a27",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c",
            "net/smc/smc_clc.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.122",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.68",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.7",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check smcd_v2_ext_offset when receiving proposal msg\n\nWhen receiving proposal msg in server, the field smcd_v2_ext_offset in\nproposal msg is from the remote client and can not be fully trusted.\nOnce the value of smcd_v2_ext_offset exceed the max value, there has\nthe chance to access wrong address, and crash may happen.\n\nThis patch checks the value of smcd_v2_ext_offset before using it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:36:30.974Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36364d8d4fabb105001f992fb8ff2d3546203d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1cc8be2a785a8f1ce1f597f3e608602c5fccd46"
        },
        {
          "url": "https://git.kernel.org/stable/c/935caf324b445fe73d7708fae6f7176fb243f357"
        },
        {
          "url": "https://git.kernel.org/stable/c/48d5a8a304a643613dab376a278f29d3e22f7c34"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad"
        }
      ],
      "title": "net/smc: check smcd_v2_ext_offset when receiving proposal msg",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47408",
    "datePublished": "2025-01-11T12:35:35.284Z",
    "dateReserved": "2025-01-11T12:34:02.588Z",
    "dateUpdated": "2025-05-04T09:36:30.974Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21888 (GCVE-0-2025-21888)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs(). [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0
	https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f
	https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770

Impacted products

Vendor

Product

Version

►

Linux

Version: f18ec422311767738ef4033b61e91cae07163b22
Version: f18ec422311767738ef4033b61e91cae07163b22
Version: f18ec422311767738ef4033b61e91cae07163b22

Linux

Version: 5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0bd34bdd468e93a779c403de3cf7d43ee633b3e0",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            },
            {
              "lessThan": "f1298cad47ae29828c5c5be77e733ccfcaef6a7f",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            },
            {
              "lessThan": "abc7b3f1f056d69a8f11d6dceecc0c9549ace770",
              "status": "affected",
              "version": "f18ec422311767738ef4033b61e91cae07163b22",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\nMemory regions (MR) of type DM (device memory) do not have an associated\numem.\n\nIn the __mlx5_ib_dereg_mr() -\u003e mlx5_free_priv_descs() flow, the code\nincorrectly takes the wrong branch, attempting to call\ndma_unmap_single() on a DMA address that is not mapped.\n\nThis results in a WARN [1], as shown below.\n\nThe issue is resolved by properly accounting for the DM type and\nensuring the correct branch is selected in mlx5_free_priv_descs().\n\n[1]\nWARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90\nModules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:iommu_dma_unmap_page+0x79/0x90\nCode: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00\nRSP: 0018:ffffc90001913a10 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x84/0x190\n? iommu_dma_unmap_page+0x79/0x90\n? report_bug+0xf8/0x1c0\n? handle_bug+0x55/0x90\n? exc_invalid_op+0x13/0x60\n? asm_exc_invalid_op+0x16/0x20\n? iommu_dma_unmap_page+0x79/0x90\ndma_unmap_page_attrs+0xe6/0x290\nmlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f537adaf17b\nCode: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b\nRDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270\nR10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190\nR13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450\n\u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:23.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770"
        }
      ],
      "title": "RDMA/mlx5: Fix a WARN during dereg_mr for DM type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21888",
    "datePublished": "2025-03-27T14:57:15.141Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-05-04T07:23:23.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21767 (GCVE-0-2025-21767)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context The following bug report happened with a PREEMPT_RT kernel: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 get_random_u32+0x4f/0x110 clocksource_verify_choose_cpus+0xab/0x1a0 clocksource_verify_percpu.part.0+0x6b/0x330 clocksource_watchdog_kthread+0x193/0x1a0 It is due to the fact that clocksource_verify_choose_cpus() is invoked with preemption disabled. This function invokes get_random_u32() to obtain random numbers for choosing CPUs. The batched_entropy_32 local lock and/or the base_crng.lock spinlock in driver/char/random.c will be acquired during the call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot be acquired in atomic context. Fix this problem by using migrate_disable() to allow smp_processor_id() to be reliably used without introducing atomic context. preempt_disable() is then called after clocksource_verify_choose_cpus() but before the clocksource measurement is being run to avoid introducing unexpected latency.

References

►

URL

Tags

	https://git.kernel.org/stable/c/d9c217fadfcff7a8df58567517d1e4253f3fd243
	https://git.kernel.org/stable/c/60f54f0d4ea530950549a8263e6fdd70a40490a4
	https://git.kernel.org/stable/c/852805b6cbdb69c298a8fc9fbe79994c95106e04
	https://git.kernel.org/stable/c/8783ceeee797d9aa9cfe150690fb9d0bac8cc459
	https://git.kernel.org/stable/c/cc3d79e7c806cb57d71c28a4a35e7d7fb3265faa
	https://git.kernel.org/stable/c/0fb534187d2355f6c8f995321e76d1ccd1262ac1
	https://git.kernel.org/stable/c/6bb05a33337b2c842373857b63de5c9bf1ae2a09

Impacted products

Vendor

Product

Version

►

Linux

Version: d9b40ebd448e437ffbc65f013836f98252279a82
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 7560c02bdffb7c52d1457fa551b9e745d4b9e754
Version: 193e14e68e907b2a7a936a7726accbaa4df25a4d
Version: 155d3c5d24ee13cafa6236b49fc02b240a511d59

Linux

Version: 5.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/clocksource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9c217fadfcff7a8df58567517d1e4253f3fd243",
              "status": "affected",
              "version": "d9b40ebd448e437ffbc65f013836f98252279a82",
              "versionType": "git"
            },
            {
              "lessThan": "60f54f0d4ea530950549a8263e6fdd70a40490a4",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "lessThan": "852805b6cbdb69c298a8fc9fbe79994c95106e04",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "lessThan": "8783ceeee797d9aa9cfe150690fb9d0bac8cc459",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "lessThan": "cc3d79e7c806cb57d71c28a4a35e7d7fb3265faa",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "lessThan": "0fb534187d2355f6c8f995321e76d1ccd1262ac1",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "lessThan": "6bb05a33337b2c842373857b63de5c9bf1ae2a09",
              "status": "affected",
              "version": "7560c02bdffb7c52d1457fa551b9e745d4b9e754",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "193e14e68e907b2a7a936a7726accbaa4df25a4d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "155d3c5d24ee13cafa6236b49fc02b240a511d59",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/clocksource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context\n\nThe following bug report happened with a PREEMPT_RT kernel:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog\n  preempt_count: 1, expected: 0\n  RCU nest depth: 0, expected: 0\n  get_random_u32+0x4f/0x110\n  clocksource_verify_choose_cpus+0xab/0x1a0\n  clocksource_verify_percpu.part.0+0x6b/0x330\n  clocksource_watchdog_kthread+0x193/0x1a0\n\nIt is due to the fact that clocksource_verify_choose_cpus() is invoked with\npreemption disabled.  This function invokes get_random_u32() to obtain\nrandom numbers for choosing CPUs.  The batched_entropy_32 local lock and/or\nthe base_crng.lock spinlock in driver/char/random.c will be acquired during\nthe call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot\nbe acquired in atomic context.\n\nFix this problem by using migrate_disable() to allow smp_processor_id() to\nbe reliably used without introducing atomic context. preempt_disable() is\nthen called after clocksource_verify_choose_cpus() but before the\nclocksource measurement is being run to avoid introducing unexpected\nlatency."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:30.777Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9c217fadfcff7a8df58567517d1e4253f3fd243"
        },
        {
          "url": "https://git.kernel.org/stable/c/60f54f0d4ea530950549a8263e6fdd70a40490a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/852805b6cbdb69c298a8fc9fbe79994c95106e04"
        },
        {
          "url": "https://git.kernel.org/stable/c/8783ceeee797d9aa9cfe150690fb9d0bac8cc459"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc3d79e7c806cb57d71c28a4a35e7d7fb3265faa"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fb534187d2355f6c8f995321e76d1ccd1262ac1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bb05a33337b2c842373857b63de5c9bf1ae2a09"
        }
      ],
      "title": "clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21767",
    "datePublished": "2025-02-27T02:18:17.067Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-05-04T13:06:30.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26634 (GCVE-0-2024-26634)

Vulnerability from cvelistv5

Published

2024-03-18 10:14

Modified

2025-05-04 12:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get "refunded" to init_net when that namespace disappears. The main interface name may get overwritten in the process if it would have conflicted. We need to also discard all conflicting altnames. Recent fixes addressed ensuring that altnames get moved with the main interface, which surfaced this problem.

References

►

URL

Tags

	https://git.kernel.org/stable/c/a2232f29bf52c24f827865b3c90829c44b6c695b
	https://git.kernel.org/stable/c/e855dded4b70d1975ee7b9fed0c700391e3c8ea6
	https://git.kernel.org/stable/c/8072699aa9e67d1727692cfb3c347263bb627fb9
	https://git.kernel.org/stable/c/d09486a04f5da0a812c26217213b89a3b1acf836

Impacted products

Vendor

Product

Version

►

Linux

Version: 673edcffa0960fc154085d639e10f80b6317d3bd
Version: 7663d522099ecc464512164e660bc771b2ff7b64
Version: 7663d522099ecc464512164e660bc771b2ff7b64
Version: 7663d522099ecc464512164e660bc771b2ff7b64
Version: f7a69786fe5ec75d1cdd71b465e74a1adc68ef40

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a2232f29bf52c24f827865b3c90829c44b6c695b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e855dded4b70d1975ee7b9fed0c700391e3c8ea6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8072699aa9e67d1727692cfb3c347263bb627fb9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d09486a04f5da0a812c26217213b89a3b1acf836"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:55:13.071723Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:18.527Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/core/dev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a2232f29bf52c24f827865b3c90829c44b6c695b",
              "status": "affected",
              "version": "673edcffa0960fc154085d639e10f80b6317d3bd",
              "versionType": "git"
            },
            {
              "lessThan": "e855dded4b70d1975ee7b9fed0c700391e3c8ea6",
              "status": "affected",
              "version": "7663d522099ecc464512164e660bc771b2ff7b64",
              "versionType": "git"
            },
            {
              "lessThan": "8072699aa9e67d1727692cfb3c347263bb627fb9",
              "status": "affected",
              "version": "7663d522099ecc464512164e660bc771b2ff7b64",
              "versionType": "git"
            },
            {
              "lessThan": "d09486a04f5da0a812c26217213b89a3b1acf836",
              "status": "affected",
              "version": "7663d522099ecc464512164e660bc771b2ff7b64",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f7a69786fe5ec75d1cdd71b465e74a1adc68ef40",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c",
            "net/core/dev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.76",
                  "versionStartIncluding": "6.1.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix removing a namespace with conflicting altnames\n\nMark reports a BUG() when a net namespace is removed.\n\n    kernel BUG at net/core/dev.c:11520!\n\nPhysical interfaces moved outside of init_net get \"refunded\"\nto init_net when that namespace disappears. The main interface\nname may get overwritten in the process if it would have\nconflicted. We need to also discard all conflicting altnames.\nRecent fixes addressed ensuring that altnames get moved\nwith the main interface, which surfaced this problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:54:19.482Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a2232f29bf52c24f827865b3c90829c44b6c695b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e855dded4b70d1975ee7b9fed0c700391e3c8ea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8072699aa9e67d1727692cfb3c347263bb627fb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d09486a04f5da0a812c26217213b89a3b1acf836"
        }
      ],
      "title": "net: fix removing a namespace with conflicting altnames",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26634",
    "datePublished": "2024-03-18T10:14:46.639Z",
    "dateReserved": "2024-02-19T14:20:24.136Z",
    "dateUpdated": "2025-05-04T12:54:19.482Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57980 (GCVE-0-2024-57980)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 10:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda <ribalda@chromium.org>

References

►

URL

Tags

	https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d
	https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c
	https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277
	https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d
	https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49
	https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22
	https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4
	https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac

Impacted products

Vendor

Product

Version

►

Linux

Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1

Linux

Version: 2.6.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_status.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "87522ef165e5b6de8ef98cc318f3335166a1512c",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "9232719ac9ce4d5c213cebda23d72aec3e1c4c0d",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "6c36dcd662ec5276782838660f8533a7cb26be49",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "d1f8e69eec91d5a75ef079778a5d0151db2a7f22",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "d8e63dd7b6683969d3d47c7b8e9635f96d554ad4",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            },
            {
              "lessThan": "c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac",
              "status": "affected",
              "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_status.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:38.248Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277"
        },
        {
          "url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac"
        }
      ],
      "title": "media: uvcvideo: Fix double free in error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57980",
    "datePublished": "2025-02-27T02:07:06.849Z",
    "dateReserved": "2025-02-27T02:04:28.912Z",
    "dateUpdated": "2025-05-04T10:07:38.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21715 (GCVE-0-2025-21715)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 13:06

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool.

References

►

URL

Tags

	https://git.kernel.org/stable/c/db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9
	https://git.kernel.org/stable/c/a53cb72043443ac787ec0b5fa17bb3f8ff3d462b
	https://git.kernel.org/stable/c/7d7d201eb3b766abe590ac0dda7a508b7db3e357
	https://git.kernel.org/stable/c/c94ab07edc2843e2f3d46dbd82e5c681503aaadf
	https://git.kernel.org/stable/c/c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca
	https://git.kernel.org/stable/c/5a54367a7c2378c65aaa4d3cfd952f26adef7aa7
	https://git.kernel.org/stable/c/2013c95df6752d9c88221d0f0f37b6f197969390
	https://git.kernel.org/stable/c/19e65c45a1507a1a2926649d2db3583ed9d55fd9

Impacted products

Vendor

Product

Version

►

Linux

Version: d28e783c20033b90a64d4e1307bafb56085d8184
Version: 4fd0654b8f2129b68203974ddee15f804ec011c2
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b
Version: d182994b2b6e23778b146a230efac8f1d77a3445
Version: 427b3fc3d5244fef9c1f910a9c699f2690642f83
Version: 9c49181c201d434186ca6b1a7b52e29f4169f6f8
Version: 9808f032c4d971cbf2b01411a0a2a8ee0040efe3
Version: a1f308089257616cdb91b4334c5eaa81ae17e387

Linux

Version: 5.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:14.582749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:28.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/davicom/dm9000.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9",
              "status": "affected",
              "version": "d28e783c20033b90a64d4e1307bafb56085d8184",
              "versionType": "git"
            },
            {
              "lessThan": "a53cb72043443ac787ec0b5fa17bb3f8ff3d462b",
              "status": "affected",
              "version": "4fd0654b8f2129b68203974ddee15f804ec011c2",
              "versionType": "git"
            },
            {
              "lessThan": "7d7d201eb3b766abe590ac0dda7a508b7db3e357",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "c94ab07edc2843e2f3d46dbd82e5c681503aaadf",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "5a54367a7c2378c65aaa4d3cfd952f26adef7aa7",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "2013c95df6752d9c88221d0f0f37b6f197969390",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "19e65c45a1507a1a2926649d2db3583ed9d55fd9",
              "status": "affected",
              "version": "cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d182994b2b6e23778b146a230efac8f1d77a3445",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "427b3fc3d5244fef9c1f910a9c699f2690642f83",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c49181c201d434186ca6b1a7b52e29f4169f6f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9808f032c4d971cbf2b01411a0a2a8ee0040efe3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a1f308089257616cdb91b4334c5eaa81ae17e387",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/davicom/dm9000.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.106",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.226",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: davicom: fix UAF in dm9000_drv_remove\n\ndm is netdev private data and it cannot be\nused after free_netdev() call. Using dm after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.\n\nThis is similar to the issue fixed in commit\nad297cd2db89 (\"net: qcom/emac: fix UAF in emac_remove\").\n\nThis bug is detected by our static analysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:26.157Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a53cb72043443ac787ec0b5fa17bb3f8ff3d462b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d7d201eb3b766abe590ac0dda7a508b7db3e357"
        },
        {
          "url": "https://git.kernel.org/stable/c/c94ab07edc2843e2f3d46dbd82e5c681503aaadf"
        },
        {
          "url": "https://git.kernel.org/stable/c/c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a54367a7c2378c65aaa4d3cfd952f26adef7aa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2013c95df6752d9c88221d0f0f37b6f197969390"
        },
        {
          "url": "https://git.kernel.org/stable/c/19e65c45a1507a1a2926649d2db3583ed9d55fd9"
        }
      ],
      "title": "net: davicom: fix UAF in dm9000_drv_remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21715",
    "datePublished": "2025-02-27T02:07:26.174Z",
    "dateReserved": "2024-12-29T08:45:45.752Z",
    "dateUpdated": "2025-05-04T13:06:26.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21743 (GCVE-0-2025-21743)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-05-04 07:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length.

References

►

URL

Tags

	https://git.kernel.org/stable/c/18bf6f5cce3172cb303c3f0551aa9443d5ed74f8
	https://git.kernel.org/stable/c/d677e7dd59ad6837496f5a02d8e5d39824278dfd
	https://git.kernel.org/stable/c/d824a964185910e317287f034c0a439c08b4fe49
	https://git.kernel.org/stable/c/c219427ed296f94bb4b91d08626776dc7719ee27

Impacted products

Vendor

Product

Version

►

Linux

Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226
Version: a2d274c62e44b1995c170595db3865c6fe701226

Linux

Version: 6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18bf6f5cce3172cb303c3f0551aa9443d5ed74f8",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "d677e7dd59ad6837496f5a02d8e5d39824278dfd",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "d824a964185910e317287f034c0a439c08b4fe49",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            },
            {
              "lessThan": "c219427ed296f94bb4b91d08626776dc7719ee27",
              "status": "affected",
              "version": "a2d274c62e44b1995c170595db3865c6fe701226",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/ipheth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix possible overflow in DPE length check\n\nOriginally, it was possible for the DPE length check to overflow if\nwDatagramIndex + wDatagramLength \u003e U16_MAX. This could lead to an OoB\nread.\n\nMove the wDatagramIndex term to the other side of the inequality.\n\nAn existing condition ensures that wDatagramIndex \u003c urb-\u003eactual_length."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:10.526Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18bf6f5cce3172cb303c3f0551aa9443d5ed74f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d677e7dd59ad6837496f5a02d8e5d39824278dfd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d824a964185910e317287f034c0a439c08b4fe49"
        },
        {
          "url": "https://git.kernel.org/stable/c/c219427ed296f94bb4b91d08626776dc7719ee27"
        }
      ],
      "title": "usbnet: ipheth: fix possible overflow in DPE length check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21743",
    "datePublished": "2025-02-27T02:12:16.696Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:10.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21756 (GCVE-0-2025-21756)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-08-14 21:02

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

References

►

URL

Tags

	https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173
	https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c
	https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
	https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
	https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
	https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
	https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a

Impacted products

Vendor

Product

Version

►

Linux

Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a

Linux

Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21756",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T21:01:56.187542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-14T21:02:02.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e7754d564579a5db9c5c9f74228df5d6dd6f1173",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "e48fcb403c2d0e574c19683f09399ab4cf67809c",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "42b33381e5e1f2b967dc4fb4221ddb9aaf10d197",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "3f43540166128951cc1be7ab1ce6b7f05c670d8b",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "645ce25aa0e67895b11d89f27bb86c9d444c40f8",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "b1afd40321f1c243cffbcf40ea7ca41aca87fa5e",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "fcdd2242c0231032fc84e1404315c245ae56322a",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Keep the binding until socket destruction\n\nPreserve sockets bindings; this includes both resulting from an explicit\nbind() and those implicitly bound through autobind during connect().\n\nPrevents socket unbinding during a transport reassignment, which fixes a\nuse-after-free:\n\n    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\n    2. transport-\u003erelease() calls vsock_remove_bound() without checking if\n       sk was bound and moved to bound list (refcnt=1)\n    3. vsock_bind() assumes sk is in unbound list and before\n       __vsock_insert_bound(vsock_bound_sockets()) calls\n       __vsock_remove_bound() which does:\n           list_del_init(\u0026vsk-\u003ebound_table); // nop\n           sock_put(\u0026vsk-\u003esk);               // refcnt=0\n\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n __vsock_bind+0x62e/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n __vsock_create.constprop.0+0x2e/0xb60\n vsock_create+0xe4/0x420\n __sock_create+0x241/0x650\n __sys_socket+0xf2/0x1a0\n __x64_sys_socket+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n __vsock_bind+0x5e1/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\nRIP: 0010:refcount_warn_saturate+0xce/0x150\n __vsock_bind+0x66d/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\nRIP: 0010:refcount_warn_saturate+0xee/0x150\n vsock_remove_bound+0x187/0x1e0\n __vsock_release+0x383/0x4a0\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x359/0xa80\n task_work_run+0x107/0x1d0\n do_exit+0x847/0x2560\n do_group_exit+0xb8/0x250\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0xfec/0x14f0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:28.873Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173"
        },
        {
          "url": "https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c"
        },
        {
          "url": "https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a"
        }
      ],
      "title": "vsock: Keep the binding until socket destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21756",
    "datePublished": "2025-02-27T02:18:11.547Z",
    "dateReserved": "2024-12-29T08:45:45.760Z",
    "dateUpdated": "2025-08-14T21:02:02.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26873 (GCVE-0-2024-26873)

Vulnerability from cvelistv5

Published

2024-04-17 10:27

Modified

2025-05-04 08:58

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix a deadlock issue related to automatic dump If we issue a disabling PHY command, the device attached with it will go offline, if a 2 bit ECC error occurs at the same time, a hung task may be found: [ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds. [ 4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208 [ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas] [ 4613.691518] Call trace: [ 4613.694678] __switch_to+0xf8/0x17c [ 4613.698872] __schedule+0x660/0xee0 [ 4613.703063] schedule+0xac/0x240 [ 4613.706994] schedule_timeout+0x500/0x610 [ 4613.711705] __down+0x128/0x36c [ 4613.715548] down+0x240/0x2d0 [ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main] [ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas] [ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas] [ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main] [ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main] [ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas] [ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas] [ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas] [ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas] [ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas] [ 4613.784716] process_one_work+0x248/0x950 [ 4613.789424] worker_thread+0x318/0x934 [ 4613.793878] kthread+0x190/0x200 [ 4613.797810] ret_from_fork+0x10/0x18 [ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds. [ 4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208 [ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main] [ 4613.841491] Call trace: [ 4613.844647] __switch_to+0xf8/0x17c [ 4613.848852] __schedule+0x660/0xee0 [ 4613.853052] schedule+0xac/0x240 [ 4613.856984] schedule_timeout+0x500/0x610 [ 4613.861695] __down+0x128/0x36c [ 4613.865542] down+0x240/0x2d0 [ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main] [ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main] [ 4613.883019] process_one_work+0x248/0x950 [ 4613.887732] worker_thread+0x318/0x934 [ 4613.892204] kthread+0x190/0x200 [ 4613.896118] ret_from_fork+0x10/0x18 [ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds. [ 4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208 [ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas] [ 4613.939549] Call trace: [ 4613.942702] __switch_to+0xf8/0x17c [ 4613.946892] __schedule+0x660/0xee0 [ 4613.951083] schedule+0xac/0x240 [ 4613.955015] schedule_timeout+0x500/0x610 [ 4613.959725] wait_for_common+0x200/0x610 [ 4613.964349] wait_for_completion+0x3c/0x5c [ 4613.969146] flush_workqueue+0x198/0x790 [ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas] [ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas] [ 4613.985708] process_one_work+0x248/0x950 [ 4613.990420] worker_thread+0x318/0x934 [ 4613.994868] kthread+0x190/0x200 [ 4613.998800] ret_from_fork+0x10/0x18 This is because when the device goes offline, we obtain the hisi_hba semaphore and send the ABORT_DEV command to the device. However, the internal abort timed out due to the 2 bit ECC error and triggers automatic dump. In addition, since the hisi_hba semaphore has been obtained, the dump cannot be executed and the controller cannot be reset. Therefore, the deadlocks occur on the following circular dependencies ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/a47f0b03149af538af4442ff0702eac430ace1cb
	https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a
	https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563
	https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953

Impacted products

Vendor

Product

Version

►

Linux

Version: 91e035e98fa1383ca90d774c29bb14c3c5ed2d8c
Version: 2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde
Version: 2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde
Version: 2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde

Linux

Version: 6.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T14:02:10.417549Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:43.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:04.227Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a47f0b03149af538af4442ff0702eac430ace1cb",
              "status": "affected",
              "version": "91e035e98fa1383ca90d774c29bb14c3c5ed2d8c",
              "versionType": "git"
            },
            {
              "lessThan": "e022dd3b875315a2d2001a512e98d1dc8c991f4a",
              "status": "affected",
              "version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
              "versionType": "git"
            },
            {
              "lessThan": "85c98073ffcfe9e46abfb9c66f3364467119d563",
              "status": "affected",
              "version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
              "versionType": "git"
            },
            {
              "lessThan": "3c4f53b2c341ec6428b98cb51a89a09b025d0953",
              "status": "affected",
              "version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hisi_sas/hisi_sas_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.11",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Fix a deadlock issue related to automatic dump\n\nIf we issue a disabling PHY command, the device attached with it will go\noffline, if a 2 bit ECC error occurs at the same time, a hung task may be\nfound:\n\n[ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds.\n[ 4613.666297] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.674809] task:kworker/u256:0  state:D stack:    0 pid:165233 ppid:     2 flags:0x00000208\n[ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas]\n[ 4613.691518] Call trace:\n[ 4613.694678]  __switch_to+0xf8/0x17c\n[ 4613.698872]  __schedule+0x660/0xee0\n[ 4613.703063]  schedule+0xac/0x240\n[ 4613.706994]  schedule_timeout+0x500/0x610\n[ 4613.711705]  __down+0x128/0x36c\n[ 4613.715548]  down+0x240/0x2d0\n[ 4613.719221]  hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main]\n[ 4613.726618]  sas_execute_internal_abort+0x144/0x310 [libsas]\n[ 4613.732976]  sas_execute_internal_abort_dev+0x44/0x60 [libsas]\n[ 4613.739504]  hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main]\n[ 4613.747499]  hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main]\n[ 4613.753682]  sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas]\n[ 4613.759781]  sas_unregister_common_dev+0x4c/0x7a0 [libsas]\n[ 4613.765962]  sas_destruct_devices+0xb8/0x120 [libsas]\n[ 4613.771709]  sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas]\n[ 4613.778930]  sas_revalidate_domain+0x60/0xa4 [libsas]\n[ 4613.784716]  process_one_work+0x248/0x950\n[ 4613.789424]  worker_thread+0x318/0x934\n[ 4613.793878]  kthread+0x190/0x200\n[ 4613.797810]  ret_from_fork+0x10/0x18\n[ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds.\n[ 4613.816026] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.824538] task:kworker/u256:4  state:D stack:    0 pid:316722 ppid:     2 flags:0x00000208\n[ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main]\n[ 4613.841491] Call trace:\n[ 4613.844647]  __switch_to+0xf8/0x17c\n[ 4613.848852]  __schedule+0x660/0xee0\n[ 4613.853052]  schedule+0xac/0x240\n[ 4613.856984]  schedule_timeout+0x500/0x610\n[ 4613.861695]  __down+0x128/0x36c\n[ 4613.865542]  down+0x240/0x2d0\n[ 4613.869216]  hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main]\n[ 4613.876324]  hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main]\n[ 4613.883019]  process_one_work+0x248/0x950\n[ 4613.887732]  worker_thread+0x318/0x934\n[ 4613.892204]  kthread+0x190/0x200\n[ 4613.896118]  ret_from_fork+0x10/0x18\n[ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds.\n[ 4613.914341] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.922852] task:kworker/u256:1  state:D stack:    0 pid:348985 ppid:     2 flags:0x00000208\n[ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas]\n[ 4613.939549] Call trace:\n[ 4613.942702]  __switch_to+0xf8/0x17c\n[ 4613.946892]  __schedule+0x660/0xee0\n[ 4613.951083]  schedule+0xac/0x240\n[ 4613.955015]  schedule_timeout+0x500/0x610\n[ 4613.959725]  wait_for_common+0x200/0x610\n[ 4613.964349]  wait_for_completion+0x3c/0x5c\n[ 4613.969146]  flush_workqueue+0x198/0x790\n[ 4613.973776]  sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas]\n[ 4613.979960]  sas_port_event_worker+0x54/0xa0 [libsas]\n[ 4613.985708]  process_one_work+0x248/0x950\n[ 4613.990420]  worker_thread+0x318/0x934\n[ 4613.994868]  kthread+0x190/0x200\n[ 4613.998800]  ret_from_fork+0x10/0x18\n\nThis is because when the device goes offline, we obtain the hisi_hba\nsemaphore and send the ABORT_DEV command to the device. However, the\ninternal abort timed out due to the 2 bit ECC error and triggers automatic\ndump. In addition, since the hisi_hba semaphore has been obtained, the dump\ncannot be executed and the controller cannot be reset.\n\nTherefore, the deadlocks occur on the following circular dependencies\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:58:34.180Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a47f0b03149af538af4442ff0702eac430ace1cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953"
        }
      ],
      "title": "scsi: hisi_sas: Fix a deadlock issue related to automatic dump",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26873",
    "datePublished": "2024-04-17T10:27:32.647Z",
    "dateReserved": "2024-02-19T14:20:24.184Z",
    "dateUpdated": "2025-05-04T08:58:34.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21668 (GCVE-0-2025-21668)

Vulnerability from cvelistv5

Published

2025-01-31 11:25

Modified

2025-05-04 07:18

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: dev_pm_domain_detach+0x8/0x48 platform_shutdown+0x2c/0x48 device_shutdown+0x158/0x268 kernel_restart_prepare+0x40/0x58 kernel_kexec+0x58/0xe8 __do_sys_reboot+0x198/0x258 __arm64_sys_reboot+0x2c/0x40 invoke_syscall+0x5c/0x138 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f

References

►

URL

Tags

	https://git.kernel.org/stable/c/699cc10cc3068f9097a506eae7fe178c860dca4e
	https://git.kernel.org/stable/c/926ad31b76b8e229b412536e77cdf828a5cae9c6
	https://git.kernel.org/stable/c/488a68c948bc52dc2a4554a56fdd99aa67c49b06
	https://git.kernel.org/stable/c/726efa92e02b460811e8bc6990dd742f03b645ea

Impacted products

Vendor

Product

Version

►

Linux

Version: 556f5cf9568af772d494cff24ffaa7ea41e1ab40
Version: 556f5cf9568af772d494cff24ffaa7ea41e1ab40
Version: 556f5cf9568af772d494cff24ffaa7ea41e1ab40
Version: 556f5cf9568af772d494cff24ffaa7ea41e1ab40

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "699cc10cc3068f9097a506eae7fe178c860dca4e",
              "status": "affected",
              "version": "556f5cf9568af772d494cff24ffaa7ea41e1ab40",
              "versionType": "git"
            },
            {
              "lessThan": "926ad31b76b8e229b412536e77cdf828a5cae9c6",
              "status": "affected",
              "version": "556f5cf9568af772d494cff24ffaa7ea41e1ab40",
              "versionType": "git"
            },
            {
              "lessThan": "488a68c948bc52dc2a4554a56fdd99aa67c49b06",
              "status": "affected",
              "version": "556f5cf9568af772d494cff24ffaa7ea41e1ab40",
              "versionType": "git"
            },
            {
              "lessThan": "726efa92e02b460811e8bc6990dd742f03b645ea",
              "status": "affected",
              "version": "556f5cf9568af772d494cff24ffaa7ea41e1ab40",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: add missing loop break condition\n\nCurrently imx8mp_blk_ctrl_remove() will continue the for loop\nuntil an out-of-bounds exception occurs.\n\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : dev_pm_domain_detach+0x8/0x48\nlr : imx8mp_blk_ctrl_shutdown+0x58/0x90\nsp : ffffffc084f8bbf0\nx29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000\nx26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028\nx23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0\nx20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff\nx17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72\nx14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000\nx11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8\nx8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077\nx2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n dev_pm_domain_detach+0x8/0x48\n platform_shutdown+0x2c/0x48\n device_shutdown+0x158/0x268\n kernel_restart_prepare+0x40/0x58\n kernel_kexec+0x58/0xe8\n __do_sys_reboot+0x198/0x258\n __arm64_sys_reboot+0x2c/0x40\n invoke_syscall+0x5c/0x138\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x38/0xc8\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x190/0x198\nCode: 8128c2d0 ffffffc0 aa1e03e9 d503201f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:40.937Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/699cc10cc3068f9097a506eae7fe178c860dca4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/926ad31b76b8e229b412536e77cdf828a5cae9c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/488a68c948bc52dc2a4554a56fdd99aa67c49b06"
        },
        {
          "url": "https://git.kernel.org/stable/c/726efa92e02b460811e8bc6990dd742f03b645ea"
        }
      ],
      "title": "pmdomain: imx8mp-blk-ctrl: add missing loop break condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21668",
    "datePublished": "2025-01-31T11:25:32.477Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-05-04T07:18:40.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21687 (GCVE-0-2025-21687)

Vulnerability from cvelistv5

Published

2025-02-10 15:58

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device.

References

►

URL

Tags

	https://git.kernel.org/stable/c/f21636f24b6786c8b13f1af4319fa75ffcf17f38
	https://git.kernel.org/stable/c/9377cdc118cf327248f1a9dde7b87de067681dc9
	https://git.kernel.org/stable/c/d19a8650fd3d7aed8d1af1d9a77f979a8430eba1
	https://git.kernel.org/stable/c/ed81d82bb6e9df3a137f2c343ed689e6c68268ef
	https://git.kernel.org/stable/c/92340e6c5122d823ad064984ef7513eba9204048
	https://git.kernel.org/stable/c/f65ce06387f8c1fb54bd59e18a8428248ec68eaf
	https://git.kernel.org/stable/c/6bcb8a5b70b80143db9bf12dfa7d53636f824d53
	https://git.kernel.org/stable/c/1485932496a1b025235af8aa1e21988d6b7ccd54
	https://git.kernel.org/stable/c/c981c32c38af80737a2fedc16e270546d139ccdd
	https://git.kernel.org/stable/c/a20fcaa230f7472456d12cf761ed13938e320ac3
	https://git.kernel.org/stable/c/665cfd1083866f87301bbd232cb8ba48dcf4acce
	https://git.kernel.org/stable/c/ce9ff21ea89d191e477a02ad7eabf4f996b80a69

Impacted products

Vendor

Product

Version

►

Linux

Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a
Version: 6e3f264560099869f68830cb14b3b3e71e5ac76a

Linux

Version: 4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/platform/vfio_platform_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f21636f24b6786c8b13f1af4319fa75ffcf17f38",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "9377cdc118cf327248f1a9dde7b87de067681dc9",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "d19a8650fd3d7aed8d1af1d9a77f979a8430eba1",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "ed81d82bb6e9df3a137f2c343ed689e6c68268ef",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "92340e6c5122d823ad064984ef7513eba9204048",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "f65ce06387f8c1fb54bd59e18a8428248ec68eaf",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "6bcb8a5b70b80143db9bf12dfa7d53636f824d53",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "1485932496a1b025235af8aa1e21988d6b7ccd54",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "c981c32c38af80737a2fedc16e270546d139ccdd",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "a20fcaa230f7472456d12cf761ed13938e320ac3",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "665cfd1083866f87301bbd232cb8ba48dcf4acce",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            },
            {
              "lessThan": "ce9ff21ea89d191e477a02ad7eabf4f996b80a69",
              "status": "affected",
              "version": "6e3f264560099869f68830cb14b3b3e71e5ac76a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/vfio/platform/vfio_platform_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: check the bounds of read/write syscalls\n\ncount and offset are passed from user space and not checked, only\noffset is capped to 40 bits, which can be used to read/write out of\nbounds of the device."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:03.532Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f21636f24b6786c8b13f1af4319fa75ffcf17f38"
        },
        {
          "url": "https://git.kernel.org/stable/c/9377cdc118cf327248f1a9dde7b87de067681dc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d19a8650fd3d7aed8d1af1d9a77f979a8430eba1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed81d82bb6e9df3a137f2c343ed689e6c68268ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/92340e6c5122d823ad064984ef7513eba9204048"
        },
        {
          "url": "https://git.kernel.org/stable/c/f65ce06387f8c1fb54bd59e18a8428248ec68eaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bcb8a5b70b80143db9bf12dfa7d53636f824d53"
        },
        {
          "url": "https://git.kernel.org/stable/c/1485932496a1b025235af8aa1e21988d6b7ccd54"
        },
        {
          "url": "https://git.kernel.org/stable/c/c981c32c38af80737a2fedc16e270546d139ccdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a20fcaa230f7472456d12cf761ed13938e320ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/665cfd1083866f87301bbd232cb8ba48dcf4acce"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce9ff21ea89d191e477a02ad7eabf4f996b80a69"
        }
      ],
      "title": "vfio/platform: check the bounds of read/write syscalls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21687",
    "datePublished": "2025-02-10T15:58:43.944Z",
    "dateReserved": "2024-12-29T08:45:45.741Z",
    "dateUpdated": "2025-05-04T07:19:03.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21723 (GCVE-0-2025-21723)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-05-04 07:19

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix possible crash when setting up bsg fails If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash: BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace: <TASK> mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr] mpi3mr_remove+0x6f/0x340 [mpi3mr] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19d/0x220 unbind_store+0xa4/0xb0 kernfs_fop_write_iter+0x11f/0x200 vfs_write+0x1fc/0x3e0 ksys_write+0x67/0xe0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2

References

►

URL

Tags

	https://git.kernel.org/stable/c/19b248069d1b1424982723a2bf3941ad864d5204
	https://git.kernel.org/stable/c/832b8f95a2832321b8200ae478ed988b25faaef4
	https://git.kernel.org/stable/c/295006f6e8c17212d3098811166e29627d19e05c

Impacted products

Vendor

Product

Version

►

Linux

Version: 4268fa7513655a83d5492705591fdac6c65db48a
Version: 4268fa7513655a83d5492705591fdac6c65db48a
Version: 4268fa7513655a83d5492705591fdac6c65db48a

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/mpi3mr/mpi3mr_app.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19b248069d1b1424982723a2bf3941ad864d5204",
              "status": "affected",
              "version": "4268fa7513655a83d5492705591fdac6c65db48a",
              "versionType": "git"
            },
            {
              "lessThan": "832b8f95a2832321b8200ae478ed988b25faaef4",
              "status": "affected",
              "version": "4268fa7513655a83d5492705591fdac6c65db48a",
              "versionType": "git"
            },
            {
              "lessThan": "295006f6e8c17212d3098811166e29627d19e05c",
              "status": "affected",
              "version": "4268fa7513655a83d5492705591fdac6c65db48a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/mpi3mr/mpi3mr_app.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix possible crash when setting up bsg fails\n\nIf bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.\nConsequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc-\u003ebsg_queue)\"\nwill not be satisfied, preventing execution from entering\nbsg_remove_queue(), which could lead to the following crash:\n\nBUG: kernel NULL pointer dereference, address: 000000000000041c\nCall Trace:\n  \u003cTASK\u003e\n  mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]\n  mpi3mr_remove+0x6f/0x340 [mpi3mr]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x19d/0x220\n  unbind_store+0xa4/0xb0\n  kernfs_fop_write_iter+0x11f/0x200\n  vfs_write+0x1fc/0x3e0\n  ksys_write+0x67/0xe0\n  do_syscall_64+0x38/0x80\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:47.558Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19b248069d1b1424982723a2bf3941ad864d5204"
        },
        {
          "url": "https://git.kernel.org/stable/c/832b8f95a2832321b8200ae478ed988b25faaef4"
        },
        {
          "url": "https://git.kernel.org/stable/c/295006f6e8c17212d3098811166e29627d19e05c"
        }
      ],
      "title": "scsi: mpi3mr: Fix possible crash when setting up bsg fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21723",
    "datePublished": "2025-02-27T02:07:30.985Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T07:19:47.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53178 (GCVE-0-2024-53178)

Vulnerability from cvelistv5

Published

2024-12-27 13:49

Modified

2025-05-04 09:55

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: Don't leak cfid when reconnect races with open_cached_dir open_cached_dir() may either race with the tcon reconnection even before compound_send_recv() or directly trigger a reconnection via SMB2_open_init() or SMB_query_info_init(). The reconnection process invokes invalidate_all_cached_dirs() via cifs_mark_open_files_invalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if has_lease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from open_cached_dir(). Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time. Addresses these kmemleaks: unreferenced object 0xffff8881090c4000 (size 1024): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O..... backtrace (crc 6f58c20f): [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350 [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e unreferenced object 0xffff8881044fdcf8 (size 8): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 8 bytes): 00 cc cc cc cc cc cc cc ........ backtrace (crc 10c106a9): [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480 [<ffffffff8b7d7256>] kstrdup+0x36/0x60 [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e And addresses these BUG splats when unmounting the SMB filesystem: BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100 Modules linked in: CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:umount_check+0xd0/0x100 Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: <TASK> d_walk+0x6a/0x530 shrink_dcache_for_umount+0x6a/0x200 generic_shutdown_super+0x52/0x2a0 kill_anon_super+0x22/0x40 cifs_kill_sb+0x159/0x1e0 deactivate_locked_super+0x66/0xe0 cleanup_mnt+0x140/0x210 task_work_run+0xfb/0x170 syscall_exit_to_user_mode+0x29f/0x2b0 do_syscall_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/31fabf70d58388d5475e48ca8a6b7d2847b36678
	https://git.kernel.org/stable/c/1d76332d783db12684b67592f1fb2057b88af4c3
	https://git.kernel.org/stable/c/73a57b25b4df23f22814fc06b7e8f9cf570be026
	https://git.kernel.org/stable/c/7afb86733685c64c604d32faf00fa4a1f22c2ab1

Impacted products

Vendor

Product

Version

►

Linux

Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7
Version: ebe98f1447bbccf8228335c62d86af02a0ed23f7

Linux

Version: 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31fabf70d58388d5475e48ca8a6b7d2847b36678",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "1d76332d783db12684b67592f1fb2057b88af4c3",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "73a57b25b4df23f22814fc06b7e8f9cf570be026",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "7afb86733685c64c604d32faf00fa4a1f22c2ab1",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Don\u0027t leak cfid when reconnect races with open_cached_dir\n\nopen_cached_dir() may either race with the tcon reconnection even before\ncompound_send_recv() or directly trigger a reconnection via\nSMB2_open_init() or SMB_query_info_init().\n\nThe reconnection process invokes invalidate_all_cached_dirs() via\ncifs_mark_open_files_invalid(), which removes all cfids from the\ncfids-\u003eentries list but doesn\u0027t drop a ref if has_lease isn\u0027t true. This\nresults in the currently-being-constructed cfid not being on the list,\nbut still having a refcount of 2. It leaks if returned from\nopen_cached_dir().\n\nFix this by setting cfid-\u003ehas_lease when the ref is actually taken; the\ncfid will not be used by other threads until it has a valid time.\n\nAddresses these kmemleaks:\n\nunreferenced object 0xffff8881090c4000 (size 1024):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 32 bytes):\n    00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........\".......\n    00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff  ..E\"......O.....\n  backtrace (crc 6f58c20f):\n    [\u003cffffffff8b895a1e\u003e] __kmalloc_cache_noprof+0x2be/0x350\n    [\u003cffffffff8bda06e3\u003e] open_cached_dir+0x993/0x1fb0\n    [\u003cffffffff8bdaa750\u003e] cifs_readdir+0x15a0/0x1d50\n    [\u003cffffffff8b9a853f\u003e] iterate_dir+0x28f/0x4b0\n    [\u003cffffffff8b9a9aed\u003e] __x64_sys_getdents64+0xfd/0x200\n    [\u003cffffffff8cf6da05\u003e] do_syscall_64+0x95/0x1a0\n    [\u003cffffffff8d00012f\u003e] entry_SYSCALL_64_after_hwframe+0x76/0x7e\nunreferenced object 0xffff8881044fdcf8 (size 8):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 8 bytes):\n    00 cc cc cc cc cc cc cc                          ........\n  backtrace (crc 10c106a9):\n    [\u003cffffffff8b89a3d3\u003e] __kmalloc_node_track_caller_noprof+0x363/0x480\n    [\u003cffffffff8b7d7256\u003e] kstrdup+0x36/0x60\n    [\u003cffffffff8bda0700\u003e] open_cached_dir+0x9b0/0x1fb0\n    [\u003cffffffff8bdaa750\u003e] cifs_readdir+0x15a0/0x1d50\n    [\u003cffffffff8b9a853f\u003e] iterate_dir+0x28f/0x4b0\n    [\u003cffffffff8b9a9aed\u003e] __x64_sys_getdents64+0xfd/0x200\n    [\u003cffffffff8cf6da05\u003e] do_syscall_64+0x95/0x1a0\n    [\u003cffffffff8d00012f\u003e] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAnd addresses these BUG splats when unmounting the SMB filesystem:\n\nBUG: Dentry ffff888140590ba0{i=1000000000080,n=/}  still in use (2) [unmount of cifs cifs]\nWARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100\nModules linked in:\nCPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:umount_check+0xd0/0x100\nCode: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff \u003c0f\u003e 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41\nRSP: 0018:ffff88811cc27978 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40\nRBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3\nR10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08\nR13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0\nFS:  00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n d_walk+0x6a/0x530\n shrink_dcache_for_umount+0x6a/0x200\n generic_shutdown_super+0x52/0x2a0\n kill_anon_super+0x22/0x40\n cifs_kill_sb+0x159/0x1e0\n deactivate_locked_super+0x66/0xe0\n cleanup_mnt+0x140/0x210\n task_work_run+0xfb/0x170\n syscall_exit_to_user_mode+0x29f/0x2b0\n do_syscall_64+0xa1/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f23bfb93ae7\nCode: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:55:02.060Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31fabf70d58388d5475e48ca8a6b7d2847b36678"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d76332d783db12684b67592f1fb2057b88af4c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/73a57b25b4df23f22814fc06b7e8f9cf570be026"
        },
        {
          "url": "https://git.kernel.org/stable/c/7afb86733685c64c604d32faf00fa4a1f22c2ab1"
        }
      ],
      "title": "smb: Don\u0027t leak cfid when reconnect races with open_cached_dir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53178",
    "datePublished": "2024-12-27T13:49:22.085Z",
    "dateReserved": "2024-11-19T17:17:25.008Z",
    "dateUpdated": "2025-05-04T09:55:02.060Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21892 (GCVE-0-2025-21892)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 13:06

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix the recovery flow of the UMR QP This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1]. During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete. Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per the IB specification. This race condition can result in lost CQEs and tasks becoming stuck. To resolve this, the patch sends a final WR which serves only as a barrier before moving the QP state to RESET. Once a CQE is received for that final WR, it guarantees that no outstanding WRs remain, making it safe to transition the QP to RESET and subsequently back to RTS, restoring proper functionality. Note: For the barrier WR, we simply reuse the failed and ready WR. Since the QP is in an error state, it will only receive IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't care about its status. [1] INFO: task rdma_resource_l:1922 blocked for more than 120 seconds. Tainted: G W 6.12.0-rc7+ #1626 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369 flags:0x00004004 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 schedule_timeout+0x280/0x300 ? mark_held_locks+0x48/0x80 ? lockdep_hardirqs_on_prepare+0xe5/0x1a0 wait_for_completion+0x75/0x130 mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib] ? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib] mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib] __mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? __lock_acquire+0x64e/0x2080 ? mark_held_locks+0x48/0x80 ? find_held_lock+0x2d/0xa0 ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? __fget_files+0xc3/0x1b0 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f99c918b17b RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX: 00007f99c918b17b RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09: 000000000000bd7e R10: 00007f99c94c1c70 R11: 0000000000000246 R12: 00007ffc766d0530 R13: 000000000000001c R14: 0000000040246a80 R15: 0000000000000000 </TASK>

References

►

URL

Tags

	https://git.kernel.org/stable/c/3e3bf255992cc02404e9d209b127c1c9944239cf
	https://git.kernel.org/stable/c/1d2b84d8d054313deed2b2fcafe1168bbcb9e99f
	https://git.kernel.org/stable/c/d97505baea64d93538b16baf14ce7b8c1fbad746

Impacted products

Vendor

Product

Version

►

Linux

Version: 158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2
Version: 158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2
Version: 158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2
Version: d8f7bff9a42627d37f4ecffeb01e44db42167175

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/umr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3e3bf255992cc02404e9d209b127c1c9944239cf",
              "status": "affected",
              "version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
              "versionType": "git"
            },
            {
              "lessThan": "1d2b84d8d054313deed2b2fcafe1168bbcb9e99f",
              "status": "affected",
              "version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
              "versionType": "git"
            },
            {
              "lessThan": "d97505baea64d93538b16baf14ce7b8c1fbad746",
              "status": "affected",
              "version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d8f7bff9a42627d37f4ecffeb01e44db42167175",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/umr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix the recovery flow of the UMR QP\n\nThis patch addresses an issue in the recovery flow of the UMR QP,\nensuring tasks do not get stuck, as highlighted by the call trace [1].\n\nDuring recovery, before transitioning the QP to the RESET state, the\nsoftware must wait for all outstanding WRs to complete.\n\nFailing to do so can cause the firmware to skip sending some flushed\nCQEs with errors and simply discard them upon the RESET, as per the IB\nspecification.\n\nThis race condition can result in lost CQEs and tasks becoming stuck.\n\nTo resolve this, the patch sends a final WR which serves only as a\nbarrier before moving the QP state to RESET.\n\nOnce a CQE is received for that final WR, it guarantees that no\noutstanding WRs remain, making it safe to transition the QP to RESET and\nsubsequently back to RTS, restoring proper functionality.\n\nNote:\nFor the barrier WR, we simply reuse the failed and ready WR.\nSince the QP is in an error state, it will only receive\nIB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don\u0027t\ncare about its status.\n\n[1]\nINFO: task rdma_resource_l:1922 blocked for more than 120 seconds.\nTainted: G        W          6.12.0-rc7+ #1626\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:rdma_resource_l state:D stack:0  pid:1922 tgid:1922  ppid:1369\n     flags:0x00004004\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\nschedule_timeout+0x280/0x300\n? mark_held_locks+0x48/0x80\n? lockdep_hardirqs_on_prepare+0xe5/0x1a0\nwait_for_completion+0x75/0x130\nmlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]\n? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]\nmlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? __lock_acquire+0x64e/0x2080\n? mark_held_locks+0x48/0x80\n? find_held_lock+0x2d/0xa0\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? __fget_files+0xc3/0x1b0\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f99c918b17b\nRSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:\n     0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:\n     00007f99c918b17b\nRDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:\n     0000000000000003\nRBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:\n     000000000000bd7e\nR10: 00007f99c94c1c70 R11: 0000000000000246 R12:\n     00007ffc766d0530\nR13: 000000000000001c R14: 0000000040246a80 R15:\n     0000000000000000\n\u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:41.507Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3e3bf255992cc02404e9d209b127c1c9944239cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d2b84d8d054313deed2b2fcafe1168bbcb9e99f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d97505baea64d93538b16baf14ce7b8c1fbad746"
        }
      ],
      "title": "RDMA/mlx5: Fix the recovery flow of the UMR QP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21892",
    "datePublished": "2025-03-27T14:57:17.885Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-05-04T13:06:41.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21825 (GCVE-0-2025-21825)

Vulnerability from cvelistv5

Published

2025-03-06 16:04

Modified

2025-05-04 07:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens: BUG: scheduling while atomic: test_progs/676/0x00000003 3 locks held by test_progs/676: #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830 #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500 #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0 Modules linked in: bpf_testmod(O) Preemption disabled at: [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500 CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11 Tainted: [W]=WARN, [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)... Call Trace: <TASK> dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 __schedule_bug+0x120/0x170 __schedule+0x300c/0x4800 schedule_rtlock+0x37/0x60 rtlock_slowlock_locked+0x6d9/0x54c0 rt_spin_lock+0x168/0x230 hrtimer_cancel_wait_running+0xe9/0x1b0 hrtimer_cancel+0x24/0x30 bpf_timer_delete_work+0x1d/0x40 bpf_timer_cancel_and_free+0x5e/0x80 bpf_obj_free_fields+0x262/0x4a0 check_and_free_fields+0x1d0/0x280 htab_map_update_elem+0x7fc/0x1500 bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43 bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e bpf_prog_test_run_syscall+0x322/0x830 __sys_bpf+0x135d/0x3ca0 __x64_sys_bpf+0x75/0xb0 x64_sys_call+0x1b5/0xa10 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... </TASK> It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full. Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary. It is a bit hard to decide the right fix tag. One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT. Depends-on: v6.12+ with PREEMPT_RT enabled

References

►

URL

Tags

	https://git.kernel.org/stable/c/33e47d9573075342a41783a55c8c67bc71246fc1
	https://git.kernel.org/stable/c/fbeda3d939ca10063aafa7a77cc0f409d82cda88
	https://git.kernel.org/stable/c/58f038e6d209d2dd862fcf5de55407855856794d

Impacted products

Vendor

Product

Version

►

Linux

Version: b00628b1c7d595ae5b544e059c27b1f5828314b4
Version: b00628b1c7d595ae5b544e059c27b1f5828314b4
Version: b00628b1c7d595ae5b544e059c27b1f5828314b4

Linux

Version: 5.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "33e47d9573075342a41783a55c8c67bc71246fc1",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "fbeda3d939ca10063aafa7a77cc0f409d82cda88",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "58f038e6d209d2dd862fcf5de55407855856794d",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Cancel the running bpf_timer through kworker for PREEMPT_RT\n\nDuring the update procedure, when overwrite element in a pre-allocated\nhtab, the freeing of old_element is protected by the bucket lock. The\nreason why the bucket lock is necessary is that the old_element has\nalready been stashed in htab-\u003eextra_elems after alloc_htab_elem()\nreturns. If freeing the old_element after the bucket lock is unlocked,\nthe stashed element may be reused by concurrent update procedure and the\nfreeing of old_element will run concurrently with the reuse of the\nold_element. However, the invocation of check_and_free_fields() may\nacquire a spin-lock which violates the lockdep rule because its caller\nhas already held a raw-spin-lock (bucket lock). The following warning\nwill be reported when such race happens:\n\n  BUG: scheduling while atomic: test_progs/676/0x00000003\n  3 locks held by test_progs/676:\n  #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830\n  #1: ffff88810e961188 (\u0026htab-\u003elockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500\n  #2: ffff8881f4eac1b8 (\u0026base-\u003esoftirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0\n  Modules linked in: bpf_testmod(O)\n  Preemption disabled at:\n  [\u003cffffffff817837a3\u003e] htab_map_update_elem+0x293/0x1500\n  CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11\n  Tainted: [W]=WARN, [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...\n  Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x57/0x70\n  dump_stack+0x10/0x20\n  __schedule_bug+0x120/0x170\n  __schedule+0x300c/0x4800\n  schedule_rtlock+0x37/0x60\n  rtlock_slowlock_locked+0x6d9/0x54c0\n  rt_spin_lock+0x168/0x230\n  hrtimer_cancel_wait_running+0xe9/0x1b0\n  hrtimer_cancel+0x24/0x30\n  bpf_timer_delete_work+0x1d/0x40\n  bpf_timer_cancel_and_free+0x5e/0x80\n  bpf_obj_free_fields+0x262/0x4a0\n  check_and_free_fields+0x1d0/0x280\n  htab_map_update_elem+0x7fc/0x1500\n  bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43\n  bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e\n  bpf_prog_test_run_syscall+0x322/0x830\n  __sys_bpf+0x135d/0x3ca0\n  __x64_sys_bpf+0x75/0xb0\n  x64_sys_call+0x1b5/0xa10\n  do_syscall_64+0x3b/0xc0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  ...\n  \u003c/TASK\u003e\n\nIt seems feasible to break the reuse and refill of per-cpu extra_elems\ninto two independent parts: reuse the per-cpu extra_elems with bucket\nlock being held and refill the old_element as per-cpu extra_elems after\nthe bucket lock is unlocked. However, it will make the concurrent\noverwrite procedures on the same CPU return unexpected -E2BIG error when\nthe map is full.\n\nTherefore, the patch fixes the lock problem by breaking the cancelling\nof bpf_timer into two steps for PREEMPT_RT:\n1) use hrtimer_try_to_cancel() and check its return value\n2) if the timer is running, use hrtimer_cancel() through a kworker to\n   cancel it again\nConsidering that the current implementation of hrtimer_cancel() will try\nto acquire a being held softirq_expiry_lock when the current timer is\nrunning, these steps above are reasonable. However, it also has\ndownside. When the timer is running, the cancelling of the timer is\ndelayed when releasing the last map uref. The delay is also fixable\n(e.g., break the cancelling of bpf timer into two parts: one part in\nlocked scope, another one in unlocked scope), it can be revised later if\nnecessary.\n\nIt is a bit hard to decide the right fix tag. One reason is that the\nproblem depends on PREEMPT_RT which is enabled in v6.12. Considering the\nsoftirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced\nin v5.15, the bpf_timer commit is used in the fixes tag and an extra\ndepends-on tag is added to state the dependency on PREEMPT_RT.\n\nDepends-on: v6.12+ with PREEMPT_RT enabled"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:57.238Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/33e47d9573075342a41783a55c8c67bc71246fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbeda3d939ca10063aafa7a77cc0f409d82cda88"
        },
        {
          "url": "https://git.kernel.org/stable/c/58f038e6d209d2dd862fcf5de55407855856794d"
        }
      ],
      "title": "bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21825",
    "datePublished": "2025-03-06T16:04:31.576Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:57.238Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21796 (GCVE-0-2025-21796)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 07:21

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered.

References

►

URL

Tags

	https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa
	https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd
	https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3
	https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf
	https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510
	https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9
	https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136

Impacted products

Vendor

Product

Version

►

Linux

Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055

Linux

Version: 2.6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:11.080279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs2acl.c",
            "fs/nfsd/nfs3acl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a1737ae42c928384ab6447f6ee1a882510e85fa",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "6f7cfee1a316891890c505563aa54f3476db52fd",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "2e59b2b68782519560b3d6a41dd66a3d01a01cd3",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "55d947315fb5f67a35e4e1d3e01bb886b9c6decf",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "f8d871523142f7895f250a856f8c4a4181614510",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "1fd94884174bd20beb1773990fd3b1aa877688d9",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            },
            {
              "lessThan": "7faf14a7b0366f153284db0ad3347c457ea70136",
              "status": "affected",
              "version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs2acl.c",
            "fs/nfsd/nfs3acl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff \u003c0f\u003e 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS:  0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:24.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136"
        }
      ],
      "title": "nfsd: clear acl_access/acl_default after releasing them",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21796",
    "datePublished": "2025-02-27T02:18:32.191Z",
    "dateReserved": "2024-12-29T08:45:45.768Z",
    "dateUpdated": "2025-05-04T07:21:24.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21865 (GCVE-0-2025-21865)

Vulnerability from cvelistv5

Published

2025-03-12 09:42

Modified

2025-05-04 07:22

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: <TASK> [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl ---truncated---

References

►

URL

Tags

	https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc
	https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22
	https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657
	https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66
	https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b
	https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595
	https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af
	https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d

Impacted products

Vendor

Product

Version

►

Linux

Version: c986380c1d5274c4d5e935addc807d6791cc23eb
Version: 5f1678346109ff3a6d229d33437fcba3cce9209d
Version: 036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3
Version: efec287cbac92ac6ee8312a89221854760e13b34
Version: bb11f992f5a475bc68ef959f17a55306f0328495
Version: 86f73d4ab2f27deeff22ba9336ad103d94f12ac7
Version: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1
Version: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1

Linux

Version: 6.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f86fb07db65a470d0c11f79da551bd9466357dc",
              "status": "affected",
              "version": "c986380c1d5274c4d5e935addc807d6791cc23eb",
              "versionType": "git"
            },
            {
              "lessThan": "33eb925c0c26e86ca540a08254806512bf911f22",
              "status": "affected",
              "version": "5f1678346109ff3a6d229d33437fcba3cce9209d",
              "versionType": "git"
            },
            {
              "lessThan": "cb15bb1bde0ba97cbbed9508e45210dcafec3657",
              "status": "affected",
              "version": "036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3",
              "versionType": "git"
            },
            {
              "lessThan": "b70fa591b066d52b141fc430ffdee35b6cc87a66",
              "status": "affected",
              "version": "efec287cbac92ac6ee8312a89221854760e13b34",
              "versionType": "git"
            },
            {
              "lessThan": "9d03e7e37187ae140e716377599493987fb20c5b",
              "status": "affected",
              "version": "bb11f992f5a475bc68ef959f17a55306f0328495",
              "versionType": "git"
            },
            {
              "lessThan": "ff81b14010362f6188ca26fec22ff05e4da45595",
              "status": "affected",
              "version": "86f73d4ab2f27deeff22ba9336ad103d94f12ac7",
              "versionType": "git"
            },
            {
              "lessThan": "37e7644b961600ef0beb01d3970c3034a62913af",
              "status": "affected",
              "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
              "versionType": "git"
            },
            {
              "lessThan": "4ccacf86491d33d2486b62d4d44864d7101b299d",
              "status": "affected",
              "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.290",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.234",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.177",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "6.1.127",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "6.6.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket\u0027s netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger -\u003edellink() twice for the same device during\n-\u003eexit_batch_rtnl().\n\nSay we have two netns A \u0026 B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n  1. cleanup_net() processes netns A and then B.\n\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns A\u0027s gn-\u003egtp_dev_list and calls -\u003edellink().\n\n  [ device B is not yet unlinked from netns B\n    as unregister_netdevice_many() has not been called. ]\n\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns B\u0027s for_each_netdev() and calls -\u003edellink().\n\ngtp_dellink() cleans up the device\u0027s hash table, unlinks the dev from\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet\u0027s remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n \u003cTASK\u003e\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:48.497Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"
        },
        {
          "url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"
        },
        {
          "url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"
        }
      ],
      "title": "gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21865",
    "datePublished": "2025-03-12T09:42:21.901Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-05-04T07:22:48.497Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-3360 (GCVE-0-2025-3360)

Vulnerability from cvelistv5

Published

2025-04-07 12:53

Modified

2025-07-29 14:22

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-190 - Integer Overflow or Wraparound

Summary

A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.

References

►

URL

Tags

	https://access.redhat.com/security/cve/CVE-2025-3360	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2357754	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

►

Version: 0 ≤

Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3360",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T13:23:42.465415Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T18:29:26.350Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-14T12:04:48.978Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00024.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.gnome.org/GNOME/glib",
          "defaultStatus": "unaffected",
          "packageName": "glib",
          "versions": [
            {
              "lessThan": "2.82.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "bootc",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "glib2",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "glycin-loaders",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "loupe",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "mingw-glib2",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "glib2",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "glib2",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "glib2",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "librsvg2",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "mingw-glib2",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "bootc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "glib2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "librsvg2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "mingw-glib2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-04-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-29T14:22:11.859Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-3360"
        },
        {
          "name": "RHBZ#2357754",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2357754"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-07T01:36:36.703000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-04-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Glibc: glib prior to 2.82.5 is vulnerable to integer  overflow and buffer under-read when parsing a very long invalid iso  8601 timestamp with g_date_time_new_from_iso8601().",
      "workarounds": [
        {
          "lang": "en",
          "value": "Currently, no mitigation is available for this vulnerability."
        }
      ],
      "x_redhatCweChain": "CWE-190: Integer Overflow or Wraparound"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-3360",
    "datePublished": "2025-04-07T12:53:55.924Z",
    "dateReserved": "2025-04-07T01:50:45.607Z",
    "dateUpdated": "2025-07-29T14:22:11.859Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-52559 (GCVE-0-2024-52559)

Vulnerability from cvelistv5

Published

2025-02-27 02:18

Modified

2025-05-04 09:51

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32 values that come from the user via the submit_lookup_cmds() function. This addition could lead to an integer wrapping bug so use size_add() to prevent that. Patchwork: https://patchwork.freedesktop.org/patch/624696/

References

►

URL

Tags

	https://git.kernel.org/stable/c/2b99b2c4621d13bd4374ef384e8f1fc188d0a5df
	https://git.kernel.org/stable/c/2f1845e46c41ed500789d53dc45b383b7745c96c
	https://git.kernel.org/stable/c/e43a0f1327a1ee70754f8a0de6e0262cfa3e0b87
	https://git.kernel.org/stable/c/3a47f4b439beb98e955d501c609dfd12b7836d61

Impacted products

Vendor

Product

Version

►

Linux

Version: 198725337ef1f73b73e7dc953c6ffb0799f26ffe
Version: 198725337ef1f73b73e7dc953c6ffb0799f26ffe
Version: 198725337ef1f73b73e7dc953c6ffb0799f26ffe
Version: 198725337ef1f73b73e7dc953c6ffb0799f26ffe

Linux

Version: 3.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_gem_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b99b2c4621d13bd4374ef384e8f1fc188d0a5df",
              "status": "affected",
              "version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
              "versionType": "git"
            },
            {
              "lessThan": "2f1845e46c41ed500789d53dc45b383b7745c96c",
              "status": "affected",
              "version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
              "versionType": "git"
            },
            {
              "lessThan": "e43a0f1327a1ee70754f8a0de6e0262cfa3e0b87",
              "status": "affected",
              "version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
              "versionType": "git"
            },
            {
              "lessThan": "3a47f4b439beb98e955d501c609dfd12b7836d61",
              "status": "affected",
              "version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_gem_submit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()\n\nThe \"submit-\u003ecmd[i].size\" and \"submit-\u003ecmd[i].offset\" variables are u32\nvalues that come from the user via the submit_lookup_cmds() function.\nThis addition could lead to an integer wrapping bug so use size_add()\nto prevent that.\n\nPatchwork: https://patchwork.freedesktop.org/patch/624696/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:51:25.836Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b99b2c4621d13bd4374ef384e8f1fc188d0a5df"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f1845e46c41ed500789d53dc45b383b7745c96c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e43a0f1327a1ee70754f8a0de6e0262cfa3e0b87"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a47f4b439beb98e955d501c609dfd12b7836d61"
        }
      ],
      "title": "drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-52559",
    "datePublished": "2025-02-27T02:18:07.106Z",
    "dateReserved": "2025-02-27T02:16:34.059Z",
    "dateUpdated": "2025-05-04T09:51:25.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53163 (GCVE-0-2024-53163)

Vulnerability from cvelistv5

Published

2024-12-24 11:29

Modified

2025-05-04 09:54

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_420xx - fix off by one in uof_get_name() This is called from uof_get_name_420xx() where "num_objs" is the ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of bounds access.

References

►

URL

Tags

	https://git.kernel.org/stable/c/c23661a36eea840b657e485d48ed88b246da1bb8
	https://git.kernel.org/stable/c/91eef1ad75f03d37dba926b73f9dd6f058bc4d58
	https://git.kernel.org/stable/c/93a11608fb3720e1bc2b19a2649ac2b49cca1921

Impacted products

Vendor

Product

Version

►

Linux

Version: fcf60f4bcf54952cc14d14178c358be222dbeb43
Version: fcf60f4bcf54952cc14d14178c358be222dbeb43
Version: fcf60f4bcf54952cc14d14178c358be222dbeb43

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c23661a36eea840b657e485d48ed88b246da1bb8",
              "status": "affected",
              "version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
              "versionType": "git"
            },
            {
              "lessThan": "91eef1ad75f03d37dba926b73f9dd6f058bc4d58",
              "status": "affected",
              "version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
              "versionType": "git"
            },
            {
              "lessThan": "93a11608fb3720e1bc2b19a2649ac2b49cca1921",
              "status": "affected",
              "version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat/qat_420xx - fix off by one in uof_get_name()\n\nThis is called from uof_get_name_420xx() where \"num_objs\" is the\nARRAY_SIZE() of fw_objs[].  The \u003e needs to be \u003e= to prevent an out of\nbounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:37.480Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c23661a36eea840b657e485d48ed88b246da1bb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/91eef1ad75f03d37dba926b73f9dd6f058bc4d58"
        },
        {
          "url": "https://git.kernel.org/stable/c/93a11608fb3720e1bc2b19a2649ac2b49cca1921"
        }
      ],
      "title": "crypto: qat/qat_420xx - fix off by one in uof_get_name()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53163",
    "datePublished": "2024-12-24T11:29:19.315Z",
    "dateReserved": "2024-11-19T17:17:25.004Z",
    "dateUpdated": "2025-05-04T09:54:37.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21891 (GCVE-0-2025-21891)

Vulnerability from cvelistv5

Published

2025-03-27 14:57

Modified

2025-05-04 07:23

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline] ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651 ip6_route_output include/net/ip6_route.h:93 [inline] ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476 ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671 ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223 __netdev_start_xmit include/linux/netdevice.h:5150 [inline] netdev_start_xmit include/linux/netdevice.h:5159 [inline] xmit_one net/core/dev.c:3735 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751 sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343 qdisc_restart net/sched/sch_generic.c:408 [inline] __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416 qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127 net_tx_action+0x78b/0x940 net/core/dev.c:5484 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3132 [inline] packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164 sock_sendmsg_nosec net/socket.c:718 [inline]

References

►

URL

Tags

	https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf
	https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd
	https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c
	https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974
	https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef

Impacted products

Vendor

Product

Version

►

Linux

Version: 2ad7bf3638411cb547f2823df08166c13ab04269
Version: 2ad7bf3638411cb547f2823df08166c13ab04269
Version: 2ad7bf3638411cb547f2823df08166c13ab04269
Version: 2ad7bf3638411cb547f2823df08166c13ab04269
Version: 2ad7bf3638411cb547f2823df08166c13ab04269

Linux

Version: 3.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b8dea8d1612dc7151d2457d7d2e6a69820309bf",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "4ec48f812804f370f622e0874e6dd8fcc58241cd",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "5353fd89663c48f56bdff975c562cfe78b1a2e4c",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "e2a4f76a2d8a44816ecd25bcbdb47b786d621974",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "27843ce6ba3d3122b65066550fe33fb8839f8aef",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header isis present in skb-\u003ehead [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  ipv6_addr_type include/net/ipv6.h:555 [inline]\n  ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n  ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n  ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n  ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n  ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n  ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n  ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n  __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n  xmit_one net/core/dev.c:3735 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n  sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n  qdisc_restart net/sched/sch_generic.c:408 [inline]\n  __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n  qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n  net_tx_action+0x78b/0x940 net/core/dev.c:5484\n  handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n  __do_softirq+0x14/0x1a kernel/softirq.c:595\n  do_softirq+0x9a/0x100 kernel/softirq.c:462\n  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n  __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n  dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3132 [inline]\n  packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n  sock_sendmsg_nosec net/socket.c:718 [inline]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:27.454Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974"
        },
        {
          "url": "https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef"
        }
      ],
      "title": "ipvlan: ensure network headers are in skb linear part",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21891",
    "datePublished": "2025-03-27T14:57:17.267Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-05-04T07:23:27.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58080 (GCVE-0-2024-58080)

Vulnerability from cvelistv5

Published

2025-03-06 16:13

Modified

2025-05-04 10:09

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for the clock where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together.

References

►

URL

Tags

	https://git.kernel.org/stable/c/3daca9050857220726732ad9d4a8512069386f46
	https://git.kernel.org/stable/c/3ad28517385e2821e8e43388d6a0b3e1ba0bc3ab
	https://git.kernel.org/stable/c/2dba8d5d423fa5f6f3a687aa6e0da5808f69091b
	https://git.kernel.org/stable/c/a1f15808adfd77268eac7fefce5378ad9fedbfba
	https://git.kernel.org/stable/c/d4cdb196f182d2fbe336c968228be00d8c3fed05

Impacted products

Vendor

Product

Version

►

Linux

Version: 837519775f1d3945e3d4019641f7120d58325059
Version: 837519775f1d3945e3d4019641f7120d58325059
Version: 837519775f1d3945e3d4019641f7120d58325059
Version: 837519775f1d3945e3d4019641f7120d58325059
Version: 837519775f1d3945e3d4019641f7120d58325059

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/qcom/dispcc-sm6350.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3daca9050857220726732ad9d4a8512069386f46",
              "status": "affected",
              "version": "837519775f1d3945e3d4019641f7120d58325059",
              "versionType": "git"
            },
            {
              "lessThan": "3ad28517385e2821e8e43388d6a0b3e1ba0bc3ab",
              "status": "affected",
              "version": "837519775f1d3945e3d4019641f7120d58325059",
              "versionType": "git"
            },
            {
              "lessThan": "2dba8d5d423fa5f6f3a687aa6e0da5808f69091b",
              "status": "affected",
              "version": "837519775f1d3945e3d4019641f7120d58325059",
              "versionType": "git"
            },
            {
              "lessThan": "a1f15808adfd77268eac7fefce5378ad9fedbfba",
              "status": "affected",
              "version": "837519775f1d3945e3d4019641f7120d58325059",
              "versionType": "git"
            },
            {
              "lessThan": "d4cdb196f182d2fbe336c968228be00d8c3fed05",
              "status": "affected",
              "version": "837519775f1d3945e3d4019641f7120d58325059",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/qcom/dispcc-sm6350.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: dispcc-sm6350: Add missing parent_map for a clock\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we\u0027ll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n  [    3.388105] Call trace:\n  [    3.390664]  qcom_find_src_index+0x3c/0x70 (P)\n  [    3.395301]  qcom_find_src_index+0x1c/0x70 (L)\n  [    3.399934]  _freq_tbl_determine_rate+0x48/0x100\n  [    3.404753]  clk_rcg2_determine_rate+0x1c/0x28\n  [    3.409387]  clk_core_determine_round_nolock+0x58/0xe4\n  [    3.421414]  clk_core_round_rate_nolock+0x48/0xfc\n  [    3.432974]  clk_core_round_rate_nolock+0xd0/0xfc\n  [    3.444483]  clk_core_set_rate_nolock+0x8c/0x300\n  [    3.455886]  clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for the clock where it\u0027s missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:31.843Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3daca9050857220726732ad9d4a8512069386f46"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ad28517385e2821e8e43388d6a0b3e1ba0bc3ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dba8d5d423fa5f6f3a687aa6e0da5808f69091b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1f15808adfd77268eac7fefce5378ad9fedbfba"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4cdb196f182d2fbe336c968228be00d8c3fed05"
        }
      ],
      "title": "clk: qcom: dispcc-sm6350: Add missing parent_map for a clock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58080",
    "datePublished": "2025-03-06T16:13:43.414Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-05-04T10:09:31.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-50152 (GCVE-0-2024-50152)

Vulnerability from cvelistv5

Published

2024-11-07 09:31

Modified

2025-05-04 09:47

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix possible double free in smb2_set_ea() Clang static checker(scan-build) warning： fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. 1304 | kfree(ea); | ^~~~~~~~~ There is a double free in such case: 'ea is initialized to NULL' -> 'first successful memory allocation for ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' -> 'goto replay_again' -> 'second goto sea_exit before allocate memory for ea' -> 'second memory release for ea resulted in double free'. Re-initialie 'ea' to NULL near to the replay_again label, it can fix this double free problem.

References

►

URL

Tags

	https://git.kernel.org/stable/c/b1813c220b76f60b1727984794377c4aa849d4c1
	https://git.kernel.org/stable/c/c9f758ecf2562dfdd4adf12c22921b5de8366123
	https://git.kernel.org/stable/c/19ebc1e6cab334a8193398d4152deb76019b5d34

Impacted products

Vendor

Product

Version

►

Linux

Version: 433042a91f9373241307725b52de573933ffedbf
Version: 4f1fffa2376922f3d1d506e49c0fd445b023a28e
Version: 4f1fffa2376922f3d1d506e49c0fd445b023a28e

Linux

Version: 6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1813c220b76f60b1727984794377c4aa849d4c1",
              "status": "affected",
              "version": "433042a91f9373241307725b52de573933ffedbf",
              "versionType": "git"
            },
            {
              "lessThan": "c9f758ecf2562dfdd4adf12c22921b5de8366123",
              "status": "affected",
              "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
              "versionType": "git"
            },
            {
              "lessThan": "19ebc1e6cab334a8193398d4152deb76019b5d34",
              "status": "affected",
              "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.59",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix possible double free in smb2_set_ea()\n\nClang static checker(scan-build) warning\uff1a\nfs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.\n 1304 |         kfree(ea);\n      |         ^~~~~~~~~\n\nThere is a double free in such case:\n\u0027ea is initialized to NULL\u0027 -\u003e \u0027first successful memory allocation for\nea\u0027 -\u003e \u0027something failed, goto sea_exit\u0027 -\u003e \u0027first memory release for ea\u0027\n-\u003e \u0027goto replay_again\u0027 -\u003e \u0027second goto sea_exit before allocate memory\nfor ea\u0027 -\u003e \u0027second memory release for ea resulted in double free\u0027.\n\nRe-initialie \u0027ea\u0027 to NULL near to the replay_again label, it can fix this\ndouble free problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:47:22.979Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1813c220b76f60b1727984794377c4aa849d4c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9f758ecf2562dfdd4adf12c22921b5de8366123"
        },
        {
          "url": "https://git.kernel.org/stable/c/19ebc1e6cab334a8193398d4152deb76019b5d34"
        }
      ],
      "title": "smb: client: fix possible double free in smb2_set_ea()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50152",
    "datePublished": "2024-11-07T09:31:28.733Z",
    "dateReserved": "2024-10-21T19:36:19.959Z",
    "dateUpdated": "2025-05-04T09:47:22.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

wid-sec-w-2025-1439

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature

Action not permitted

wid-sec-w-2025-1439

Vulnerability from csaf_certbund

CVE-2024-53057 (GCVE-0-2024-53057)

Vulnerability from cvelistv5

CVE-2024-50294 (GCVE-0-2024-50294)

Vulnerability from cvelistv5

CVE-2023-52831 (GCVE-0-2023-52831)

Vulnerability from cvelistv5

CVE-2025-21793 (GCVE-0-2025-21793)

Vulnerability from cvelistv5

CVE-2025-21859 (GCVE-0-2025-21859)

Vulnerability from cvelistv5

CVE-2025-21858 (GCVE-0-2025-21858)

Vulnerability from cvelistv5

CVE-2024-57974 (GCVE-0-2024-57974)

Vulnerability from cvelistv5

CVE-2025-21779 (GCVE-0-2025-21779)

Vulnerability from cvelistv5

CVE-2024-56720 (GCVE-0-2024-56720)

Vulnerability from cvelistv5

CVE-2024-57948 (GCVE-0-2024-57948)

Vulnerability from cvelistv5

CVE-2024-58078 (GCVE-0-2024-58078)

Vulnerability from cvelistv5

CVE-2025-21711 (GCVE-0-2025-21711)

Vulnerability from cvelistv5

CVE-2025-21802 (GCVE-0-2025-21802)

Vulnerability from cvelistv5

CVE-2025-21870 (GCVE-0-2025-21870)

Vulnerability from cvelistv5

CVE-2024-10041 (GCVE-0-2024-10041)

Vulnerability from cvelistv5

CVE-2024-50185 (GCVE-0-2024-50185)

Vulnerability from cvelistv5

CVE-2025-27219 (GCVE-0-2025-27219)

Vulnerability from cvelistv5

CVE-2024-12243 (GCVE-0-2024-12243)

Vulnerability from cvelistv5

CVE-2025-21727 (GCVE-0-2025-21727)

Vulnerability from cvelistv5

CVE-2025-21706 (GCVE-0-2025-21706)

Vulnerability from cvelistv5

CVE-2024-57900 (GCVE-0-2024-57900)

Vulnerability from cvelistv5

CVE-2025-27113 (GCVE-0-2025-27113)

Vulnerability from cvelistv5

CVE-2025-1795 (GCVE-0-2025-1795)

Vulnerability from cvelistv5

CVE-2025-21848 (GCVE-0-2025-21848)

Vulnerability from cvelistv5

CVE-2025-21754 (GCVE-0-2025-21754)

Vulnerability from cvelistv5

CVE-2025-47268 (GCVE-0-2025-47268)

Vulnerability from cvelistv5

CVE-2023-46316 (GCVE-0-2023-46316)

Vulnerability from cvelistv5

CVE-2025-21773 (GCVE-0-2025-21773)

Vulnerability from cvelistv5

CVE-2024-56719 (GCVE-0-2024-56719)

Vulnerability from cvelistv5

CVE-2025-21799 (GCVE-0-2025-21799)

Vulnerability from cvelistv5

CVE-2024-41077 (GCVE-0-2024-41077)

Vulnerability from cvelistv5

CVE-2024-58054 (GCVE-0-2024-58054)

Vulnerability from cvelistv5

CVE-2025-21673 (GCVE-0-2025-21673)

Vulnerability from cvelistv5

CVE-2025-21714 (GCVE-0-2025-21714)

Vulnerability from cvelistv5

CVE-2025-21742 (GCVE-0-2025-21742)

Vulnerability from cvelistv5

CVE-2025-21749 (GCVE-0-2025-21749)

Vulnerability from cvelistv5

CVE-2025-21819 (GCVE-0-2025-21819)

Vulnerability from cvelistv5

CVE-2025-31335 (GCVE-0-2025-31335)

Vulnerability from cvelistv5

CVE-2024-50029 (GCVE-0-2024-50029)