{"cves":[{"cve_id":"CVE-2026-25506","summary":"MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, a local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"epss":0.00019,"ranking_epss":0.05033,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812","https://github.com/dun/munge/releases/tag/munge-0.5.18","https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh","http://www.openwall.com/lists/oss-security/2026/02/10/3","http://www.openwall.com/lists/oss-security/2026/02/17/6","https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html"],"published_time":"2026-02-10T19:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-64098","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. 
If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by tampering with the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.0002,"ranking_epss":0.05202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f","https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b","https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a","https://security-tracker.debian.org/tracker/CVE-2025-64098"],"published_time":"2026-02-03T20:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62602","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. 
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.0002,"ranking_epss":0.05202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f","https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b","https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a","https://security-tracker.debian.org/tracker/CVE-2025-62602"],"published_time":"2026-02-03T20:15:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62603","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. 
Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00051,"ranking_epss":0.16158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f","https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b","https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a","https://security-tracker.debian.org/tracker/CVE-2025-62603"],"published_time":"2026-02-03T20:15:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62799","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are crafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code writes past the end of the allocated payload buffer, causing an immediate crash (DoS) and potentially enabling memory corruption (RCE risk). 
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00022,"ranking_epss":0.05932,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46","https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514","https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659","https://security-tracker.debian.org/tracker/CVE-2025-62799"],"published_time":"2026-02-03T20:15:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62600","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. 
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00019,"ranking_epss":0.05018,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f","https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b","https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a","https://security-tracker.debian.org/tracker/CVE-2025-62600"],"published_time":"2026-02-03T19:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-62599","summary":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. 
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00019,"ranking_epss":0.05018,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f","https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b","https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a","https://security-tracker.debian.org/tracker/CVE-2025-62599"],"published_time":"2026-02-03T18:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25061","summary":"tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is possible but not confirmed. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of the time of publication, no known patches are available.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00054,"ranking_epss":0.1711,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6","https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"],"published_time":"2026-01-29T22:15:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24765","summary":"PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. 
The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, and 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. 
Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00106,"ranking_epss":0.28803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda","https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63","https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50","https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8","https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52","https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33","https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p","https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html"],"published_time":"2026-01-27T22:15:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-68670","summary":"xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. 
Additionally, do not rely on stack canary protection on production systems.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.00118,"ranking_epss":0.30824,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa","https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5","https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f","https://lists.debian.org/debian-lts-announce/2026/02/msg00003.html"],"published_time":"2026-01-27T16:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24061","summary":"telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.87007,"ranking_epss":0.99431,"kev":true,"propose_action":"GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a \"-f root\" value for the USER environment 
variable.","ransomware_campaign":"Unknown","references":["https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc","https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b","https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html","https://www.gnu.org/software/inetutils/","https://www.openwall.com/lists/oss-security/2026/01/20/2","https://www.openwall.com/lists/oss-security/2026/01/20/8","https://www.vicarius.io/vsociety/posts/cve-2026-24061-detection-script-remote-authentication-bypass-in-gnu-inetutils-package","https://www.vicarius.io/vsociety/posts/cve-2026-24061-mitigation-script-remote-authentication-bypass-in-gnu-inetutils-package","http://www.openwall.com/lists/oss-security/2026/01/22/1","https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061","https://www.labs.greynoise.io/grimoire/2026-01-22-f-around-and-find-out-18-hours-of-unsolicited-houseguests/index.html","https://www.openwall.com/lists/oss-security/2026/01/20/2#:~:text=root@...a%3A~%20USER='"],"published_time":"2026-01-21T07:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23490","summary":"pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. 
This vulnerability is fixed in 0.6.2.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00021,"ranking_epss":0.05618,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970","https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2","https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq","https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html"],"published_time":"2026-01-16T19:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-68615","summary":"net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00228,"ranking_epss":0.45524,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq","http://www.openwall.com/lists/oss-security/2026/01/09/2","https://lists.debian.org/debian-lts-announce/2026/01/msg00000.html","https://www.vicarius.io/vsociety/posts/cve-2025-68615-detection-script-buffer-overflow-vulnerability-affecting-net-snmp","https://www.vicarius.io/vsociety/posts/cve-2025-68615-mitigation-script-buffer-overflow-vulnerability-affecting-net-snmp"],"published_time":"2025-12-23T00:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-6966","summary":"NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 
key.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04426,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865","https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html"],"published_time":"2025-12-05T13:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-63498","summary":"alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the \"userName\" parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.00089,"ranking_epss":0.25478,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c","https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4","https://github.com/xryptoh/CVE-2025-63498","https://lists.debian.org/debian-lts-announce/2025/11/msg00029.html"],"published_time":"2025-11-24T21:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-64512","summary":"Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. 
Version 20251107 fixes the issue.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"epss":0.00094,"ranking_epss":0.26299,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086","https://github.com/pdfminer/pdfminer.six/releases/tag/20251107","https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp","https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html","https://lists.debian.org/debian-lts-announce/2026/01/msg00005.html","https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"],"published_time":"2025-11-10T22:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-10934","summary":"GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-27823.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00058,"ranking_epss":0.18241,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/5c3e2122d53869599d77ef0f1bdece117b24fd7c","https://www.zerodayinitiative.com/advisories/ZDI-25-978/","https://lists.debian.org/debian-lts-announce/2025/11/msg00005.html"],"published_time":"2025-10-29T20:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-10921","summary":"GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27803.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00058,"ranking_epss":0.18241,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gegl/-/commit/0e68b7471dabf2800d780819c19bd5e6462f565f","https://www.zerodayinitiative.com/advisories/ZDI-25-910/","https://lists.debian.org/debian-lts-announce/2025/10/msg00021.html"],"published_time":"2025-10-29T20:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-10922","summary":"GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27863.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00077,"ranking_epss":0.23142,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/3d909166463731e94dfe62042d76225ecfc4c1e4","https://www.zerodayinitiative.com/advisories/ZDI-25-911/","https://lists.debian.org/debian-lts-announce/2025/10/msg00022.html"],"published_time":"2025-10-29T20:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39920","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Add error handling for add_interval() in do_validate_mem()\n\nIn the do_validate_mem(), the call to add_interval() does not\nhandle errors. If kmalloc() fails in add_interval(), it could\nresult in a null pointer being inserted into the linked list,\nleading to illegal memory access when sub_interval() is called\nnext.\n\nThis patch adds an error handling for the add_interval(). 
If\nadd_interval() returns an error, the function will return early\nwith the error code.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":9e-05,"ranking_epss":0.00915,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06b26e3099207c94b3d1be8565aedc6edc4f0a60","https://git.kernel.org/stable/c/289b58f8ff3198d091074a751d6b8f6827726f3e","https://git.kernel.org/stable/c/369bf6e241506583f4ee7593c53b92e5a9f271b4","https://git.kernel.org/stable/c/4a81f78caa53e0633cf311ca1526377d9bff7479","https://git.kernel.org/stable/c/5b60ed401b47897352c520bc724c85aa908dedcc","https://git.kernel.org/stable/c/85be7ef8c8e792a414940a38d94565dd48d2f236","https://git.kernel.org/stable/c/8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b","https://git.kernel.org/stable/c/ae184024ef31423e5beb44cf4f52999bbcf2fe5b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39923","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don't have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. 
Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It's safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3","https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2","https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053","https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f","https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d","https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4","https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c","https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39911","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. 
However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n  <TASK>\n  free_irq+0x32/0x70\n  i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n  i40e_vsi_request_irq+0x79/0x80 [i40e]\n  i40e_vsi_open+0x21f/0x2f0 [i40e]\n  i40e_open+0x63/0x130 [i40e]\n  __dev_open+0xfc/0x210\n  __dev_change_flags+0x1fc/0x240\n  netif_change_flags+0x27/0x70\n  do_setlink.isra.0+0x341/0xc70\n  rtnl_newlink+0x468/0x860\n  rtnetlink_rcv_msg+0x375/0x450\n  netlink_rcv_skb+0x5c/0x110\n  netlink_unicast+0x288/0x3c0\n  netlink_sendmsg+0x20d/0x430\n  ____sys_sendmsg+0x3a2/0x3d0\n  ___sys_sendmsg+0x99/0xe0\n  __sys_sendmsg+0x8a/0xf0\n  do_syscall_64+0x82/0x2c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail 
intentionally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89","https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98","https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df","https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3","https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c","https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315","https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85","https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39913","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n  1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n  2. Attach the prog to a SOCKMAP\n  3. Add a socket to the SOCKMAP\n  4. Activate fault injection\n  5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock->cork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk->sk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock->cork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. 
It fails to allocate psock->cork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS:  00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n <IRQ>\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n 
</IRQ>","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0002,"ranking_epss":0.05245,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05366527f44cf4b884f3d9462ae8009be9665856","https://git.kernel.org/stable/c/08f58d10f5abf11d297cc910754922498c921f91","https://git.kernel.org/stable/c/539920180c55f5e13a2488a2339f94e6b8cb69e0","https://git.kernel.org/stable/c/66bcb04a441fbf15d66834b7e3eefb313dd750c8","https://git.kernel.org/stable/c/7429b8b9bfbc276fd304fbaebc405f46b421fedf","https://git.kernel.org/stable/c/9c2a6456bdf9794474460d885c359b6c4522d6e3","https://git.kernel.org/stable/c/a3967baad4d533dc254c31e0d221e51c8d223d58","https://git.kernel.org/stable/c/de89e58368f8f07df005ecc1c86ad94898a999f2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39914","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fails in trace_pid_write\n\nSyzkaller trigger a fault injection warning:\n\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\nModules linked in:\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\nTainted: [U]=USER\nHardware name: Google Compute Engine/Google Compute Engine\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\nFS:  00007f27217f66c0(0000) GS:ffff8880b8700000(0000) 
knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\n vfs_write+0x24c/0x1150 fs/read_write.c:677\n ksys_write+0x12b/0x250 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe can reproduce the warning by following the steps below:\n1. echo 8 >> set_event_notrace_pid. Let tr->filtered_pids own one pid\n   and register the sched_switch tracepoint.\n2. echo ' ' >> set_event_pid, and perform fault injection during chunk\n   allocation of trace_pid_list_alloc. Let pid_list have no pid and\n   assign it to tr->filtered_pids.\n3. echo ' ' >> set_event_pid. Let pid_list be NULL and assign it to\n   tr->filtered_pids.\n4. echo 9 >> set_event_pid, which will trigger the double-register\n   sched_switch tracepoint warning.\n\nThe reason is that syzkaller injects a fault into the chunk allocation\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\nmay trigger a double register of the same tracepoint. 
This only occurs\nwhen the system is about to crash, but to suppress this warning, let's\nadd failure handling logic to trace_pid_list_set.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1262bda871dace8c6efae25f3b6a2d34f6f06d54","https://git.kernel.org/stable/c/7583a73c53f1d1ae7a39b130eb7190a11f0a902f","https://git.kernel.org/stable/c/793338906ff57d8c683f44fe48ca99d49c8782a7","https://git.kernel.org/stable/c/88525accf16947ab459f8e91c27c8c53e1d612d7","https://git.kernel.org/stable/c/cd4453c5e983cf1fd5757e9acb915adb1e4602b6","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39916","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()\n\nWhen creating a new scheme of DAMON_RECLAIM, the calculation of\n'min_age_region' uses 'aggr_interval' as the divisor, which may lead to\ndivision-by-zero errors.  
Fix it by directly returning -EINVAL when such a\ncase occurs.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1","https://git.kernel.org/stable/c/5d6eeb3c683c777ed4538eb3a650bb7da17a7cff","https://git.kernel.org/stable/c/64dc351e58271c1e9005e42f5216b4f3d7a39b66","https://git.kernel.org/stable/c/9fe0415156fbde773b31f920201cb70b1f0e40fe","https://git.kernel.org/stable/c/e6b543ca9806d7bced863f43020e016ee996c057","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39907","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[    4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren't supported\n[    4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[    4.097071] Modules linked in:\n[    4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[    4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[    4.118824] Workqueue: events_unbound deferred_probe_work_func\n[    4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    4.131624] pc : add_dma_entry+0x23c/0x300\n[    4.135658] lr : add_dma_entry+0x23c/0x300\n[    4.139792] sp : ffff800009dbb490\n[    4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[    4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[    4.157231] x23: 00000000ffffffff x22: 
0000000000000000 x21: ffff8000098a6a20\n[    4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[    4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[    4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[    4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[    4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[    4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[    4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[    4.214185] Call trace:\n[    4.216605]  add_dma_entry+0x23c/0x300\n[    4.220338]  debug_dma_map_sg+0x198/0x350\n[    4.224373]  __dma_map_sg_attrs+0xa0/0x110\n[    4.228411]  dma_map_sg_attrs+0x10/0x2c\n[    4.232247]  stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[    4.237088]  stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[    4.242127]  nand_read_oob+0x1d4/0x8e0\n[    4.245861]  mtd_read_oob_std+0x58/0x84\n[    4.249596]  mtd_read_oob+0x90/0x150\n[    4.253231]  
mtd_read+0x68/0xac","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06d8ef8f853752fea88c8d5bb093a40e71b330cf","https://git.kernel.org/stable/c/26adba1e7d7924174e15a3ba4b1132990786300b","https://git.kernel.org/stable/c/513c40e59d5a414ab763a9c84797534b5e8c208d","https://git.kernel.org/stable/c/75686c49574dd5f171ca682c18717787f1d8d55e","https://git.kernel.org/stable/c/dc1c6e60993b93b87604eb11266ac72e1a3be9e0","https://git.kernel.org/stable/c/dfe2ac47a6ee0ab50393694517c54ef1e276dda3","https://git.kernel.org/stable/c/e32a2ea52b51368774d014e5bcd9b86110a2b727","https://git.kernel.org/stable/c/f6fd98d961fa6f97347cead4f08ed862cbbb91ff","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39909","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()\n\nPatch series \"mm/damon: avoid divide-by-zero in DAMON module's parameters\napplication\".\n\nDAMON's RECLAIM and LRU_SORT modules perform no validation on\nuser-configured parameters during application, which may lead to\ndivision-by-zero errors.\n\nAvoid the divide-by-zero by adding validation checks when DAMON modules\nattempt to apply the parameters.\n\n\nThis patch (of 2):\n\nDuring the calculation of 'hot_thres' and 'cold_thres', either\n'sample_interval' or 'aggr_interval' is used as the divisor, which may\nlead to division-by-zero errors.  Fix it by directly returning -EINVAL\nwhen such a case occurs.  
Additionally, since 'aggr_interval' is already\nrequired to be set no smaller than 'sample_interval' in damon_set_attrs(),\nonly the case where 'sample_interval' is zero needs to be checked.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/326a4b3750c71af3f3c52399ec4dbe33b6da4c26","https://git.kernel.org/stable/c/711f19dfd783ffb37ca4324388b9c4cb87e71363","https://git.kernel.org/stable/c/74e391f7da7d9d5235a3cca88ee9fc18f720c75b","https://git.kernel.org/stable/c/7bb675c9f0257840d33e5d1337d7e3afdd74a6bf","https://git.kernel.org/stable/c/af0ae62b935317bed1a1361c8c9579db9d300e70","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39902","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. 
The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f","https://git.kernel.org/stable/c/1f0797f17927b5cad0fb7eced422f9a7c30a3191","https://git.kernel.org/stable/c/3baa1da473e6e50281324ff1d332d1a07a3bb02e","https://git.kernel.org/stable/c/7e287256904ee796c9477e3ec92b07f236481ef3","https://git.kernel.org/stable/c/872f2c34ff232af1e65ad2df86d61163c8ffad42","https://git.kernel.org/stable/c/b4efccec8d06ceb10a7d34d7b1c449c569d53770","https://git.kernel.org/stable/c/dda6ec365ab04067adae40ef17015db447e90736","https://git.kernel.org/stable/c/f66012909e7bf383fcdc5850709ed5716073fdc4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39891","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter->chan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out\nmemory.  The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here.  What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn't necessarily\ninitialize the whole array.  
Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small.  It's a maximum of 900 bytes so it's\nmore appropriate to use kcalloc() instead of vmalloc().","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475","https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9","https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b","https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659","https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc","https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111","https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65","https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39894","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm\n\nWhen sending a broadcast packet to a tap device, which was added to a bridge,\nbr_nf_local_in() is called to confirm the conntrack. 
If another conntrack\nwith the same hash value is added to the hash table, which can be\ntriggered by a normal packet to a non-bridge device, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200\n  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)\n  RIP: 0010:br_nf_local_in+0x168/0x200\n  Call Trace:\n   <TASK>\n   nf_hook_slow+0x3e/0xf0\n   br_pass_frame_up+0x103/0x180\n   br_handle_frame_finish+0x2de/0x5b0\n   br_nf_hook_thresh+0xc0/0x120\n   br_nf_pre_routing_finish+0x168/0x3a0\n   br_nf_pre_routing+0x237/0x5e0\n   br_handle_frame+0x1ec/0x3c0\n   __netif_receive_skb_core+0x225/0x1210\n   __netif_receive_skb_one_core+0x37/0xa0\n   netif_receive_skb+0x36/0x160\n   tun_get_user+0xa54/0x10c0\n   tun_chr_write_iter+0x65/0xb0\n   vfs_write+0x305/0x410\n   ksys_write+0x60/0xd0\n   do_syscall_64+0xa4/0x260\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nTo solve the hash conflict, nf_ct_resolve_clash() tries to merge the\nconntracks, and updates skb->_nfct. However, br_nf_local_in() still uses the\nold ct from local variable 'nfct' after confirm(), which leads to this\nwarning.\n\nIf confirm() does not insert the conntrack entry and returns NF_DROP, the\nwarning may also occur. 
There is no need to reserve the WARN_ON_ONCE, just\nremove it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576","https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0","https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe","https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6","https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94","https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-10-01T08:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-41244","summary":"VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00436,"ranking_epss":0.62977,"kev":true,"propose_action":"Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. 
A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.","ransomware_campaign":"Unknown","references":["http://support.broadcom.com/group/ecx/support-content-view/-/support-content/Security%20Advisories/VMSA-2025-0015--VMware-Aria-Operations-and-VMware-Tools-updates-address-multiple-vulnerabilities--CVE-2025-41244-CVE-2025-41245--CVE-2025-41246-/36149","http://www.openwall.com/lists/oss-security/2025/09/29/10","https://lists.debian.org/debian-lts-announce/2025/10/msg00000.html","https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/","https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-41244"],"published_time":"2025-09-29T17:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39883","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) 
knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n </TASK>\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered.  
This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline > /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a","https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96","https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0","https://git.kernel.org/stable/c/8e01ea186a52c90694c08a9ff57bea1b0e78256a","https://git.kernel.org/stable/c/99f7048957f5ae3cee1c01189147e73a9a96de02","https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da","https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6","https://git.kernel.org/stable/c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39885","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n   __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n   __schedule_loop kernel/sched/core.c:7043 [inline]\n   schedule+0x165/0x360 kernel/sched/core.c:7058\n   schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n   
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n   __down_write_common kernel/locking/rwsem.c:1317 [inline]\n   __down_write kernel/locking/rwsem.c:1326 [inline]\n   down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n   ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n   do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n   wp_page_shared mm/memory.c:3762 [inline]\n   do_wp_page+0x268d/0x5800 mm/memory.c:3981\n   handle_pte_fault mm/memory.c:6068 [inline]\n   __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n   handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n   do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n   handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n   exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n   asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n   copy_to_user include/linux/uaccess.h:225 [inline]\n   fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n   ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n   ioctl_fiemap fs/ioctl.c:220 [inline]\n   do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n   __do_sys_ioctl fs/ioctl.c:596 [inline]\n   __se_sys_ioctl+0x82/0x170 
fs/ioctl.c:584\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable.  The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore.  This recursive semaphore will hold filesystem locks and causes\na hang of the filesystem.\n\nThe ip_alloc_sem protects the inode extent list and size.  Release the\nread semaphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline().  
This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05104,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d","https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a","https://git.kernel.org/stable/c/16e518ca84dfe860c20a62f3615e14e8af0ace57","https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e","https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02","https://git.kernel.org/stable/c/7e1514bd44ef68007703c752c99ff7319f35bce6","https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f","https://git.kernel.org/stable/c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39876","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing 
phy_dev.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798","https://git.kernel.org/stable/c/20a3433d31c2d2bf70ab0abec75f3136b42ae66c","https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5","https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752","https://git.kernel.org/stable/c/8c60d12bba14dc655d2d948b1dbf390b3ae39cb8","https://git.kernel.org/stable/c/93a699d6e92cfdfa9eb9dbb8c653b5322542ca4f","https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541","https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39877","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix use-after-free in state_show()\n\nstate_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. 
\nThis allows a use-after-free race:\n\nCPU 0                         CPU 1\n-----                         -----\nstate_show()                  damon_sysfs_turn_damon_on()\nctx = kdamond->damon_ctx;     mutex_lock(&damon_sysfs_lock);\n                              damon_destroy_ctx(kdamond->damon_ctx);\n                              kdamond->damon_ctx = NULL;\n                              mutex_unlock(&damon_sysfs_lock);\ndamon_is_running(ctx);        /* ctx is freed */\nmutex_lock(&ctx->kdamond_lock); /* UAF */\n\n(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and\ndamon_sysfs_kdamond_release(), which free or replace the context under\ndamon_sysfs_lock.)\n\nFix by taking damon_sysfs_lock before dereferencing the context, mirroring\nthe locking used in pid_show().\n\nThe bug has existed since state_show() first accessed kdamond->damon_ctx.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4c","https://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cff","https://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50e","https://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58ce","https://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39880","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con->v1 union member without\nchecking that the union member is active (i.e. 
msgr1 is in use).\n\nOn 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use.  This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that\nit's being written to can cause more serious consequences, but luckily\nit's not something that happens often.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8","https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983","https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5","https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef","https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371","https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39881","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 
1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 > test/cgroup.pressure\n3. Re-enable monitoring: echo 1 > test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:\n   - Releases PSI triggers via cgroup_file_release()\n   - Frees of->priv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 > cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft->release(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 > cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. 
Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79","https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f","https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f","https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77","https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39869","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. 
The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n  queue_priority_map[i][0] = i;\n  queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0002,"ranking_epss":0.05399,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b","https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc","https://git.kernel.org/stable/c/301a96cc4dc006c9a285913d301e681cfbf7edb6","https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93","https://git.kernel.org/stable/c/7d4de60d6db02d9b01d5890d5156b04fad65d07a","https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5","https://git.kernel.org/stable/c/d722de80ce037dccf6931e778f4a46499d51bdf9","https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39870","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle.  It's simpler to just re-write it in a cleaner\nway.  
The issues here are:\n\n1) If \"idxd->max_wqs\" is <= 0 then we call put_device(conf_dev) when\n   \"conf_dev\" hasn't been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid.  It's\n   either uninitialized or it points to the \"conf_dev\" from the\n   previous iteration so it leads to a double free.\n\nIt's better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations.  I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31","https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606","https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1","https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9","https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39873","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far 
enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03249,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a","https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7","https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f","https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c","https://git.kernel.org/stable/c/e202ffd9e54538ef67ec301ebd6d9da4823466c9","https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-23T06:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39864","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they're not shared via the corresponding\n'hidden_beacon_bss' 
pointer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26e84445f02ce6b2fe5f3e0e28ff7add77f35e08","https://git.kernel.org/stable/c/5b7ae04969f822283a95c866967e42b4d75e0eef","https://git.kernel.org/stable/c/6854476d9e1aeaaf05ebc98d610061c2075db07d","https://git.kernel.org/stable/c/912c4b66bef713a20775cfbf3b5e9bd71525c716","https://git.kernel.org/stable/c/a8bb681e879ca3c9f722aa08d3d7ae41c42a8807","https://git.kernel.org/stable/c/a97a9791e455bb0cd5e7a38b5abcb05523d4e21c","https://git.kernel.org/stable/c/b7d08929178c16398278613df07ad65cf63cce9d","https://git.kernel.org/stable/c/ff040562c10a540b8d851f7f4145fa112977f853","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39865","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache -->\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n        tee_shm_free(shm); -->\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: 
systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall 
trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e","https://git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f","https://git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff","https://git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca","https://git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079","https://git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d","https://git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39866","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : 
__mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed                         kworker\n----------------------------------------------------------------------\n___mark_inode_dirty                     inode_switch_wbs_work_fn\n\n  spin_lock(&inode->i_lock);\n  inode_attach_wb\n  locked_inode_to_wb_and_lock_list\n     get inode->i_wb\n     spin_unlock(&inode->i_lock);\n     spin_lock(&wb->list_lock)\n  spin_lock(&inode->i_lock)\n  inode_io_list_move_locked\n  spin_unlock(&wb->list_lock)\n  spin_unlock(&inode->i_lock)\n                                    spin_lock(&old_wb->list_lock)\n                                      inode_do_switch_wbs\n                                        spin_lock(&inode->i_lock)\n                                        inode->i_wb = new_wb\n                                        spin_unlock(&inode->i_lock)\n                                    spin_unlock(&old_wb->list_lock)\n                                    wb_put_many(old_wb, nr_switched)\n                                      cgwb_release\n                                      old wb released\n  wb_wakeup_delayed() accesses wb,\n  then trigger the use-after-free\n  issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() 
finished.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00022,"ranking_epss":0.05984,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1edc2feb9c759a9883dfe81cb5ed231412d8b2e4","https://git.kernel.org/stable/c/b187c976111960e6e54a6b1fff724f6e3d39406c","https://git.kernel.org/stable/c/bf89b1f87c72df79cf76203f71fbf8349cd5c9de","https://git.kernel.org/stable/c/c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a","https://git.kernel.org/stable/c/d02d2c98d25793902f65803ab853b592c7a96b29","https://git.kernel.org/stable/c/e2a14bbae5d8bacaa301362744a110e2be40a3a3","https://git.kernel.org/stable/c/e63052921f1b25a836feb1500b841bff7a4a0456","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39853","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of 
list_first_entry.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":9e-05,"ranking_epss":0.00938,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1eadabcf5623f1237a539b16586b4ed8ac8dffcd","https://git.kernel.org/stable/c/3c6fb929afa313d9d11f780451d113f73922fe5d","https://git.kernel.org/stable/c/66e7cdbda74ee823ec2bf7b830ebd235c54f5ddf","https://git.kernel.org/stable/c/971feafe157afac443027acdc235badc6838560b","https://git.kernel.org/stable/c/9c21fc4cebd44dd21016c61261a683af390343f8","https://git.kernel.org/stable/c/a556f06338e1d5a85af0e32ecb46e365547f92b9","https://git.kernel.org/stable/c/e2a5e74879f9b494bbd66fa93f355feacde450c7","https://git.kernel.org/stable/c/fb216d980fae6561c7c70af8ef826faf059c6515","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39857","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()\n\nBUG: kernel NULL pointer dereference, address: 00000000000002ec\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G        OE       6.17.0-rc2+ #9 NONE\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nWorkqueue: smc_hs_wq smc_listen_work [smc]\nRIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]\n...\nCall Trace:\n <TASK>\n smcr_buf_map_link+0x211/0x2a0 [smc]\n __smc_buf_create+0x522/0x970 [smc]\n smc_buf_create+0x3a/0x110 [smc]\n smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]\n ? 
smc_vlan_by_tcpsk+0x7e/0xe0 [smc]\n smc_listen_find_device+0x1dd/0x2b0 [smc]\n smc_listen_work+0x30f/0x580 [smc]\n process_one_work+0x18c/0x340\n worker_thread+0x242/0x360\n kthread+0xe7/0x220\n ret_from_fork+0x13a/0x160\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nIf the software RoCE device is used, ibdev->dma_device is a null pointer.\nAs a result, the problem occurs. Null pointer detection is added to\nprevent problems.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0cdf1fd8fc59d44a48c694324611136910301ef9","https://git.kernel.org/stable/c/34f17cbe027050b8d5316ea1b6f9bd7c378e92de","https://git.kernel.org/stable/c/ba1e9421cf1a8369d25c3832439702a015d6b5f9","https://git.kernel.org/stable/c/eb929910bd4b4165920fa06a87b22cc6cae92e0e","https://git.kernel.org/stable/c/f18d9b3abf9c6587372cc702f963a7592277ed56","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39860","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n  CPU1                        CPU2 (close())\n  ----                        ----\n  sock_hold(sk)               sock_hold(sk);\n  lock_sock(sk)   <-- block close()\n  sock_put(sk)\n  bt_accept_unlink(sk)\n    sock_put(sk)  <-- refcnt by bt_accept_enqueue()\n  
release_sock(sk)\n                              lock_sock(sk)\n                              sock_put(sk)\n                              bt_accept_unlink(sk)\n                                sock_put(sk)        <-- last refcnt\n                              bt_accept_unlink(sk)  <-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet's call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n </TASK>\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n 
__kmalloc_nopro\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ca99fc3512a8074de20ee52a87b492dfcc41a4d","https://git.kernel.org/stable/c/306b0991413b482dbf5585b423022123bb505966","https://git.kernel.org/stable/c/3dff390f55ccd9ce12e91233849769b5312180c2","https://git.kernel.org/stable/c/47f6090bcf75c369695d21c3f179db8a56bbbd49","https://git.kernel.org/stable/c/6077d16b5c0f65d571eee709de2f0541fb5ef0ca","https://git.kernel.org/stable/c/83e1d9892ef51785cf0760b7681436760dda435a","https://git.kernel.org/stable/c/862c628108562d8c7a516a900034823b381d3cba","https://git.kernel.org/stable/c/964cbb198f9c46c2b2358cd1faffc04c1e8248cf","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39843","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: avoid wake up kswapd in set_track_prepare\n\nset_track_prepare() can incur lock recursion.\nThe issue is that it is called from hrtimer_start_range_ns\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\n\nAvoid deadlock caused by implicitly waking up kswapd by passing in\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\ndebug_objects_fill_pool() case. 
Inside stack depot they are processed by\ngfp_nested_mask().\nSince ___slab_alloc() has preemption disabled, we mask out\n__GFP_DIRECT_RECLAIM from the flags there.\n\nThe oops looks something like:\n\nBUG: spinlock recursion on CPU#3, swapper/3/0\n lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\nCall trace:\nspin_bug+0x0\n_raw_spin_lock_irqsave+0x80\nhrtimer_try_to_cancel+0x94\ntask_contending+0x10c\nenqueue_dl_entity+0x2a4\ndl_server_start+0x74\nenqueue_task_fair+0x568\nenqueue_task+0xac\ndo_activate_task+0x14c\nttwu_do_activate+0xcc\ntry_to_wake_up+0x6c8\ndefault_wake_function+0x20\nautoremove_wake_function+0x1c\n__wake_up+0xac\nwakeup_kswapd+0x19c\nwake_all_kswapds+0x78\n__alloc_pages_slowpath+0x1ac\n__alloc_pages_noprof+0x298\nstack_depot_save_flags+0x6b0\nstack_depot_save+0x14\nset_track_prepare+0x5c\n___slab_alloc+0xccc\n__kmalloc_cache_noprof+0x470\n__set_page_owner+0x2bc\npost_alloc_hook[jt]+0x1b8\nprep_new_page+0x28\nget_page_from_freelist+0x1edc\n__alloc_pages_noprof+0x13c\nalloc_slab_page+0x244\nallocate_slab+0x7c\n___slab_alloc+0x8e8\nkmem_cache_alloc_noprof+0x450\ndebug_objects_fill_pool+0x22c\ndebug_object_activate+0x40\nenqueue_hrtimer[jt]+0xdc\nhrtimer_start_range_ns+0x5f8\n...","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.0147,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/243b705a90ed8449f561a271cf251fd2e939f3db","https://git.kernel.org/stable/c/522ffe298627cfe72539d72167c2e20e72b5e856","https://git.kernel.org/stable/c/850470a8413a8a78e772c4f6bd9fe81ec6bd5b0f","https://git.kernel.org/stable/c/994b03b9605d36d814c611385fbf90ca6db20aa8","https://git.kernel.org/stable/c/eb3240ffd243bfb8b1e9dc568d484ecf9fd660ab","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":
null,"version":null},{"cve_id":"CVE-2025-39844","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: move page table sync declarations to linux/pgtable.h\n\nDuring our internal testing, we started observing intermittent boot\nfailures when the machine uses 4-level paging and has a large amount of\npersistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0 \n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   <TASK>\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   </TASK>\n\nIt turns out that the kernel panics while initializing vmemmap (struct\npage array) when the vmemmap region spans two PGD entries, because the new\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\nother tasks.\n\nAnd looking at __populate_section_memmap():\n  if (vmemmap_can_optimize(altmap, pgmap))                                \n          // does not sync top level page tables\n          r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\n  else                                                                    \n          // sync top level page tables in x86\n          r = vmemmap_populate(start, end, nid, altmap);\n\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\nthat all tasks in the system can see the new vmemmap area.\n\nHowever, when vmemmap_can_optimize() returns true, the optimized path\nskips synchronization of top-level page tables.  
This is because\nvmemmap_populate_compound_pages() is implemented in core MM code, which\ndoes not handle synchronization of the top-level page tables.  Instead,\nthe core MM has historically relied on each architecture to perform this\nsynchronization manually.\n\nWe're not the first party to encounter a crash caused by not-sync'd top\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\nvmemmap area before the corresponding top-level entries were synced.  At\nthat time, the issue was believed to be triggered only when struct page\nwas enlarged for debugging purposes, and the patch did not get further\nupdates.\n\nIt turns out that current approach of relying on each arch to handle the\npage table sync manually is fragile because 1) it's easy to forget to sync\nthe top level page table, and 2) it's also easy to overlook that the\nkernel should not access the vmemmap and direct mapping areas before the\nsync.\n\n# The solution: Make page table sync more code robust and harder to miss\n\nTo address this, Dave Hansen suggested [3] [4] introducing\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\nand allow each architecture to explicitly perform synchronization when\ninstalling top-level entries.  
With this approach, we no longer need to\nworry about missing the sync step, reducing the risk of future\nregressions.\n\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\nvmalloc and ioremap to synchronize page tables.\n\npgd_populate_kernel() looks like this:\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\n                                       p4d_t *p4d)\n{\n        pgd_populate(&init_mm, pgd, p4d);\n        if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)\n                arch_sync_kernel_mappings(addr, addr);\n}\n\nIt is worth noting that vmalloc() and apply_to_range() carefully\nsynchronizes page tables by calling p*d_alloc_track() and\narch_sync_kernel_mappings(), and thus they are not affected by\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/469f9d22751472b81eaaf8a27fcdb5a70741c342","https://git.kernel.org/stable/c/4f7537772011fad832f83d6848f8eab282545bef","https://git.kernel.org/stable/c/6797a8b3f71b2cb558b8771a03450dc3e004e453","https://git.kernel.org/stable/c/732e62212f49d549c91071b4da7942ee3058f7a2","https://git.kernel.org/stable/c/7cc183f2e67d19b03ee5c13a6664b8c6cc37ff9d","https://git.kernel.org/stable/c/eceb44e1f94bd641b2a4e8c09b64c797c4eabc15","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39845","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is 
performed via\npgd_populate_kernel().  In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   <TASK>\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   </TASK>\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n  BUG: unable to handle page fault for address: ffffeb3ff1200000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n  Tainted: [W]=WARN\n  RIP: 0010:vmemmap_set_pmd+0xff/0x230\n   <TASK>\n   vmemmap_populate_hugepages+0x176/0x180\n   vmemmap_populate+0x34/0x80\n   __populate_section_memmap+0x41/0x90\n   sparse_add_section+0x121/0x3e0\n   __add_pages+0xba/0x150\n   add_pages+0x1d/0x70\n   memremap_pages+0x3dc/0x810\n   devm_memremap_pages+0x1c/0x60\n   xe_devm_add+0x8b/0x100 [xe]\n   xe_tile_init_noalloc+0x6a/0x70 [xe]\n   xe_device_probe+0x48c/0x740 [xe]\n   [... 
snip ...]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26ff568f390a531d1bd792e49f1a401849921960","https://git.kernel.org/stable/c/5f761d40ee95d2624f839c90ebeef2d5c55007f5","https://git.kernel.org/stable/c/6659d027998083fbb6d42a165b0c90dc2e8ba989","https://git.kernel.org/stable/c/6bf9473727569e8283c1e2445c7ac42cf4fc9fa9","https://git.kernel.org/stable/c/744ff519c72de31344a627eaf9b24e9595aae554","https://git.kernel.org/stable/c/b7f4051dd3388edd30e9a6077c05c486aa31e0d4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39846","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). 
There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ee32c4c4f636e474cd8ab7c19a68cf36072ea93","https://git.kernel.org/stable/c/44822df89e8f3386871d9cad563ece8e2fd8f0e7","https://git.kernel.org/stable/c/4bd570f494124608a0696da070f00236a96fb610","https://git.kernel.org/stable/c/5ff2826c998370bf7f9ae26fe802140d220e3510","https://git.kernel.org/stable/c/b990c8c6ff50649ad3352507398e443b1e3527b2","https://git.kernel.org/stable/c/ce3b7766276894d2fbb07e2047a171f9deb965de","https://git.kernel.org/stable/c/d7286005e8fde0a430dc180a9f46c088c7d74483","https://git.kernel.org/stable/c/fafa7450075f41d232bc785a4ebcbf16374f2076","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39847","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n    skb = pad_compress_skb(ppp, skb);\n    if (!skb)\n        goto drop;\n\ndrop:\n    kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed.  
At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b21e9cd4559102da798bdcba453b64ecd7be7ee","https://git.kernel.org/stable/c/1d8b354eafb8876d8bdb1bef69c7d2438aacfbe8","https://git.kernel.org/stable/c/33a5bac5f14772730d2caf632ae97b6c2ee95044","https://git.kernel.org/stable/c/4844123fe0b853a4982c02666cb3fd863d701d50","https://git.kernel.org/stable/c/631fc8ab5beb9e0ec8651fb9875b9a968e7b4ae4","https://git.kernel.org/stable/c/85c1c86a67e09143aa464e9bf09c397816772348","https://git.kernel.org/stable/c/87a35a36742df328d0badf4fbc2e56061c15846c","https://git.kernel.org/stable/c/9ca6a040f76c0b149293e430dabab446f3fc8ab7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39848","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb->dev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in 
phonet_rcv()\").","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69","https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14","https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094","https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883","https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56","https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85","https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe","https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39849","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()\n\nIf the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would\nlead to memory corruption so add some bounds 
checking.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04336,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31229145e6ba5ace3e9391113376fa05b7831ede","https://git.kernel.org/stable/c/5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523","https://git.kernel.org/stable/c/62b635dcd69c4fde7ce1de4992d71420a37e51e3","https://git.kernel.org/stable/c/8e751d46336205abc259ed3990e850a9843fb649","https://git.kernel.org/stable/c/e472f59d02c82b511bc43a3f96d62ed08bf4537f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39838","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL pointer dereference in UTF16 conversion\n\nThere can be a NULL pointer dereference bug here. NULL is passed to\n__cifs_sfu_make_node without checks, which passes it unchecked to\ncifs_strndup_to_utf16, which in turn passes it to\ncifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.\n\nThis patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and\nreturns NULL early to prevent dereferencing NULL pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03188,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f797f062b5cf13a1c2bcc23285361baaa7c9260","https://git.kernel.org/stable/c/3c26a8d30ed6b53a52a023ec537dc50a6d34a67a","https://git.kernel.org/stable/c/70bccd9855dae56942f2b18a08ba137bb54093a0","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39839","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183","https://git.kernel.org/stable/c/20080709457bc1e920eb002483d7d981d9b2ac1c","https://git.kernel.org/stable/c/30fc47248f02b8a14a61df469e1da4704be1a19f","https://git.kernel.org/stable/c/5d334bce9fad58cf328d8fa14ea1fff855819863","https://git.kernel.org/stable/c/a67c6397fcb7e842d3c595243049940970541c48","https://git.kernel.org/stable/c/bb37252c9af1cb250f34735ee98f80b46be3cef1","https://git.kernel.org/stable/c/d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087","https://git.kernel.org/stable/c/dce6c2aa70e94c04c523b375dfcc664d7a0a560a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39841","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. 
Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11","https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13","https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7","https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2","https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3","https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111","https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57","https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39842","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: prevent release journal inode after journal shutdown\n\nBefore calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already\nbeen executed in ocfs2_dismount_volume(), so osb->journal must be NULL. 
\nTherefore, the following calltrace will inevitably fail when it reaches\njbd2_journal_release_jbd_inode().\n\nocfs2_dismount_volume()->\n  ocfs2_delete_osb()->\n    ocfs2_free_slot_info()->\n      __ocfs2_free_slot_info()->\n        evict()->\n          ocfs2_evict_inode()->\n            ocfs2_clear_inode()->\n\t      jbd2_journal_release_jbd_inode(osb->journal->j_journal,\n\nAdding osb->journal checks will prevent null-ptr-deref during the above\nexecution path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03055,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/42c415c53ad2065088cc411d08925effa5b3d255","https://git.kernel.org/stable/c/85e66331b60601d903cceaf8c10a234db863cd78","https://git.kernel.org/stable/c/e9188f66e94955431ddbe2cd1cdf8ff2bb486abf","https://git.kernel.org/stable/c/f46e8ef8bb7b452584f2e75337b619ac51a7cadf","https://git.kernel.org/stable/c/f4a917e6cd6c798f7adf39907f117fc754db1283","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-19T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39835","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: do not propagate ENODATA disk errors into xattr code\n\nENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;\nnamely, that the requested attribute name could not be found.\n\nHowever, a medium error from disk may also return ENODATA. 
At best,\nthis medium error may escape to userspace as \"attribute not found\"\nwhen in fact it's an IO (disk) error.\n\nAt worst, we may oops in xfs_attr_leaf_get() when we do:\n\n\terror = xfs_attr_leaf_hasname(args, &bp);\n\tif (error == -ENOATTR)  {\n\t\txfs_trans_brelse(args->trans, bp);\n\t\treturn error;\n\t}\n\nbecause an ENODATA/ENOATTR error from disk leaves us with a null bp,\nand the xfs_trans_brelse will then null-deref it.\n\nAs discussed on the list, we really need to modify the lower level\nIO functions to trap all disk errors and ensure that we don't let\nunique errors like this leak up into higher xfs functions - many\nlike this should be remapped to EIO.\n\nHowever, this patch directly addresses a reported bug in the xattr\ncode, and should be safe to backport to stable kernels. A larger-scope\npatch to handle more unique errors at lower levels can follow later.\n\n(Note, prior to 07120f1abdff we did not oops, but we did return the\nwrong error code to userspace.)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/157ddfb05961c68ab7d457a462822a698e4e4bf4","https://git.kernel.org/stable/c/39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8","https://git.kernel.org/stable/c/90bae69c2959c39912f0c2f07a9a7894f3fc49f5","https://git.kernel.org/stable/c/ae668cd567a6a7622bc813ee0bb61c42bed61ba7","https://git.kernel.org/stable/c/d3cc7476b89fb45b7e00874f4f56f6b928467c60","https://git.kernel.org/stable/c/dcdf36f1b67884c722abce9b8946e34ffb9f67c8","https://git.kernel.org/stable/c/e358d4b6225e4c1eb208686a05e360ef8df59e07","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T14:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39828","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n  struct atmtcp_control {\n  \tstruct atmtcp_hdr hdr;\t/* must be first */\n  ...\n  \tatm_kptr_t vcc;\t\t/* both directions */\n  ...\n  } __ATM_API_ALIGN;\n\n  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:\n\n  1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())\n  2. vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet's add a new ->pre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 
00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n </TASK>\nModules linked 
in:","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a6a6d4fb333f7afe22e59ffed18511a7a98efc8","https://git.kernel.org/stable/c/33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b","https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe","https://git.kernel.org/stable/c/3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b","https://git.kernel.org/stable/c/51872b26429077be611b0a1816e0e722278015c3","https://git.kernel.org/stable/c/62f368472b0aa4b5d91d9b983152855c6b6d8925","https://git.kernel.org/stable/c/b502f16bad8f0a4cfbd023452766f21bfda39dde","https://git.kernel.org/stable/c/ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39826","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert 'use' field to refcount_t\n\nThe 'use' field in struct rose_neigh is used as a reference counter but\nlacks atomicity. 
This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh->use becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of 'use' from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b","https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51","https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061","https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284","https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39827","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the 'count' field in struct rose_neigh tracks references from\nrose_node structures, while the 'use' field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using 'use' field\nfor proper reference management. 
Specifically, this patch adds incrementing\nand decrementing of rose_neigh->use when rose_neigh->count is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05695,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728","https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639","https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115","https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b","https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39824","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. 
However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like an\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a use-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D,        // Usage Page (Digitizer)\n0x09, 0x05,        // Usage (Touch Pad)\n0xA1, 0x01,        // Collection (Application)\n0x85, 0x0D,        //   Report ID (13)\n0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5,        //   Usage (0xC5)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x04,        //   Report Count (4)\n0xB1, 0x02,        //   Feature (Data,Var,Abs)\n0x85, 0x5D,        //   Report ID (93)\n0x06, 0x00, 0x00,  //   Usage Page (Undefined)\n0x09, 0x01,        //   Usage (0x01)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x1B,        //   Report Count (27)\n0x81, 0x02,        //   Input (Data,Var,Abs)\n0xC0,              // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[   21.672709] ==================================================================\n[   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[   21.673700]\n[   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[   21.673700] Hardware name: QEMU Standard 
PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   21.673700] Call Trace:\n[   21.673700]  <TASK>\n[   21.673700]  dump_stack_lvl+0x5f/0x80\n[   21.673700]  print_report+0xd1/0x660\n[   21.673700]  kasan_report+0xe5/0x120\n[   21.673700]  __asan_report_store8_noabort+0x1b/0x30\n[   21.673700]  asus_probe+0xeeb/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Allocated by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_alloc_info+0x3b/0x50\n[   21.673700]  __kasan_kmalloc+0x9c/0xa0\n[   21.673700]  __kmalloc_cache_noprof+0x139/0x340\n[   21.673700]  input_allocate_device+0x44/0x370\n[   21.673700]  hidinput_connect+0xcb6/0x2630\n[   21.673700]  hid_connect+0xf74/0x1d60\n[   21.673700]  hid_hw_start+0x8c/0x110\n[   21.673700]  asus_probe+0x5a3/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Freed by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_free_info+0x3f/0x60\n[   21.673700]  __kasan_slab_free+0x3c/0x50\n[   21.673700]  
kfre\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.02607,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5f3c0839b173f7f33415eb098331879e547d1d2d","https://git.kernel.org/stable/c/7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5","https://git.kernel.org/stable/c/72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275","https://git.kernel.org/stable/c/9a9e4a8317437bf944fa017c66e1e23a0368b5c7","https://git.kernel.org/stable/c/a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c","https://git.kernel.org/stable/c/c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c","https://git.kernel.org/stable/c/d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4","https://git.kernel.org/stable/c/eaae728e7335b5dbad70966e2bd520a731fdf7b2","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39825","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the 
target.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00012,"ranking_epss":0.0147,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24b9ed739c8c5b464d983e12cf308982f3ae93c2","https://git.kernel.org/stable/c/289f945acb20b9b54fe4d13895e44aa58965ddb2","https://git.kernel.org/stable/c/c9991af5e09924f6f3b3e6996a5e09f9504b4358","https://git.kernel.org/stable/c/c9e7de284da0be5b44dbe79d71573f9f7f9b144c","https://git.kernel.org/stable/c/d84291fc7453df7881a970716f8256273aca5747","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39823","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: use array_index_nospec with indices that come from guest\n\nmin and dest_id are guest-controlled indices. Using array_index_nospec()\nafter the bounds checks clamps these values to mitigate speculative 
execution\nside-channels.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03122,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31a0ad2f60cb4816e06218b63e695eb72ce74974","https://git.kernel.org/stable/c/33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f","https://git.kernel.org/stable/c/67a05679621b7f721bdba37a5d18665d3aceb695","https://git.kernel.org/stable/c/72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48","https://git.kernel.org/stable/c/c87bd4dd43a624109c3cc42d843138378a7f4548","https://git.kernel.org/stable/c/d51e381beed5e2f50f85f49f6c90e023754efa12","https://git.kernel.org/stable/c/f49161646e03d107ce81a99c6ca5da682fe5fb69","https://git.kernel.org/stable/c/f57a4bd8d6cb5af05b8ac1be9098e249034639fb","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39819","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb: Fix inconsistent refcnt update\n\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\nSuch inconsistent update could lead to possible resource leaks.\n\nWhy it is a possible bug:\n1. In the comment section of the function, it clearly states that the\nreference to `cfile` should be dropped after calling this function.\n2. Every control flow path would check and drop the reference to\n`cfile`, except the patched one.\n3. Existing callers would not handle refcount update of `cfile` if\n-ENOMEM is returned.\n\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\ncleanup logic would always be respected. As the problem is caused by the\nallocation failure of `vars`, the cleanup logic between label \"finished\"\nand \"out\" can be safely ignored. 
According to the definition of function\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\nTherefore, the replay logic also gets ignored.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.056,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3fc11ff13fbc2749871d6ac2141685cf54699997","https://git.kernel.org/stable/c/4191ea1f0bb3e27d65c5dcde7bd00e709ec67141","https://git.kernel.org/stable/c/4735f5991f51468b85affb8366b7067248457a71","https://git.kernel.org/stable/c/ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e","https://git.kernel.org/stable/c/cc82c6dff548f0066a51a6e577c7454e7d26a968","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39817","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n  Call trace:\n   kasan_check_range+0xe8/0x190\n   __asan_loadN+0x1c/0x28\n   memcmp+0x98/0xd0\n   efivarfs_d_compare+0x68/0xd8\n   __d_lookup_rcu_op_compare+0x178/0x218\n   __d_lookup_rcu+0x1f8/0x228\n   d_alloc_parallel+0x150/0x648\n   lookup_open.isra.0+0x5f0/0x8d0\n   open_last_lookups+0x264/0x828\n   path_openat+0x130/0x3f8\n   do_filp_open+0x114/0x248\n   do_sys_openat2+0x340/0x3c0\n   __arm64_sys_openat+0x120/0x1a0\n\nIf dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become\nnegative, leading to oob. 
The issue can be triggered by parallel\nlookups using invalid filename:\n\n  T1\t\t\tT2\n  lookup_open\n   ->lookup\n    simple_lookup\n     d_add\n     // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t  __d_lookup_rcu\n\t\t\t   __d_lookup_rcu_op_compare\n\t\t\t    hlist_bl_for_each_entry_rcu\n\t\t\t    // invalid dentry can be retrieved\n\t\t\t     ->d_compare\n\t\t\t      efivarfs_d_compare\n\t\t\t      // oob\n\nFix it by checking 'guid' before cmp.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6","https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2","https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95","https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e","https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40","https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c","https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf","https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39813","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump)                              CPU1 (reader)\necho z > 
/proc/sysrq-trigger\n\n!trace_empty(&iter)\ntrace_iterator_reset(&iter) <- len = size = 0\n                                                cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(&iter)\n  __find_next_entry\n    ring_buffer_empty_cpu <- all empty\n  return NULL\n\ntrace_printk_seq(&iter.seq)\n  WARN_ON_ONCE(s->seq.len >= s->seq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the 'iter.seq' is properly populated before\nsubsequent operations.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00011,"ranking_epss":0.01306,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa","https://git.kernel.org/stable/c/4013aef2ced9b756a410f50d12df9ebe6a883e4a","https://git.kernel.org/stable/c/5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85","https://git.kernel.org/stable/c/a6f0f8873cc30fd4543b09adf03f7f51d293f0e6","https://git.kernel.org/stable/c/ced94e137e6cd5e79c65564841d3b7695d0f5fa3","https://git.kernel.org/stable/c/e80ff23ba8bdb0f41a1afe2657078e4097d13a9a","https://git.kernel.org/stable/c/f299353e7ccbcc5c2ed8993c48fbe7609cbe729a","https://git.kernel.org/stable/c/fbd4cf7ee4db65ef36796769fe978e9eba6f0de4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:55","vendor":null,"product":null,"version":null},{"cv
e_id":"CVE-2025-39812","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n  sctp_get_port net/sctp/socket.c:8523 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n  sctp_get_port net/sctp/socket.c:8515 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 
net/socket.c:1930","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae","https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b","https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99","https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3","https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a","https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf","https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027","https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39808","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nIn ntrig_report_version(), the hdev parameter is passed from hid_probe().\nSending a descriptor to /dev/uhid can make hdev->dev.parent->parent null.\nIf hdev->dev.parent->parent is null, usb_dev has an\ninvalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned;\nwhen usb_rcvctrlpipe() uses usb_dev, it triggers a\npage fault error for address (0xffffffffffffff58).\n\nAdd null check logic to ntrig_report_version()\nbefore calling 
hid_to_usb_dev()","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02478,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/019c34ca11372de891c06644846eb41fca7c890c","https://git.kernel.org/stable/c/183def8e4d786e50165e5d992df6a3083e45e16c","https://git.kernel.org/stable/c/185c926283da67a72df20a63a5046b3b4631b7d9","https://git.kernel.org/stable/c/22ddb5eca4af5e69dffe2b54551d2487424448f1","https://git.kernel.org/stable/c/4338b0f6544c3ff042bfbaf40bc9afe531fb08c7","https://git.kernel.org/stable/c/6070123d5344d0950f10ef6a5fdc3f076abb7ad2","https://git.kernel.org/stable/c/98520a9a3d69a530dd1ee280cbe0abc232a35bff","https://git.kernel.org/stable/c/e422370e6ab28478872b914cee5d49a9bdfae0c6","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39806","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. 
Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[   13.671954] ==================================================================\n[   13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[   13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[   13.673297]\n[   13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[   13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[   13.673297] Call Trace:\n[   13.673297]  <TASK>\n[   13.673297]  dump_stack_lvl+0x5f/0x80\n[   13.673297]  print_report+0xd1/0x660\n[   13.673297]  kasan_report+0xe5/0x120\n[   13.673297]  __asan_report_load1_noabort+0x18/0x20\n[   13.673297]  mt_report_fixup+0x103/0x110\n[   13.673297]  hid_open_report+0x1ef/0x810\n[   13.673297]  mt_probe+0x422/0x960\n[   13.673297]  hid_device_probe+0x2e2/0x6f0\n[   13.673297]  really_probe+0x1c6/0x6b0\n[   13.673297]  __driver_probe_device+0x24f/0x310\n[   13.673297]  driver_probe_device+0x4e/0x220\n[   13.673297]  __device_attach_driver+0x169/0x320\n[   13.673297]  bus_for_each_drv+0x11d/0x1b0\n[   13.673297]  __device_attach+0x1b8/0x3e0\n[   13.673297]  device_initial_probe+0x12/0x20\n[   13.673297]  bus_probe_device+0x13d/0x180\n[   13.673297]  device_add+0xe3a/0x1670\n[   13.673297]  
hid_add_device+0x31d/0xa40\n[...]","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4","https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe","https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d","https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338","https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a","https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-16T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-53259","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF\n\nThe call to get_user_pages_fast() in vmci_host_setup_notify() can return\nNULL context->notify_page causing a GPF. 
To avoid GPF check if\ncontext->notify_page == NULL and return error if so.\n\ngeneral protection fault, probably for non-canonical address\n    0xe0009d1000000060: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0x0005088000000300-\n    0x0005088000000307]\nCPU: 2 PID: 26180 Comm: repro_34802241 Not tainted 6.1.0-rc4 #1\nHardware name: Red Hat KVM, BIOS 1.15.0-2.module+el8.6.0 04/01/2014\nRIP: 0010:vmci_ctx_check_signal_notify+0x91/0xe0\nCall Trace:\n <TASK>\n vmci_host_unlocked_ioctl+0x362/0x1f40\n __x64_sys_ioctl+0x1a1/0x230\n do_syscall_64+0x3a/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00015,"ranking_epss":0.02968,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/055891397f530f9b1b22be38d7eca8b08382941f","https://git.kernel.org/stable/c/1a726cb47fd204109c767409fa9ca15a96328f14","https://git.kernel.org/stable/c/91b8e4f61f8f4594ee65368c8d89e6fdc29d3fb1","https://git.kernel.org/stable/c/a3c89e8c69a58f62451c0a75b77fcab25979b897","https://git.kernel.org/stable/c/b4239bfb260d1e6837766c41a0b241d7670f1402","https://git.kernel.org/stable/c/d4198f67e7556b1507f14f60d81a72660e5560e4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-09-15T15:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-50327","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () 
]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05695,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2437513a814b3e93bd02879740a8a06e52e2cf7d","https://git.kernel.org/stable/c/2ecd629c788bbfb96be058edade2e934d3763eaf","https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9","https://git.kernel.org/stable/c/ad1190744da9d812da55b76f2afce750afb0a3bd","https://git.kernel.org/stable/c/b85f0e292f73f353eea915499604fbf50c8238b4","https://git.kernel.org/stable/c/fdee7a0acc566c4194d40a501b8a1584e86cc208","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-09-15T15:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39800","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort transaction on unexpected eb generation at btrfs_copy_root()\n\nIf we find an unexpected generation for the extent buffer we are cloning\nat btrfs_copy_root(), we just WARN_ON() and don't error out and abort the\ntransaction, meaning we allow to persist metadata with an unexpected\ngeneration. 
Instead of warning only, abort the transaction and return\n-EUCLEAN.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/33e8f24b52d2796b8cfb28c19a1a7dd6476323a8","https://git.kernel.org/stable/c/4290e34fb87ae556b12c216efd0ae91583446b7a","https://git.kernel.org/stable/c/4734255ef39b416864139dcda96a387fe5f33a6a","https://git.kernel.org/stable/c/da2124719f386b6e5d4d4b1a2e67c440e4d5892f","https://git.kernel.org/stable/c/f4f5bd9251a4cbe55aaa05725c6c3c32ad1f74b3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-15T13:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39801","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when 'panic_on_warn' is enabled\nand unnecessary call trace prints when 'panic_on_warn' is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n   =======\n->dwc3_thread_interrupt\n ->dwc3_ep0_interrupt\n  ->configfs_composite_setup\n   ->composite_setup\n    ->usb_ep_queue\n     ->dwc3_gadget_ep0_queue\n      ->__dwc3_gadget_ep0_queue\n       ->__dwc3_ep0_do_control_data\n        ->dwc3_send_gadget_ep_cmd\n\n2. 
Disconnect\n   ==========\n->dwc3_thread_interrupt\n ->dwc3_gadget_disconnect_interrupt\n  ->dwc3_ep0_reset_state\n   ->dwc3_ep0_end_control_data\n    ->dwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed, and the end\ntransfer command sent as a part of the disconnect sequence and the\nprocessing of the USB_ENDPOINT_HALT feature request from the host time out.\nThis may be an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It may be better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/45eae113dccaf8e502090ecf5b3d9e9b805add6f","https://git.kernel.org/stable/c/5a1a847d841505dba2bd85602daf5c218e1d85b8","https://git.kernel.org/stable/c/84c95dbf5bece56086cdb65a64162af35158bdd9","https://git.kernel.org/stable/c/db27482b9db340402e05d4e9b75352bbaca51af2","https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f","https://git.kernel.org/stable/c/f49697dfba2915a9ff36f94604eb76fa61413929","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-15T13:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39798","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix the setting of capabilities when automounting a new filesystem\n\nCapabilities cannot be inherited when we cross into a new filesystem.\nThey need to be reset to the minimal defaults, and then probed 
for\nagain.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/175afda783e38c0660f2afc0602dd9c83d4e7ee1","https://git.kernel.org/stable/c/3924dab90816d0c683a110628ef386f83a9d1e13","https://git.kernel.org/stable/c/50e0fd0050e510e749e1fdd1d7158e419ff8f3b9","https://git.kernel.org/stable/c/73fcb101bb3eb2a552d7856a476b2c0bc3b5ef9e","https://git.kernel.org/stable/c/816a6f60c2c2b679a33fa4276442bafd11473651","https://git.kernel.org/stable/c/95eb0d97ab98a10e966125c1f274e7d0fc0992b3","https://git.kernel.org/stable/c/987c20428f067c1c7f29ed0a2bd8c63fa74b1c2c","https://git.kernel.org/stable/c/a8ffee4abd8ec9d7a64d394e0306ae64ba139fd2","https://git.kernel.org/stable/c/b01f21cacde9f2878492cf318fee61bf4ccad323","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-12T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39794","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nARM: tegra: Use I/O memcpy to write to IRAM\n\nKasan crashes the kernel trying to check boundaries when using the\nnormal 
memcpy.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2499b0ac908eefbb8a217aae609b7a5b5174f330","https://git.kernel.org/stable/c/30ef45b89a5961cdecf907ecff1ef3374d1de510","https://git.kernel.org/stable/c/387435f4833f97aabfd74434ee526e31e8a626ea","https://git.kernel.org/stable/c/398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1","https://git.kernel.org/stable/c/46b3a7a3a36d5833f14914d1b95c69d28c6a76d6","https://git.kernel.org/stable/c/75a3bdfeed2f129a2c7d9fd7779382b78e35b014","https://git.kernel.org/stable/c/96d6605bf0561d6e568b1dd9265a0f73b5b94f51","https://git.kernel.org/stable/c/9b0b3b5e5cae95e09bf0ae4a9bcb58d9b6d57f87","https://git.kernel.org/stable/c/b28c1a14accc79ead1e87bbdae53309da60be1e7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-12T16:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39795","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid possible overflow for chunk_sectors check in blk_stack_limits()\n\nIn blk_stack_limits(), we check that the t->chunk_sectors value is a\nmultiple of the t->physical_block_size value.\n\nHowever, by finding the chunk_sectors value in bytes, we may overflow\nthe unsigned int which holds chunk_sectors, so change the check to be\nbased on 
sectors.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01701,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14beeef4aafecc8a41de534e31fb5be94739392f","https://git.kernel.org/stable/c/31f2f080898e50cbf2bae62d35f9f2a997547b38","https://git.kernel.org/stable/c/3b9d69f0e68aa6b0acd9791c45d445154a8c66e9","https://git.kernel.org/stable/c/418751910044649baa2b424ea31cce3fc4dcc253","https://git.kernel.org/stable/c/448dfecc7ff807822ecd47a5c052acedca7d09e8","https://git.kernel.org/stable/c/46aa80ef49594ed7de685ecbc673b291e9a2c159","https://git.kernel.org/stable/c/5e276e6ff9aacf8901b9c3265c3cdd2568c9fff2","https://git.kernel.org/stable/c/8b3ce085b52e674290cbfdd07034e7653ffbe4dc","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-12T16:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-9086","summary":"1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n   hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. 
A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00035,"ranking_epss":0.10177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://curl.se/docs/CVE-2025-9086.html","https://curl.se/docs/CVE-2025-9086.json","https://hackerone.com/reports/3294999","http://www.openwall.com/lists/oss-security/2025/09/10/1","https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html"],"published_time":"2025-09-12T06:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39788","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. 
This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n    shift exponent 32 is too large for 32-bit type 'int'\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08","https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912","https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa","https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832","https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a","https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316","https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39790","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. 
The host uses this pointer to process all of\nthe TREs between it and the host's local copy of the ring's read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost's read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel's xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n'commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")'. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. 
The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn't local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4","https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7","https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9","https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185","https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb","https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-40300","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. 
Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15006289e5c38b2a830e1fba221977a27598176c","https://git.kernel.org/stable/c/2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e","https://git.kernel.org/stable/c/2f8f173413f1cbf52660d04df92d0069c4306d25","https://git.kernel.org/stable/c/34e5667041050711a947e260fc9ebebe08bddee5","https://git.kernel.org/stable/c/459274c77b37ac63b78c928b4b4e748d1f9d05c8","https://git.kernel.org/stable/c/510603f504796c3535f67f55fb0b124a303b44c8","https://git.kernel.org/stable/c/893387c18612bb452336a5881da0d015a7e8f4a2","https://git.kernel.org/stable/c/9c23a90648e831d611152ac08dbcd1283d405e7f","https://git.kernel.org/stable/c/ac60717f9a8d21c58617d0b34274babf24135835","https://git.kernel.org/stable/c/c08192b5d6730a914dee6175bc71092ee6a65f14","https://git.kernel.org/stable/c/d5490dfa35427a2967e00a4c7a1b95fdbc8ede34","https://git.kernel.org/stable/c/d7ddc93392e4a7ffcccc86edf6ef3e64c778db52","https://git.kernel.org/stable/c/f866eef8d1c65504d30923c3f14082ad294d0e6d","http://www.openwall.com/lists/oss-security/2025/11/14/3","http://www.openwall.com/lists/oss-security/2025/11/14/4","http://www.openwall.com/lists/oss-security/2025/11/14/6","http://www.openwall.com/lists/oss-security/2025/11/17/2","http://www.openwall.com/lists/oss-security/2025/11/17/3","https://lists.debian.org/debian-lts
-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39782","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: prevent softlockup in jbd2_log_do_checkpoint()\n\nBoth jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()\nperiodically release j_list_lock after processing a batch of buffers to\navoid long hold times on the j_list_lock. However, since both functions\ncontend for j_list_lock, the combined time spent waiting and processing\ncan be significant.\n\njbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when\nneed_resched() is true to avoid softlockups during prolonged operations.\nBut jbd2_log_do_checkpoint() only exits its loop when need_resched() is\ntrue, relying on potentially sleeping functions like __flush_batch() or\nwait_on_buffer() to trigger rescheduling. If those functions do not sleep,\nthe kernel may hit a softlockup.\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 156s! 
[kworker/u129:2:373]\nCPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017\nWorkqueue: writeback wb_workfn (flush-7:2)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : native_queued_spin_lock_slowpath+0x358/0x418\nlr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\nCall trace:\n native_queued_spin_lock_slowpath+0x358/0x418\n jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\n __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]\n add_transaction_credits+0x3bc/0x418 [jbd2]\n start_this_handle+0xf8/0x560 [jbd2]\n jbd2__journal_start+0x118/0x228 [jbd2]\n __ext4_journal_start_sb+0x110/0x188 [ext4]\n ext4_do_writepages+0x3dc/0x740 [ext4]\n ext4_writepages+0xa4/0x190 [ext4]\n do_writepages+0x94/0x228\n __writeback_single_inode+0x48/0x318\n writeback_sb_inodes+0x204/0x590\n __writeback_inodes_wb+0x54/0xf8\n wb_writeback+0x2cc/0x3d8\n wb_do_writeback+0x2e0/0x2f8\n wb_workfn+0x80/0x2a8\n process_one_work+0x178/0x3e8\n worker_thread+0x234/0x3b8\n kthread+0xf0/0x108\n ret_from_fork+0x10/0x20\n\nSo explicitly call cond_resched() in jbd2_log_do_checkpoint() to 
avoid\nsoftlockup.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01306,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26cb9aad94cb1811d8fae115594cc71fa3d91ab0","https://git.kernel.org/stable/c/3faac5e1d14c63260fd1bf789d96bde3ab3d9e54","https://git.kernel.org/stable/c/41f40038de62e8306897cf6840791b268996432a","https://git.kernel.org/stable/c/429d50cbaff45090d52a1ea850d5de8c14881ee7","https://git.kernel.org/stable/c/84ff98c1ea19acd3f9389e4bb6061364e943f85e","https://git.kernel.org/stable/c/9d98cf4632258720f18265a058e62fde120c0151","https://git.kernel.org/stable/c/f683d611518d30334813eecf9a8c687453e2800e","https://git.kernel.org/stable/c/f7ee8fd689e6d534f9fd2494b9266f7998082e65","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39783","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix configfs group list head handling\n\nDoing a list_del() on the epf_group field of struct pci_epf_driver in\npci_epf_remove_cfs() is not correct as this field is a list head, not\na list entry. 
This list_del() call triggers a KASAN warning when an\nendpoint function driver which has a configfs attribute group is torn\ndown:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198\nWrite of size 8 at addr ffff00010f4a0d80 by task rmmod/319\n\nCPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE\nHardware name: Radxa ROCK 5B (DT)\nCall trace:\nshow_stack+0x2c/0x84 (C)\ndump_stack_lvl+0x70/0x98\nprint_report+0x17c/0x538\nkasan_report+0xb8/0x190\n__asan_report_store8_noabort+0x20/0x2c\npci_epf_remove_cfs+0x17c/0x198\npci_epf_unregister_driver+0x18/0x30\nnvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]\n__arm64_sys_delete_module+0x264/0x424\ninvoke_syscall+0x70/0x260\nel0_svc_common.constprop.0+0xac/0x230\ndo_el0_svc+0x40/0x58\nel0_svc+0x48/0xdc\nel0t_64_sync_handler+0x10c/0x138\nel0t_64_sync+0x198/0x19c\n...\n\nRemove this incorrect list_del() call from pci_epf_remove_cfs().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0758862386f114d9ab1e23181461bd1e2e9ec4c6","https://git.kernel.org/stable/c/409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2","https://git.kernel.org/stable/c/6cf65505523224cab1449d726d2ce8180c2941ee","https://git.kernel.org/stable/c/80ea6e6904fb2ba4ccb5d909579988466ec65358","https://git.kernel.org/stable/c/a302bd89db35d8b7e279de4d2b41c16c7f191069","https://git.kernel.org/stable/c/d5aecddc3452371d9da82cdbb0c715812524b54b","https://git.kernel.org/stable/c/d79123d79a8154b4318529b7b2ff7e15806f480b","https://git.kernel.org/stable/c/dc4ffbd571716ff3b171418fb03abe80e720a7b1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CV
E-2025-39787","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don't read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that's not necessary the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don't read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d59ce2bfc3bb13abe6240335a1bf7b96536d022","https://git.kernel.org/stable/c/1096eb63ecfc8df90b70cd068e6de0c2ff204dfd","https://git.kernel.org/stable/c/43d26997d88c4056fce0324e72f62556bc7e8e8d","https://git.kernel.org/stable/c/81278be4eb5f08ba2c68c3055893e61cc03727fe","https://git.kernel.org/stable/c/87bfabb3b2f46827639173f143aa43f7cfc0a7e6","https://git.kernel.org/stable/c/981c845f29838e468a9bfa87f784307193a31297","https://git.kernel.org/stable/c/9f9967fed9d066ed3dae9372b45ffa4f6fccfeef","https://git.kernel.org/stable/c/e1720eb32acf411c328af6a8c8f556c94535808e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39773","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix soft lockup in br_multicast_query_expired()\n\nWhen set multicast_query_interval to a large value, the local variable\n'time' in br_multicast_send_query() may overflow. 
If the time is smaller\nthan jiffies, the timer will expire immediately, and then call mod_timer()\nagain, which creates a loop and may trigger the following soft lockup\nissue.\n\n  watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]\n  CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)\n  Call Trace:\n   <IRQ>\n   __netdev_alloc_skb+0x2e/0x3a0\n   br_ip6_multicast_alloc_query+0x212/0x1b70\n   __br_multicast_send_query+0x376/0xac0\n   br_multicast_send_query+0x299/0x510\n   br_multicast_query_expired.constprop.0+0x16d/0x1b0\n   call_timer_fn+0x3b/0x2a0\n   __run_timers+0x619/0x950\n   run_timer_softirq+0x11c/0x220\n   handle_softirqs+0x18e/0x560\n   __irq_exit_rcu+0x158/0x1a0\n   sysvec_apic_timer_interrupt+0x76/0x90\n   </IRQ>\n\nThis issue can be reproduced with:\n  ip link add br0 type bridge\n  echo 1 > /sys/class/net/br0/bridge/multicast_querier\n  echo 0xffffffffffffffff >\n  \t/sys/class/net/br0/bridge/multicast_query_interval\n  ip link set dev br0 up\n\nThe multicast_startup_query_interval can also cause this issue. 
Similar to\nthe commit 99b40610956a (\"net: bridge: mcast: add and enforce query\ninterval minimum\"), add check for the query interval maximum to fix this\nissue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.0147,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/34171b9e53bd1dc264f5556579f2b04f04435c73","https://git.kernel.org/stable/c/43e281fde5e76a866a4d10780c35023f16c0e432","https://git.kernel.org/stable/c/5bf5fce8a0c2a70d063af778fdb5b27238174cdd","https://git.kernel.org/stable/c/96476b043efb86a94f2badd260f7f99c97bd5893","https://git.kernel.org/stable/c/bdb19cd0de739870bb3494c815138b9dc30875c4","https://git.kernel.org/stable/c/d1547bf460baec718b3398365f8de33d25c5f36f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39776","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: clear page table entries at destroy_args()\n\nThe mm/debug_vm_pagetable test allocates manually page table entries for\nthe tests it runs, using also its manually allocated mm_struct.  That in\nitself is ok, but when it exits, at destroy_args() it fails to clear those\nentries with the *_clear functions.\n\nThe problem is that leaves stale entries.  If another process allocates an\nmm_struct with a pgd at the same address, it may end up running into the\nstale entry.  
This is happening in practice on a debug kernel with\nCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra\ndebugging I added (it prints a warning trace if pgtables_bytes goes\nnegative, in addition to the warning at check_mm() function):\n\n[    2.539353] debug_vm_pgtable: [get_random_vaddr         ]: random_vaddr is 0x7ea247140000\n[    2.539366] kmem_cache info\n[    2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508\n[    2.539447] debug_vm_pgtable: [init_args                ]: args->mm is 0x000000002267cc9e\n(...)\n[    2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0\n[    2.552816] Modules linked in:\n[    2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY\n[    2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries\n[    2.552872] NIP:  c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90\n[    2.552885] REGS: c0000000622e73b0 TRAP: 0700   Not tainted  (6.12.0-105.debug_vm2.el10.ppc64le+debug)\n[    2.552899] MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24002822  XER: 0000000a\n[    2.552954] CFAR: c0000000008f03f0 IRQMASK: 0\n[    2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001\n[    2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff\n[    2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000\n[    2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb\n[    2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0\n[    2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000\n[    2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001\n[    2.552954] GPR28: 000000000000000a c000000062ebc600 
0000000000002000 c000000062ebc760\n[    2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0\n[    2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0\n[    2.553199] Call Trace:\n[    2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)\n[    2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0\n[    2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570\n[    2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650\n[    2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290\n[    2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0\n[    2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870\n[    2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150\n[    2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50\n[    2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0\n[    2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n(...)\n[    2.558892] ---[ end trace 0000000000000000 ]---\n[    2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1\n[    2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144\n\nHere the modprobe process ended up with an allocated mm_struct from the\nmm_struct slab that was used before by the debug_vm_pgtable test.  
That is\nnot a problem, since the mm_stru\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/47d2a149611b8a94d24add9868c442a4af278658","https://git.kernel.org/stable/c/561171db3b3eb759ba3f284dba7a76f4476ade03","https://git.kernel.org/stable/c/61a9f2e5c49f05e3ea2c16674540a075a1b4be6f","https://git.kernel.org/stable/c/63962ff932ef359925b94be2a88df6b4fd4fed0a","https://git.kernel.org/stable/c/7bf57a0709cd7c9088cea8de023d6f4fbf2518b0","https://git.kernel.org/stable/c/dde30854bddfb5d69f30022b53c5955a41088b33","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39770","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. 
While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 
f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/041e2f945f82fdbd6fff577b79c33469430297aa","https://git.kernel.org/stable/c/2156d9e9f2e483c8c3906c0ea57ea312c1424235","https://git.kernel.org/stable/c/794ddbb7b63b6828c75967b9bcd43b086716e7a1","https://git.kernel.org/stable/c/864e3396976ef41de6cc7bc366276bf4e084fff2","https://git.kernel.org/stable/c/a0478d7e888028f85fa7785ea838ce0ca09398e2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39772","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loaded failed, the driver use hibmc_unload to free the\nresource, but the mutexes in mode.config are not init, which will\naccess an NULL pointer. 
Just change goto statement to return, because\nhibnc_hw_init() doesn't need to free anything.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/93a08f856fcc5aaeeecad01f71bef3088588216a","https://git.kernel.org/stable/c/a4f1b9c57092c48bdc7958abd23403ccaed437b2","https://git.kernel.org/stable/c/c950e1be3a24d021475b56efdb49daa7fbba63a9","https://git.kernel.org/stable/c/d3e774266c28aefab3e9db334fdf568f936cae04","https://git.kernel.org/stable/c/ddf1691f25345699296e642f0f59f2d464722fa3","https://git.kernel.org/stable/c/f93032e5d68f459601c701f6ab087b5feb3382e8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39766","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit\n\nThe following setup can trigger a WARNING in htb_activate due to\nthe condition: !cl->leaf.q->q.qlen\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 \\\n       htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle f: \\\n       cake memlimit 1b\nping -I lo -f -c1 -s64 -W0.001 127.0.0.1\n\nThis is because the low memlimit leads to a low buffer_limit, which\ncauses packet dropping. However, cake_enqueue still returns\nNET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an\nempty child qdisc. 
We should return NET_XMIT_CN when packets are\ndropped from the same tin and flow.\n\nI do not believe return value of NET_XMIT_CN is necessary for packet\ndrops in the case of ack filtering, as that is meant to optimize\nperformance, not to signal congestion.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dacfc5372e314d1219f03e64dde3ab495a5a25e","https://git.kernel.org/stable/c/15de71d06a400f7fdc15bf377a2552b0ec437cf5","https://git.kernel.org/stable/c/62d591dde4defb1333d202410609c4ddeae060b3","https://git.kernel.org/stable/c/710866fc0a64eafcb8bacd91bcb1329eb7e5035f","https://git.kernel.org/stable/c/7689ab22de36f8db19095f6bdf11f28cfde92f5c","https://git.kernel.org/stable/c/aa12ee1c1bd260943fd6ab556d8635811c332eeb","https://git.kernel.org/stable/c/de04ddd2980b48caa8d7e24a7db2742917a8b280","https://git.kernel.org/stable/c/ff57186b2cc39766672c4c0332323933e5faaa88","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39756","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n  WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 
(0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n   # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n   #include <unistd.h>\n   #include <sys/resource.h>\n\n   int main() {\n       struct rlimit rlim = {1073741824, 1073741824};\n       setrlimit(RLIMIT_NOFILE, &rlim);\n       dup2(2, 1073741880);  // Triggers the warning\n       return 0;\n   }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n   size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n   inadvertently trigger massive allocations\n3. The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. 
This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04a2c4b4511d186b0fce685da21085a5d4acd370","https://git.kernel.org/stable/c/237e416eb62101f21b28c9e6e564d10efe1ecc6f","https://git.kernel.org/stable/c/628fc28f42d979f36dbf75a6129ac7730e30c04e","https://git.kernel.org/stable/c/749528086620f8012b83ae032a80f6ffa80c45cd","https://git.kernel.org/stable/c/9f61fa6a2a89a610120bc4e5d24379c667314b5c","https://git.kernel.org/stable/c/b4159c5a90c03f8acd3de345a7f5fc63b0909818","https://git.kernel.org/stable/c/d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc","https://git.kernel.org/stable/c/dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae","https://git.kernel.org/stable/c/f95638a8f22eba307dceddf5aef9ae2326bbcf98","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39757","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 cluster segment descriptors\n\nUAC3 class segment descriptors need to be verified whether their sizes\nmatch with the declared lengths and whether they fit with the\nallocated buffer sizes, too.  
Otherwise malicious firmware may lead to\nthe unexpected OOB accesses.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1034719fdefd26caeec0a44a868bb5a412c2c1a5","https://git.kernel.org/stable/c/275e37532e8ebe25e8a4069b2d9f955bfd202a46","https://git.kernel.org/stable/c/47ab3d820cb0a502bd0074f83bb3cf7ab5d79902","https://git.kernel.org/stable/c/786571b10b1ae6d90e1242848ce78ee7e1d493c4","https://git.kernel.org/stable/c/799c06ad4c9c790c265e8b6b94947213f1fb389c","https://git.kernel.org/stable/c/7ef3fd250f84494fb2f7871f357808edaa1fc6ce","https://git.kernel.org/stable/c/ae17b3b5e753efc239421d186cd1ff06e5ac296e","https://git.kernel.org/stable/c/dfdcbcde5c20df878178245d4449feada7d5b201","https://git.kernel.org/stable/c/ecfd41166b72b67d3bdeb88d224ff445f6163869","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39759","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\n\nThere's a race between a task disabling quotas and another running the\nrescan ioctl that can result in a use-after-free of qgroup records from\nthe fs_info->qgroup_tree rbtree.\n\nThis happens as follows:\n\n1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();\n\n2) Task B enters btrfs_quota_disable() and calls\n   btrfs_qgroup_wait_for_completion(), which does nothing because at that\n   point fs_info->qgroup_rescan_running is false (it wasn't set yet by\n   task A);\n\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\n   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;\n\n4) Task A enters 
qgroup_rescan_zero_tracking() which starts iterating\n   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,\n   but task B is freeing qgroup records from that tree without holding\n   the lock, resulting in a use-after-free.\n\nFix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().\nAlso at btrfs_qgroup_rescan() don't start the rescan worker if quotas\nwere already disabled.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00012,"ranking_epss":0.01551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2fd0f5ceb997f90f4332ccbab6c7e907e6b2d0eb","https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace","https://git.kernel.org/stable/c/b172535ccba12f0cf7d23b3b840989de47fc104d","https://git.kernel.org/stable/c/c38028ce0d0045ca600b6a8345a0ff92bfb47b66","https://git.kernel.org/stable/c/dd0b28d877b293b1d7f8727a7de08ae36b6b9ef0","https://git.kernel.org/stable/c/e1249667750399a48cafcf5945761d39fa584edf","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39760","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: config: Prevent OOB read in SS endpoint companion parsing\n\nusb_parse_ss_endpoint_companion() checks descriptor type before length,\nenabling a potentially odd read outside of the buffer size.\n\nFix this up by checking the size first before looking at any of the\nfields in the 
descriptor.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/058ad2b722812708fe90567875704ae36563e33b","https://git.kernel.org/stable/c/4fe6f472f0beef4281e6f03bc38a910a33be663f","https://git.kernel.org/stable/c/5badd56c711e2c8371d1670f9bd486697575423c","https://git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2","https://git.kernel.org/stable/c/9512510cee7d1becdb0e9413fdd3ab783e4e30ee","https://git.kernel.org/stable/c/9843bcb187cb933861f7805022e6873905f669e4","https://git.kernel.org/stable/c/b10e0f868067c6f25bbfabdcf3e1e6432c24ca55","https://git.kernel.org/stable/c/cf16f408364efd8a68f39011a3b073c83a03612d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39749","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect ->defer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won't happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure's ->defer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special().  
This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last  enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70\nsoftirqs last  enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special().  In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe ->defer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending\nfield.  
This suffices because this handler is not a fast path.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3","https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5","https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e","https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd","https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b","https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895","https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124","https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4","https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39752","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nARM: rockchip: fix kernel hang during smp initialization\n\nIn order to bring up secondary CPUs main CPU write trampoline\ncode to SRAM. The trampoline code is written while secondary\nCPUs are powered on (at least that true for RK3188 CPU).\nSometimes that leads to kernel hang. 
Probably because a secondary\nCPU executes trampoline code when the kernel doesn't expect it.\n\nThe patch moves the SRAM initialization step to the point where all\nsecondary CPUs are powered down.\n\nThat fixes rare hangs on RK3188:\n[    0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000\n[    0.091996] rockchip_smp_prepare_cpus: ncores 4","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0223a3683d502b7e5eb2eb4ad7e97363fa88d531","https://git.kernel.org/stable/c/1eb67589a7e091b1e5108aab72fddbf4dc69af2c","https://git.kernel.org/stable/c/265583266d93db4ff83d088819b1f63fdf0131db","https://git.kernel.org/stable/c/3c6bf7a324b8995b9c7d790c8d2abf0668f51551","https://git.kernel.org/stable/c/47769dab9073a73e127aa0bfd0ba4c51eaccdc33","https://git.kernel.org/stable/c/7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814","https://git.kernel.org/stable/c/888a453c2a239765a7ab4de8a3cedae2e3802528","https://git.kernel.org/stable/c/c0726d1e466e2d0da620836e293a59e6427ccdff","https://git.kernel.org/stable/c/d7d6d076ee9532c4668f14696a35688d35dd16f4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39743","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: truncate good inode pages when hard link is 0\n\nThe fileset value of the inode copy from the disk by the reproducer is\nAGGR_RESERVED_I. When executing evict, its hard link number is 0, so its\ninode pages are not truncated. 
This causes the bugon to be triggered when\nexecuting clear_inode() because nrpages is greater than 0.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bb5cdc3e39f0c2b311fcb631258b7e60d3fb0d3","https://git.kernel.org/stable/c/2b1d5ca395a5fb170c3f885cd42c16179f7f54ec","https://git.kernel.org/stable/c/2d91b3765cd05016335cd5df5e5c6a29708ec058","https://git.kernel.org/stable/c/34d8e982bac48bdcca7524644a8825a580edce74","https://git.kernel.org/stable/c/5845b926c561b8333cd65169526eec357d7bb449","https://git.kernel.org/stable/c/89fff8e3d6710fc32507b8e19eb5afa9fb79b896","https://git.kernel.org/stable/c/8ed7275910fb7177012619864e04d3008763f3ea","https://git.kernel.org/stable/c/b5b471820c33365a8ccd2d463578bf4e47056c2c","https://git.kernel.org/stable/c/df3fd8daf278eca365f221749ae5b728e8382a04","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39742","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n\nThe function divides the number of online CPUs by num_core_siblings, and\nonly later checks the divisor for zero. This implies the possibility of a\ndivide-by-zero runtime error. Fix it by moving the check prior to\ndivision. 
This also helps to save one indentation level.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a7cf828ed861de5be1aff99e10f114b363c19d3","https://git.kernel.org/stable/c/31d0599a23efdbfe579bfbd1eb8f8c942f13744d","https://git.kernel.org/stable/c/4b4317b0d758ff92ba96f4e448a8992a6fe607bf","https://git.kernel.org/stable/c/59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a","https://git.kernel.org/stable/c/89fdac333a17ed990b41565630ef4791782e02f5","https://git.kernel.org/stable/c/9b05e91afe948ed819bf87d7ba0fccf451ed79a6","https://git.kernel.org/stable/c/9bba1a9994c523b44db64f63b564b4719ea2b7ef","https://git.kernel.org/stable/c/9d3211cb61a0773a2440d0a0698c1e6e7429f907","https://git.kernel.org/stable/c/ac53f377393cc85156afdc90b636e84e544a6f96","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39737","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()\n\nA soft lockup warning was observed on a relatively small x86-64\nsystem with 16 GB of memory when running a debug kernel with kmemleak\nenabled.\n\n  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]\n\nThe test system was running a workload with hot unplug happening in\nparallel.  Then kmemleak decided to disable itself due to its inability to\nallocate more kmemleak objects.  The debug kernel has its\nCONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.\n\nThe soft lockup happened in kmemleak_do_cleanup() when the existing\nkmemleak objects were being removed and deleted one-by-one in a loop via a\nworkqueue.  
In this particular case, there are at least 40,000 objects\nthat need to be processed and given the slowness of a debug kernel and the\nfact that a raw_spinlock has to be acquired and released in\n__delete_object(), it could take a while to properly handle all these\nobjects.\n\nAs kmemleak has been disabled in this case, the object removal and\ndeletion process can be further optimized as locking isn't really needed. \nHowever, it is probably not worth the effort to optimize for such an edge\ncase that should rarely happen.  So the simple solution is to call\ncond_resched() at periodic interval in the iteration loop to avoid soft\nlockup.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.0259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1ef72a7fedc5bca70e8cc980985790de10d407aa","https://git.kernel.org/stable/c/8d2d22a55ffe35c38e69795468a7addd1a80e9ce","https://git.kernel.org/stable/c/926092268efdf1ed7b55cf486356c74a9e7710d1","https://git.kernel.org/stable/c/9b80430c194e4a114dc663c1025d56b4f3d0153d","https://git.kernel.org/stable/c/9f1f4e95031f84867c5821540466d62f88dab8ca","https://git.kernel.org/stable/c/a04de4c40aab9b338dfa989cf4aec70fd187eeb2","https://git.kernel.org/stable/c/d1534ae23c2b6be350c8ab060803fbf6e9682adc","https://git.kernel.org/stable/c/e21a3ddd58733ce31afcb1e5dc3cb80a4b5bc29b","https://git.kernel.org/stable/c/f014c10d190b92aad366e56b445daffcd1c075e4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39738","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not allow relocation of partially dropped subvolumes\n\n[BUG]\nThere is an internal report that balance triggered transaction abort,\nwith the following call 
trace:\n\n  item 85 key (594509824 169 0) itemoff 12599 itemsize 33\n          extent refs 1 gen 197740 flags 2\n          ref#0: tree block backref root 7\n  item 86 key (594558976 169 0) itemoff 12566 itemsize 33\n          extent refs 1 gen 197522 flags 2\n          ref#0: tree block backref root 7\n ...\n BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0\n BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117\n ------------[ cut here ]------------\n BTRFS: Transaction aborted (error -117)\n WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]\n\nAnd btrfs check doesn't report anything wrong related to the extent\ntree.\n\n[CAUSE]\nThe cause is a little complex. Firstly, the extent tree indeed doesn't\nhave the backref for 594526208.\n\nThe extent tree only has the following two backrefs around that bytenr\non-disk:\n\n        item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33\n                refs 1 gen 197740 flags TREE_BLOCK\n                tree block skinny level 0\n                (176 0x7) tree block backref root CSUM_TREE\n        item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33\n                refs 1 gen 197522 flags TREE_BLOCK\n                tree block skinny level 0\n                (176 0x7) tree block backref root CSUM_TREE\n\nBut such a missing backref item is not a corruption on disk, as the\noffending delayed ref belongs to subvolume 934, and that subvolume is\nbeing dropped:\n\n        item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439\n                generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328\n                last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0\n                drop_progress key (206324 EXTENT_DATA 2711650304) 
drop_level 2\n                level 2 generation_v2 198229\n\nAnd that offending tree block 594526208 is inside the dropped range of\nthat subvolume.  That explains why there is no backref item for that\nbytenr and why btrfs check is not reporting anything wrong.\n\nBut this also shows another problem, as btrfs will do all the orphan\nsubvolume cleanup at a read-write mount.\n\nSo a half-dropped subvolume should not exist after an RW mount, and\nbalance itself is also exclusive to subvolume cleanup, meaning we\nshouldn't hit a half-dropped subvolume during relocation.\n\nThe root cause is, there is no orphan item for this subvolume.\nIn fact there are 5 subvolumes from around 2021 that have the same\nproblem.\n\nIt looks like the original report has some older kernels running, and\nthose caused the zombie subvolumes.\n\nThankfully upstream commit 8d488a8c7ba2 (\"btrfs: fix subvolume/snapshot\ndeletion not triggered on mount\") has long fixed the bug.\n\n[ENHANCEMENT]\nFor repairing such old fs, btrfs-progs will be enhanced.\n\nConsidering how late the problem shows up (at run delayed ref\ntime), and that at that time we have to abort the transaction already, it is too\nlate.\n\nInstead here we reject any half-dropped subvolume for the reloc tree at the\nearliest time, preventing confusion and extra time wasted on debugging\nsimilar 
bugs.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.0296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/125e94a4b76b7b75d194f85bedd628097d2121f0","https://git.kernel.org/stable/c/39a93e1c9dbf7e11632efeb20fcf0fc1dcf64d51","https://git.kernel.org/stable/c/4289b494ac553e74e86fed1c66b2bf9530bc1082","https://git.kernel.org/stable/c/4e403bd8e127d40dc7c05f06ee969c1ba1537ec5","https://git.kernel.org/stable/c/f83d4c81bda3b7d1813268ab77408f7a0ce691ff","https://git.kernel.org/stable/c/fa086b1398cf7e5f7dee7241bd5f2855cb5df8dc","https://git.kernel.org/stable/c/fcb1f77b8ed8795608ca7a1f6505e2b07236c1f3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39736","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock\n\nWhen netpoll is enabled, calling pr_warn_once() while holding\nkmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock\ninversion with the netconsole subsystem.  
This occurs because\npr_warn_once() may trigger netpoll, which eventually leads to\n__alloc_skb() and back into kmemleak code, attempting to reacquire\nkmemleak_lock.\n\nThis is the path for the deadlock.\n\nmem_pool_alloc()\n  -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\n      -> pr_warn_once()\n          -> netconsole subsystem\n\t     -> netpoll\n\t         -> __alloc_skb\n\t\t   -> __create_object\n\t\t     -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\n\nFix this by setting a flag and issuing the pr_warn_once() after\nkmemleak_lock is released.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01306,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08f70be5e406ce47c822f2dd11c1170ca259605b","https://git.kernel.org/stable/c/1da95d3d4b7b1d380ebd87b71a61e7e6aed3265d","https://git.kernel.org/stable/c/47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2","https://git.kernel.org/stable/c/4b0151e1d468eb2667c37b7af99b3c075072d334","https://git.kernel.org/stable/c/62879faa8efe8d8a9c7bf7606ee9c068012d7dac","https://git.kernel.org/stable/c/a0854de00ce2ee27edf39037e7836ad580eb3350","https://git.kernel.org/stable/c/a181b228b37a6a5625dad2bb4265bb7abb673e9f","https://git.kernel.org/stable/c/c7b6ea0ede687e7460e593c5ea478f50aa41682a","https://git.kernel.org/stable/c/f249d32bb54876b4b6c3ae071af8ddca77af390b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-11T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39734","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"fs/ntfs3: Replace inode_trylock with inode_lock\"\n\nThis reverts commit 69505fe98f198ee813898cbcaf6770949636430b.\n\nInitially, conditional lock acquisition was removed to fix an xfstest bug\nthat was observed during internal testing. 
The deadlock reported by syzbot\nis resolved by reintroducing conditional acquisition. The xfstest bug no\nlonger occurs on kernel version 6.16-rc1 during internal testing. I\nassume that changes in other modules may have contributed to this.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1903a6c1f2818154f6bc87bceaaecafa92b6ac5c","https://git.kernel.org/stable/c/7ce6f83ca9d52c9245b7a017466fc4baa1241b0b","https://git.kernel.org/stable/c/a49f0abd8959048af18c6c690b065eb0d65b2d21","https://git.kernel.org/stable/c/a936be9b5f51c4d23f66fb673e9068c6b08104a4","https://git.kernel.org/stable/c/b356ee013a79e7e3147bfe065de376706c5d2ee9","https://git.kernel.org/stable/c/bd20733746263acaaf2a21881665db27ee4303d5","https://git.kernel.org/stable/c/bec8109f957a6e193e52d1728799994c8005ca83","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-07T16:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39730","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded 
filehandle.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04201,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40","https://git.kernel.org/stable/c/2ad40b7992aa26bc631afc1a995b0e3ddc30de3f","https://git.kernel.org/stable/c/3570ef5c31314c13274c935a20b91768ab5bf412","https://git.kernel.org/stable/c/763810bb883cb4de412a72f338d80947d97df67b","https://git.kernel.org/stable/c/7dd36f7477d1e03a1fcf8d13531ca326c4fb599f","https://git.kernel.org/stable/c/7f8eca87fef7519e9c41f3258f25ebc2752247ee","https://git.kernel.org/stable/c/b7f7866932466332a2528fda099000b035303485","https://git.kernel.org/stable/c/cb09afa0948d96b1e385d609ed044bb1aa043536","https://git.kernel.org/stable/c/ef93a685e01a281b5e2a25ce4e3428cf9371a205","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-07T16:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39731","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: vm_unmap_ram() may be called from an invalid context\n\nWhen testing F2FS with xfstests using UFS backed virtual disks the\nkernel complains sometimes that f2fs_release_decomp_mem() calls\nvm_unmap_ram() from an invalid context. Example trace from\nf2fs/007 test:\n\nf2fs/007 5s ...  
[12:59:38][    8.902525] run fstests f2fs/007\n[   11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978\n[   11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd\n[   11.475357] preempt_count: 1, expected: 0\n[   11.476970] RCU nest depth: 0, expected: 0\n[   11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G        W           6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)\n[   11.478535] Tainted: [W]=WARN\n[   11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   11.478537] Call Trace:\n[   11.478543]  <TASK>\n[   11.478545]  dump_stack_lvl+0x4e/0x70\n[   11.478554]  __might_resched.cold+0xaf/0xbe\n[   11.478557]  vm_unmap_ram+0x21/0xb0\n[   11.478560]  f2fs_release_decomp_mem+0x59/0x80\n[   11.478563]  f2fs_free_dic+0x18/0x1a0\n[   11.478565]  f2fs_finish_read_bio+0xd7/0x290\n[   11.478570]  blk_update_request+0xec/0x3b0\n[   11.478574]  ? sbitmap_queue_clear+0x3b/0x60\n[   11.478576]  scsi_end_request+0x27/0x1a0\n[   11.478582]  scsi_io_completion+0x40/0x300\n[   11.478583]  ufshcd_mcq_poll_cqe_lock+0xa3/0xe0\n[   11.478588]  ufshcd_sl_intr+0x194/0x1f0\n[   11.478592]  ufshcd_threaded_intr+0x68/0xb0\n[   11.478594]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478599]  irq_thread_fn+0x20/0x60\n[   11.478602]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478603]  irq_thread+0xb9/0x180\n[   11.478605]  ? __pfx_irq_thread_dtor+0x10/0x10\n[   11.478607]  ? __pfx_irq_thread+0x10/0x10\n[   11.478609]  kthread+0x10a/0x230\n[   11.478614]  ? __pfx_kthread+0x10/0x10\n[   11.478615]  ret_from_fork+0x7e/0xd0\n[   11.478619]  ? __pfx_kthread+0x10/0x10\n[   11.478621]  ret_from_fork_asm+0x1a/0x30\n[   11.478623]  </TASK>\n\nThis patch modifies in_task() check inside f2fs_read_end_io() to also\ncheck if interrupts are disabled. 
This ensures that pages are unmapped\nasynchronously in an interrupt handler.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08a7efc5b02a0620ae16aa9584060e980a69cb55","https://git.kernel.org/stable/c/0fe7976b62546f1e95eebfe9879925e9aa22b7a8","https://git.kernel.org/stable/c/1023836d1b9465593c8746f97d608da32958785f","https://git.kernel.org/stable/c/18eea36f4f460ead3750ed4afe5496f7ce55f99e","https://git.kernel.org/stable/c/411e00f44e2e1a7fdb526013b25a7f0ed22a0947","https://git.kernel.org/stable/c/eb69e69a5ae6c8350957893b5f68bd55b1565fb2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-07T16:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39724","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). 
The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p->fcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==\n(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock\nto fix this issue.\n\nPanic backtrace:\n[    0.442336] Oops - unknown exception [#1]\n[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e\n...\n[    0.442416] console_on_rootfs+0x26/0x70","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04037,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b882f00655afefbc7729c6b5aec86f7a5473a3d","https://git.kernel.org/stable/c/38c0ea484dedb58cb3a4391229933e16be0d1031","https://git.kernel.org/stable/c/68c4613e89f000e8198f9ace643082c697921c9f","https://git.kernel.org/stable/c/7f8fdd4dbffc05982b96caf586f77a014b2a9353","https://git.kernel.org/stable/c/8e2739478c164147d0774802008528d9e03fb802","https://git.kernel.org/stable/c/b8ca8e3f75ede308b4d49a6ca5081460be01bdb5","https://git.kernel.org/stable/c/c826943abf473a3f7260fbadfad65e44db475460","https://git.kernel.org/stable/c/cb7b3633ed749db8e56f475f43c960652cbd6882","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39716","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise __get_user() to probe user read access\n\nBecause of the way read access support is implemented, read access\ninterruptions are only triggered at 
privilege levels 2 and 3. The\nkernel executes at privilege level 0, so __get_user() never triggers\na read access interruption (code 26). Thus, it is currently possible\nfor user code to access a read protected address via a system call.\n\nFix this by probing read access rights at privilege level 3 (PRIV_USER)\nand setting __gu_err to -EFAULT (-14) if access isn't allowed.\n\nNote the cmpiclr instruction does a 32-bit compare because COND macro\ndoesn't work inside asm.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28a9b71671fb4a2993ef85b8ef6f117ea63894fe","https://git.kernel.org/stable/c/4c981077255acc2ed5b3df6e8dd0125c81b626a9","https://git.kernel.org/stable/c/741b163e440683195b8fd4fc8495fcd0105c6ab7","https://git.kernel.org/stable/c/89f686a0fb6e473a876a9a60a13aec67a62b9a7e","https://git.kernel.org/stable/c/f410ef9a032caf98117256b22139c31342d7bb06","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39718","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Validate length in packet header before skb_put()\n\nWhen receiving a vsock packet in the guest, only the virtqueue buffer\nsize is validated prior to virtio_vsock_skb_rx_put(). 
Unfortunately,\nvirtio_vsock_skb_rx_put() uses the length from the packet header as the\nlength argument to skb_put(), potentially resulting in SKB overflow if\nthe host has gone wonky.\n\nValidate the length as advertised by the packet header before calling\nvirtio_vsock_skb_rx_put().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dab92484474587b82e8e0455839eaf5ac7bf894","https://git.kernel.org/stable/c/676f03760ca1d69c2470cef36c44dc152494b47c","https://git.kernel.org/stable/c/969b06bd8b7560efb100a34227619e7d318fbe05","https://git.kernel.org/stable/c/ee438c492b2e0705d819ac0e25d04fae758d8f8f","https://git.kernel.org/stable/c/faf332a10372390ce65d0b803888f4b25a388335","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39719","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: bno055: fix OOB access of hw_xlate array\n\nFix a potential out-of-bounds array access of the hw_xlate array in\nbno055.c.\n\nIn bno055_get_regmask(), hw_xlate was iterated over the length of the\nvals array instead of the length of the hw_xlate array. In the case of\nbno055_gyr_scale, the vals array is larger than the hw_xlate array,\nso this could result in an out-of-bounds access. 
In practice, this\nshouldn't happen though because a match should always be found which\nbreaks out of the for loop before it iterates beyond the end of the\nhw_xlate array.\n\nBy adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be\nsure we are iterating over the correct length.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/399b883ec828e436f1a721bf8551b4da8727e65b","https://git.kernel.org/stable/c/4808ca3aa30ae857454d0b41d2d0bf161a312b45","https://git.kernel.org/stable/c/50e823a23816b792daf6e8405f8d6045952bb90e","https://git.kernel.org/stable/c/5c2b601922c064f7be70ae8621277f18d1ffec59","https://git.kernel.org/stable/c/a0691ab6334f1769acc64ea9e319414a682ff45d","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39709","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: protect against spurious interrupts during probe\n\nMake sure the interrupt handler is initialized before the interrupt is\nregistered.\n\nIf the IRQ is registered before hfi_create(), it's possible that an\ninterrupt fires before the handler setup is complete, leading to a NULL\ndereference.\n\nThis error condition has been observed during system boot on 
Rb3Gen2.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18c2b2bd982b8546312c9a7895515672169f28e0","https://git.kernel.org/stable/c/3200144a2fa4209dc084a19941b9b203b43580f0","https://git.kernel.org/stable/c/37cc0ac889b018097c217c5929fd6dc2aed636a1","https://git.kernel.org/stable/c/639eb587f977c02423f4762467055b23902b4131","https://git.kernel.org/stable/c/88cf63c2599761c48dec8f618d57dccf8f6f4b53","https://git.kernel.org/stable/c/9db6a78bc5e418e0064e2248c8f3b9b9e8418646","https://git.kernel.org/stable/c/e796028b4835af00d9a38ebbb208ec3a6634702a","https://git.kernel.org/stable/c/f54be97bc69b1096198b6717c150dec69f2a1b4d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39710","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Add a check for packet size after reading from shared memory\n\nAdd a check to ensure that the packet size does not exceed the number of\navailable words after reading the packet header from shared memory. 
This\nensures that the size provided by the firmware is safe to process and\nprevents potential out-of-bounds memory access.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00011,"ranking_epss":0.01209,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0520c89f6280d2b60ab537d5743601185ee7d8ab","https://git.kernel.org/stable/c/2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c","https://git.kernel.org/stable/c/49befc830daa743e051a65468c05c2ff9e8580e6","https://git.kernel.org/stable/c/7638bae4539dcebc3f68fda74ac35d73618ec440","https://git.kernel.org/stable/c/ba567c2e52fbcf0e20502746bdaa79e911c2e8cf","https://git.kernel.org/stable/c/ef09b96665f16f3f0bac4e111160e6f24f1f8791","https://git.kernel.org/stable/c/f0cbd9386f974d310a0d20a02e4a1323e95ea654","https://git.kernel.org/stable/c/f5b7a943055a4a106d40a03bacd940e28cc1955f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39713","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n\nIn the interrupt handler rain_interrupt(), the buffer full check on\nrain->buf_len is performed before acquiring rain->buf_lock. This\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\nrain->buf_len is concurrently accessed and modified in the work\nhandler rain_irq_work_handler() under the same lock.\n\nMultiple interrupt invocations can race, with each reading buf_len\nbefore it becomes full and then proceeding. This can lead to both\ninterrupts attempting to write to the buffer, incrementing buf_len\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\n\nFix this bug by moving the spin_lock() to before the buffer full\ncheck. 
This ensures that the check and the subsequent buffer modification\nare performed atomically, preventing the race condition. A corresponding\nspin_unlock() is added to the overflow path to correctly release the\nlock.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00013,"ranking_epss":0.01912,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c2769dc80255824542ea5a4ff1a07dcdeb1603f","https://git.kernel.org/stable/c/2964dbe631fd21ad7873b1752b895548d3c12496","https://git.kernel.org/stable/c/3c3e33b7edca7a2d6a96801f287f9faeb684d655","https://git.kernel.org/stable/c/6aaef1a75985865d8c6c5b65fb54152060faba48","https://git.kernel.org/stable/c/7af160aea26c7dc9e6734d19306128cce156ec40","https://git.kernel.org/stable/c/ed905fe7cba03cf22ae0b84cf1b73cd1c070423a","https://git.kernel.org/stable/c/fbc81e78d75bf28972bc22b1599559557b1a1b83","https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39714","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen a program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn't adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of 
vb2_is_streaming]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9","https://git.kernel.org/stable/c/5427dda195d6baf23028196fd55a0c90f66ffa61","https://git.kernel.org/stable/c/7e40e0bb778907b2441bff68d73c3eb6b6cd319f","https://git.kernel.org/stable/c/9f886d21e235c4bd038cb20f6696084304197ab3","https://git.kernel.org/stable/c/c35e7c7a004ef379a1ae7c7486d4829419acad1d","https://git.kernel.org/stable/c/c3d75524e10021aa5c223d94da4996640aed46c0","https://git.kernel.org/stable/c/ee7bade8b9244834229b12b6e1e724939bedd484","https://git.kernel.org/stable/c/ef9b3c22405192afaa279077ddd45a51db90b83d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39715","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise gateway LWS calls to probe user read access\n\nWe use load and stbys,e instructions to trigger memory reference\ninterruptions without writing to memory. Because of the way read\naccess support is implemented, read access interruptions are only\ntriggered at privilege levels 2 and 3. The kernel and gateway\npage execute at privilege level 0, so this code never triggers\na read access interruption. 
Thus, it is currently possible for\nuser code to execute a LWS compare and swap operation at an\naddress that is read protected at privilege level 3 (PRIV_USER).\n\nFix this by probing read access rights at privilege level 3 and\nbranching to lws_fault if access isn't allowed.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8bccf47adbf658293528e86960e6d6f736b1c9f7","https://git.kernel.org/stable/c/9b6af875baba9c4679b55f4561e201485451305f","https://git.kernel.org/stable/c/bc0a24c24ceebabb5ba65900e332233d79e625e6","https://git.kernel.org/stable/c/e8b496c52aa0c6572d88db7cab85aeea6f9c194d","https://git.kernel.org/stable/c/f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39701","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: pfr_update: Fix the driver update version check\n\nThe security-version-number check should be used rather\nthan the runtime version check for driver updates.\n\nOtherwise, the firmware update would fail when the update binary had\na lower runtime version number than the current one.\n\n[ rjw: Changelog edits 
]","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/79300ff532bccbbf654992c7c0863b49a6c3973c","https://git.kernel.org/stable/c/8151320c747efb22d30b035af989fed0d502176e","https://git.kernel.org/stable/c/908094681f645d3a78e18ef90561a97029e2df7b","https://git.kernel.org/stable/c/b00219888c11519ef75d988fa8a780da68ff568e","https://git.kernel.org/stable/c/cf0a88124e357bffda487cbf3cb612bb97eb97e4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39702","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00024,"ranking_epss":0.06339,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3b348c9c8d2ca2c67559ffd0e258ae7e1107d4f0","https://git.kernel.org/stable/c/3ddd55cf19ed6cc62def5e3af10c2a9df1b861c3","https://git.kernel.org/stable/c/86b6d34717fe0570afce07ee79b8eeb40341f831","https://git.kernel.org/stable/c/a458b2902115b26a25d67393b12ddd57d1216aaa","https://git.kernel.org/stable/c/b3967c493799e63f648e9c7b6cb063aa2aed04e7","https://git.kernel.org/stable/c/f7878d47560d61e3f370aca3cebb8f42a55b990a","https://git.kernel.org/stable/c/ff55a452d56490047f5233cc48c5d933f8586884","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39703","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet, hsr: reject HSR frame if skb can't hold 
tag\n\nReceiving HSR frame with insufficient space to hold HSR tag in the skb\ncan result in a crash (kernel BUG):\n\n[   45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1\n[   45.392559] ------------[ cut here ]------------\n[   45.392912] kernel BUG at net/core/skbuff.c:211!\n[   45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)\n[   45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   45.395273] RIP: 0010:skb_panic+0x15b/0x1d0\n\n<snip registers, remove unreliable trace>\n\n[   45.402911] Call Trace:\n[   45.403105]  <IRQ>\n[   45.404470]  skb_push+0xcd/0xf0\n[   45.404726]  br_dev_queue_push_xmit+0x7c/0x6c0\n[   45.406513]  br_forward_finish+0x128/0x260\n[   45.408483]  __br_forward+0x42d/0x590\n[   45.409464]  maybe_deliver+0x2eb/0x420\n[   45.409763]  br_flood+0x174/0x4a0\n[   45.410030]  br_handle_frame_finish+0xc7c/0x1bc0\n[   45.411618]  br_handle_frame+0xac3/0x1230\n[   45.413674]  __netif_receive_skb_core.constprop.0+0x808/0x3df0\n[   45.422966]  __netif_receive_skb_one_core+0xb4/0x1f0\n[   45.424478]  __netif_receive_skb+0x22/0x170\n[   45.424806]  process_backlog+0x242/0x6d0\n[   45.425116]  __napi_poll+0xbb/0x630\n[   45.425394]  net_rx_action+0x4d1/0xcc0\n[   45.427613]  handle_softirqs+0x1a4/0x580\n[   45.427926]  do_softirq+0x74/0x90\n[   45.428196]  </IRQ>\n\nThis issue was found by syzkaller.\n\nThe panic happens in br_dev_queue_push_xmit() once it receives a\ncorrupted skb with ETH header already pushed in linear data. 
When it\nattempts the skb_push() call, there's not enough headroom and\nskb_push() panics.\n\nThe corrupted skb is put on the queue by HSR layer, which makes a\nsequence of unintended transformations when it receives a specific\ncorrupted HSR frame (with incomplete TAG).\n\nFix it by dropping and consuming frames that are not long enough to\ncontain both ethernet and hsr headers.\n\nAlternative fix would be to check for enough headroom before skb_push()\nin br_dev_queue_push_xmit().\n\nIn the reproducer, this is injected via AF_PACKET, but I don't easily\nsee why it couldn't be sent over the wire from adjacent network.\n\nFurther Details:\n\nIn the reproducer, the following network interface chain is set up:\n\n┌────────────────┐   ┌────────────────┐\n│ veth0_to_hsr   ├───┤  hsr_slave0    ┼───┐\n└────────────────┘   └────────────────┘   │\n                                          │ ┌──────┐\n                                          ├─┤ hsr0 ├───┐\n                                          │ └──────┘   │\n┌────────────────┐   ┌────────────────┐   │            │┌────────┐\n│ veth1_to_hsr   ┼───┤  hsr_slave1    ├───┘            └┤        │\n└────────────────┘   └────────────────┘                ┌┼ bridge │\n                                                       ││        │\n                                                       │└────────┘\n                                                       │\n                                        ┌───────┐      │\n                                        │  ...  
├──────┘\n                                        └───────┘\n\nTo trigger the events leading up to crash, reproducer sends a corrupted\nHSR fr\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3ae272ab523dd6bdc26e879027ed79feac9dd1b3","https://git.kernel.org/stable/c/61009439e4bd8d74e705ee15940760321be91d8a","https://git.kernel.org/stable/c/7af76e9d18a9fd6f8611b3313c86c190f9b6a5a7","https://git.kernel.org/stable/c/8d9bc4a375a1ba05f7dfa0407de8e510ab9bd14d","https://git.kernel.org/stable/c/acd69b597bd3f76d3b3d322b84082226c00eeaa4","https://git.kernel.org/stable/c/b117c41b00902c1a7e24347c405cb82504aeae0b","https://git.kernel.org/stable/c/b640188b8a6690e685939053c7efdbc7818b5f4e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39706","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Destroy KFD debugfs after destroy KFD wq\n\nSince KFD proc content was moved to kernel debugfs, we can't destroy KFD\ndebugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior\nto kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens\nwhen /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but\nkfd_process_destroy_wq calls kfd_debugfs_remove_process. This line\n    debugfs_remove_recursive(entry->proc_dentry);\ntries to remove /sys/kernel/debug/kfd/proc/<pid> while\n/sys/kernel/debug/kfd is already gone. 
It hangs the kernel by kernel\nNULL pointer.\n\n(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e58401a24e7b2d4ec619104e1a76590c1284a4c","https://git.kernel.org/stable/c/74ee7445c3b61c3bd899a54bd82c1982cb3a8206","https://git.kernel.org/stable/c/910735ded17cc306625e7e1cdcc8102f7ac60994","https://git.kernel.org/stable/c/96609a51e6134542bf90e053c2cd2fe4f61ebce3","https://git.kernel.org/stable/c/fc35c955da799ba62f6f977d58e0866d0251e3f8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39693","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid a NULL pointer dereference\n\n[WHY]\nAlthough unlikely drm_atomic_get_new_connector_state() or\ndrm_atomic_get_old_connector_state() can return NULL.\n\n[HOW]\nCheck returns before dereference.\n\n(cherry picked from commit 
1e5e8d672fec9f2ab352be121be971877bff2af9)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07b93a5704b0b72002f0c4bd1076214af67dc661","https://git.kernel.org/stable/c/0c1a486cbe6f9cb194e3c4a8ade4af2a642ba165","https://git.kernel.org/stable/c/36a6b43573d152736eaf2557fe60580dd73e9350","https://git.kernel.org/stable/c/6f860abff89417c0354b6ee5bbca188a233c5762","https://git.kernel.org/stable/c/9c92d12b5cb9d9d88c12ae71794d3a7382fcdec0","https://git.kernel.org/stable/c/f653dd30839eb4f573a7539e90b8a58ff9bedf2f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39694","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix SCCB present check\n\nTracing code called by the SCLP interrupt handler contains early exits\nif the SCCB address associated with an interrupt is NULL. This check is\nperformed after physical to virtual address translation.\n\nIf the kernel identity mapping does not start at address zero, the\nresulting virtual address is never zero, so that the NULL checks won't\nwork. 
Subsequently this may result in incorrect accesses to the first\npage of the identity mapping.\n\nFix this by introducing a function that handles the NULL case before\naddress translation.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/430fa71027b6ac9bb0ce5532b8d0676777d4219a","https://git.kernel.org/stable/c/61605c847599fbfdfafe638607841c7d73719081","https://git.kernel.org/stable/c/86c2825791c3836a8f77a954b9c5ebe6fab410c5","https://git.kernel.org/stable/c/aa5073ac1a2a274812f3b04c278992e68ff67cc7","https://git.kernel.org/stable/c/bf83ae3537359af088d6577812ed93113dfbcb7b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39697","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn't\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let's take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in 
nfs_inode_remove_request().","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00013,"ranking_epss":0.01912,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ff42a32784e0f2cb46a46da8e9f473538c13e1b","https://git.kernel.org/stable/c/181feb41f0b268e6288bf9a7b984624d7fe2031d","https://git.kernel.org/stable/c/202a3432d21ac060629a760fff3b0a39859da3ea","https://git.kernel.org/stable/c/76d2e3890fb169168c73f2e4f8375c7cc24a765e","https://git.kernel.org/stable/c/92278ae36935a54e65fef9f8ea8efe7e80481ace","https://git.kernel.org/stable/c/c32e3c71aaa1c1ba05da88605e2ddd493c58794f","https://git.kernel.org/stable/c/f230d40147cc37eb3aef4d50e2e2c06ea73d9a77","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39684","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`).  For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned.  The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak.  There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler.  
For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver.  It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.03906,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb","https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a","https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a","https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc","https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743","https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39685","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl726: Prevent invalid irq number\n\nThe reproducer passed in an irq number(0x80008000) that was too large,\nwhich triggered the oob.\n\nAdded an interrupt number check to prevent users from passing in an irq\nnumber that was too large.\n\nIf `it->options[1]` is 31, then `1 << it->options[1]` is still invalid\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\nPossible solutions include reducing the upper bound 
on the\n`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.\n\nThe old code would just not attempt to request the IRQ if the\n`options[1]` value were invalid.  And it would still configure the\ndevice without interrupts even if the call to `request_irq` returned an\nerror.  So it would be better to combine this test with the test below.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0eb4ed2aa261dee228f1668dbfa6d87353e8162d","https://git.kernel.org/stable/c/5a33d07c94ba91306093e823112a7aa9727549f6","https://git.kernel.org/stable/c/96cb948408b3adb69df7e451ba7da9d21f814d00","https://git.kernel.org/stable/c/a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6","https://git.kernel.org/stable/c/bab220b0bb5af652007e278e8e8357f952b0e1ea","https://git.kernel.org/stable/c/d8992c9a01f81128f36acb7c5755530e21fcd059","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39686","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn->n samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample.  
For `INSN_READ`, the comedi core will\ncopy `insn->n` samples back to user-space.  (That triggered KASAN\nkernel-infoleak errors when `insn->n` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn->n` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66","https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930","https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0","https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44","https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b","https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39687","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: as73211: Ensure buffer holes are zeroed\n\nGiven that the buffer is copied to a kfifo that ultimately user space\ncan read, ensure we zero 
it.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/433b99e922943efdfd62b9a8e3ad1604838181f2","https://git.kernel.org/stable/c/83f14c4ca1ad78fcfb3e0de07d6d8a0c59550fc2","https://git.kernel.org/stable/c/8acd9a0eaa8c9a28e385c0a6a56bb821cb549771","https://git.kernel.org/stable/c/99b508340d0d1b9de0856c48c77898b14c0df7cf","https://git.kernel.org/stable/c/cce55ca4e7a221d5eb2c0b757a868eacd6344e4a","https://git.kernel.org/stable/c/d8c5d87a431596e0e02bd7fe3bff952b002a03bb","https://git.kernel.org/stable/c/fd441fd972067f80861a0b66605c0febb0d038dd","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39689","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. 
This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn't have to differentiate when to free the\niterator's hash between writers and readers.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12064e1880fc9202be75ff668205b1703d92f74f","https://git.kernel.org/stable/c/3b114a3282ab1a12cb4618a8f45db5d7185e784a","https://git.kernel.org/stable/c/64db338140d2bad99a0a8c6a118dd60b3e1fb8cb","https://git.kernel.org/stable/c/a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309","https://git.kernel.org/stable/c/bfb336cf97df7b37b2b2edec0f69773e06d11955","https://git.kernel.org/stable/c/c4cd93811e038d19f961985735ef7bb128078dfb","https://git.kernel.org/stable/c/c591ba1acd081d4980713e47869dd1cc3d963d19","https://git.kernel.org/stable/c/e0b6b223167e1edde5c82edf38e393c06eda1f13","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39691","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: fix use-after-free when call bh_read() helper\n\nThere's issue as follows:\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb4/0x270\n kasan_report+0xb8/0xf0\n end_buffer_read_sync+0xe3/0x110\n end_bio_bh_io_sync+0x56/0x80\n blk_update_request+0x30a/0x720\n scsi_end_request+0x51/0x2b0\n scsi_io_completion+0xe3/0x480\n ? 
scsi_device_unbusy+0x11e/0x160\n blk_complete_reqs+0x7b/0x90\n handle_softirqs+0xef/0x370\n irq_exit_rcu+0xa5/0xd0\n sysvec_apic_timer_interrupt+0x6e/0x90\n </IRQ>\n\n Above issue happens when do ntfs3 filesystem mount, issue may happens\n as follows:\n           mount                            IRQ\nntfs_fill_super\n  read_cache_page\n    do_read_cache_folio\n      filemap_read_folio\n        mpage_read_folio\n\t do_mpage_readpage\n\t  ntfs_get_block_vbo\n\t   bh_read\n\t     submit_bh\n\t     wait_on_buffer(bh);\n\t                            blk_complete_reqs\n\t\t\t\t     scsi_io_completion\n\t\t\t\t      scsi_end_request\n\t\t\t\t       blk_update_request\n\t\t\t\t        end_bio_bh_io_sync\n\t\t\t\t\t end_buffer_read_sync\n\t\t\t\t\t  __end_buffer_read_notouch\n\t\t\t\t\t   unlock_buffer\n\n            wait_on_buffer(bh);--> return will return to caller\n\n\t\t\t\t\t  put_bh\n\t\t\t\t\t    --> trigger stack-out-of-bounds\nIn the mpage_read_folio() function, the stack variable 'map_bh' is\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\nwait_on_buffer() returns to continue processing, the stack variable\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\nprocess, calling put_bh() may result in stack overrun.\n\nIf the bh is not allocated on the stack, it belongs to a folio.  Freeing\na buffer head which belongs to a folio is done by drop_buffers() which\nwill fail to free buffers which are still locked.  
So it is safe to call\nput_bh() before __end_buffer_read_notouch().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03b40bf5d0389ca23ae6857ee25789f0e0b47ce8","https://git.kernel.org/stable/c/042cf48ecf67f72c8b3846c7fac678f472712ff3","https://git.kernel.org/stable/c/3169edb8945c295cf89120fc6b2c35cfe3ad4c9e","https://git.kernel.org/stable/c/70a09115da586bf662c3bae9c0c4a1b99251fad9","https://git.kernel.org/stable/c/7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49","https://git.kernel.org/stable/c/90b5193edb323fefbee0e4e5bc39ed89dcc37719","https://git.kernel.org/stable/c/c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4","https://git.kernel.org/stable/c/c5aa6ba1127307ab5dc3773eaf40d73a3423841f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39692","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()\n\nWe can't call destroy_workqueue(smb_direct_wq); before stop_sessions()!\n\nOtherwise already existing connections try to use smb_direct_wq as\na NULL 
pointer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/003e6a3150299f681f34cb189aa068018cef6a45","https://git.kernel.org/stable/c/212eb86f75b4d7b82f3d94aed95ba61103bccb93","https://git.kernel.org/stable/c/524e90e58a267dad11e23351d9e4b1f941490976","https://git.kernel.org/stable/c/bac7b996d42e458a94578f4227795a0d4deef6fa","https://git.kernel.org/stable/c/e41e33400516702427603f8fbbec43c91ede09c0","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39681","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n  923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn't put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n  [ bp: Massage commit message. 
]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/62f12cde10118253348a7540e85606869bd69432","https://git.kernel.org/stable/c/7207923d8453ebfb35667c1736169f2dd796772e","https://git.kernel.org/stable/c/873f32201df8876bdb2563e3187e79149427cab4","https://git.kernel.org/stable/c/a9e5924daa954c9f585c1ca00358afe71d6781c4","https://git.kernel.org/stable/c/d23264c257a70dbe021b43b3bc2ee16134cd2c69","https://git.kernel.org/stable/c/d8df126349dad855cdfedd6bbf315bad2e901c2f","https://git.kernel.org/stable/c/fb81222c1559f89bfe3aa1010f6d112531d55353","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39682","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don't know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don't have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. 
The corner case\nwe missed is when the initial record comes from rx_list, and it's\nzero length.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":8e-05,"ranking_epss":0.00791,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f","https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e","https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9","https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843","https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39683","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser->buffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.\nThen an OOB access will be 
triggered in ftrace_regex_release->\nftrace_process_regex->strsep->strpbrk. We can solve this problem by\nlimiting access to parser->buffer when trace_get_user failed.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3079517a5ba80901fe828a06998da64b9b8749be","https://git.kernel.org/stable/c/418b448e1d7470da9d4d4797f71782595ee69c49","https://git.kernel.org/stable/c/41b838420457802f21918df66764b6fbf829d330","https://git.kernel.org/stable/c/58ff8064cb4c7eddac4da1a59da039ead586950a","https://git.kernel.org/stable/c/6a909ea83f226803ea0e718f6e88613df9234d58","https://git.kernel.org/stable/c/b842ef39c2ad6156c13afdec25ecc6792a9b67b9","https://git.kernel.org/stable/c/d0c68045b8b0f3737ed7bd6b8c83b7887014adee","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39673","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix race conditions in ppp_fill_forward_path\n\nppp_fill_forward_path() has two race conditions:\n\n1. The ppp->channels list can change between list_empty() and\n   list_first_entry(), as ppp_lock() is not held. If the only channel\n   is deleted in ppp_disconnect_channel(), list_first_entry() may\n   access an empty head or a freed entry, and trigger a panic.\n\n2. pch->chan can be NULL. 
When ppp_unregister_channel() is called,\n   pch->chan is set to NULL before pch is removed from ppp->channels.\n\nFix these by using a lockless RCU approach:\n- Use list_first_or_null_rcu() to safely test and access the first list\n  entry.\n- Convert list modifications on ppp->channels to their RCU variants and\n  add synchronize_net() after removal.\n- Check for a NULL pch->chan before dereferencing it.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00013,"ranking_epss":0.02173,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0417adf367a0af11adf7ace849af4638cfb573f7","https://git.kernel.org/stable/c/0f1630be6fcca3f0c63e4b242ad202e5cde28a40","https://git.kernel.org/stable/c/94731cc551e29511d85aa8dec61a6c071b1f2430","https://git.kernel.org/stable/c/9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7","https://git.kernel.org/stable/c/ca18d751bcc9faf5b7e82e9fae1223d103928181","https://git.kernel.org/stable/c/f97f6475fdcb3c28ff3c55cc4b7bde632119ec08","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39675","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()\n\nThe function mod_hdcp_hdcp1_create_session() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference.\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.\n\nThis is similar to the commit c3e9826a2202\n(\"drm/amd/display: Add null pointer check for get_first_active_display()\").\n\n(cherry picked from commit 
5e43eb3cd731649c4f8b9134f857be62a416c893)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2af45aadb7b5d3852c76e2d1e985289ada6f48bf","https://git.kernel.org/stable/c/2ee86b764c54e0d6a5464fb023b630fdf20869cd","https://git.kernel.org/stable/c/7a2ca2ea64b1b63c8baa94a8f5deb70b2248d119","https://git.kernel.org/stable/c/857b8387a9777e42b36e0400be99b54c251eaf9a","https://git.kernel.org/stable/c/97fc94c5fd3c6ac5a13e457d38ee247737b8c4bd","https://git.kernel.org/stable/c/ee0373b20bb67b1f00a1b25ccd24c8ac996b6446","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-39676","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Prevent a potential error pointer dereference\n\nThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,\nbut qla4xxx_ep_connect() returns error pointers.  
Propagating the error\npointers will lead to an Oops in the caller, so change the error pointers\nto NULL.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/325bf7d57c4e2a341e381c5805e454fb69dd78c3","https://git.kernel.org/stable/c/46288d12d1c30d08fbeffd05abc079f57a43a2d4","https://git.kernel.org/stable/c/9dcf111dd3e7ed5fce82bb108e3a3fc001c07225","https://git.kernel.org/stable/c/ad8a9d38d30c691a77c456e72b78f7932d4f234d","https://git.kernel.org/stable/c/d0225f41ee70611ca88ccb22c8542ecdfa7faea8","https://git.kernel.org/stable/c/f1424c830d6ce840341aac33fe99c8ac45447ac1","https://git.kernel.org/stable/c/f4bc3cdfe95115191e24592bbfc15f1d4a705a75","https://git.kernel.org/stable/c/f5ad0819f902b4b33591791b92a0350fb3692a6b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38732","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject: don't leak dst refcount for loopback packets\n\nrecent patches to add a WARN() when replacing skb dst entry found an\nold bug:\n\nWARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]\nWARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]\nWARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234\n[..]\nCall Trace:\n nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325\n nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27\n expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]\n ..\n\nThis is because blamed commit forgot about loopback packets.\nSuch packets already have a dst_entry attached, 
even at PRE_ROUTING stage.\n\nInstead of checking hook just check if the skb already has a route\nattached to it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/51e8531371f90bee742c63775c9a568e5d6bf3c5","https://git.kernel.org/stable/c/7b8b503c06274ef3c6c1a107743f1ec0d0a53ef8","https://git.kernel.org/stable/c/82ef97abf22790182f7d433c74960dfd61b99c33","https://git.kernel.org/stable/c/91a79b792204313153e1bdbbe5acbfc28903b3a5","https://git.kernel.org/stable/c/a0a3ace2a57887dac1e7c9a724846040c3e31868","https://git.kernel.org/stable/c/b32e1590a8d22cf7d7f965e46d5576051acf8e42","https://git.kernel.org/stable/c/b7a885ba25960c91db237c3f83b4285156789bce","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38735","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngve: prevent ethtool ops after shutdown\n\nA crash can occur if an ethtool operation is invoked\nafter shutdown() is called.\n\nshutdown() is invoked during system shutdown to stop DMA operations\nwithout performing expensive deallocations. It is discouraged to\nunregister the netdev in this path, so the device may still be visible\nto userspace and kernel helpers.\n\nIn gve, shutdown() tears down most internal data structures. If an\nethtool operation is dispatched after shutdown(), it will dereference\nfreed or NULL pointers, leading to a kernel panic. 
While graceful\nshutdown normally quiesces userspace before invoking the reboot\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\nthis path.\n\nFix by calling netif_device_detach() in shutdown().\nThis marks the device as detached so the ethtool ioctl handler\nwill skip dispatching operations to the driver.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/48a4e89d50e8ea52e800bc7865970b92fcf4647c","https://git.kernel.org/stable/c/75a9a46d67f46d608205888f9b34e315c1786345","https://git.kernel.org/stable/c/9d8a41e9a4ff83ff666de811e7f012167cdc00e9","https://git.kernel.org/stable/c/a7efffeecb881b4649fdc30de020ef910f35d646","https://git.kernel.org/stable/c/ba51d73408edf815cbaeab148625576c2dd90192","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38736","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: Fix PHY address mask in MDIO bus initialization\n\nSyzbot reported shift-out-of-bounds exception on MDIO bus initialization.\n\nThe PHY address should be masked to 5 bits (0-31). 
Without this\nmask, invalid PHY addresses could be used, potentially causing issues\nwith MDIO bus operations.\n\nFix this by masking the PHY address with 0x1f (31 decimal) to ensure\nit stays within the valid range.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22042ffedd8c2c6db08ccdd6d4273068eddd3c5c","https://git.kernel.org/stable/c/24ef2f53c07f273bad99173e27ee88d44d135b1c","https://git.kernel.org/stable/c/523eab02fce458fa6d3c51de5bb055800986953e","https://git.kernel.org/stable/c/748da80831221ae24b4bc8d7ffb22acd5712a341","https://git.kernel.org/stable/c/8f141f2a4f2ef8ca865d5921574c3d6535e00a49","https://git.kernel.org/stable/c/fcb4ce9f729c1d08e53abf9d449340e24c3edee6","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-05T18:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38729","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 power domain descriptors, too\n\nUAC3 power domain descriptors need to be verified with its variable\nbLength for avoiding the unexpected OOB accesses by malicious\nfirmware, 
too.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc","https://git.kernel.org/stable/c/1666207ba0a5973735ef010812536adde6174e81","https://git.kernel.org/stable/c/29b415ec09f5b9d1dfa2423b826725a8c8796b9a","https://git.kernel.org/stable/c/40714daf4d0448e1692c78563faf0ed0f9d9b5c7","https://git.kernel.org/stable/c/452ad54f432675982cc0d6eb6c40a6c86ac61dbd","https://git.kernel.org/stable/c/cd08d390d15b204cac1d3174f5f149a20c52e61a","https://git.kernel.org/stable/c/d832ccbc301fbd9e5a1d691bdcf461cdb514595f","https://git.kernel.org/stable/c/ebc9e06b6ea978a20abf9b87d41afc51b2d745ac","https://git.kernel.org/stable/c/f03418bb9d542f44df78eec2eff4ac83c0a8ac0d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38723","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Fix jump offset calculation in tailcall\n\nThe extra pass of bpf_int_jit_compile() skips JIT context initialization\nwhich essentially skips offset calculation leaving out_offset = -1, so\nthe jmp_offset in emit_bpf_tail_call is calculated by\n\n\"#define jmp_offset (out_offset - (cur_offset))\"\n\nis a negative number, which is wrong. 
The final generated assembly are\nas follow.\n\n54:\tbgeu        \t$a2, $t1, -8\t    # 0x0000004c\n58:\taddi.d      \t$a6, $s5, -1\n5c:\tbltz        \t$a6, -16\t    # 0x0000004c\n60:\talsl.d      \t$t2, $a2, $a1, 0x3\n64:\tld.d        \t$t2, $t2, 264\n68:\tbeq         \t$t2, $zero, -28\t    # 0x0000004c\n\nBefore apply this patch, the follow test case will reveal soft lock issues.\n\ncd tools/testing/selftests/bpf/\n./test_progs --allow=tailcalls/tailcall_bpf2bpf_1\n\ndmesg:\nwatchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17c010fe45def335fe03a0718935416b04c7f349","https://git.kernel.org/stable/c/1a782fa32e644aa9fbae6c8488f3e61221ac96e1","https://git.kernel.org/stable/c/9262e3e04621558e875eb5afb5e726b648cd5949","https://git.kernel.org/stable/c/cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3","https://git.kernel.org/stable/c/f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f","https://git.kernel.org/stable/c/f83d469e16bb1f75991ca67c56786fb2aaa42bea","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38724","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. 
If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0002,"ranking_epss":0.05264,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1","https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3","https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d","https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1","https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306","https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68","https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b","https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772","https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38725","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: add phy_mask for ax88772 mdio bus\n\nWithout setting phy_mask for ax88772 mdio bus, current driver may create\nat most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.\nDLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy\ndevice will bind to net phy driver. This is creating issue during system\nsuspend/resume since phy_polling_mode() in phy_state_machine() will\ndirectly deference member of phydev->drv for non-main phy devices. Then\nNULL pointer dereference issue will occur. 
Due to only external phy or\ninternal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud\nthe issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4faff70959d51078f9ee8372f8cff0d7045e4114","https://git.kernel.org/stable/c/59ed6fbdb1bc03316e09493ffde7066f031c7524","https://git.kernel.org/stable/c/75947d3200de98a9ded9ad8972e02f1a177097fe","https://git.kernel.org/stable/c/a754ab53993b1585132e871c5d811167ad3c52ff","https://git.kernel.org/stable/c/ad1f8313aeec0115f9978bd2d002ef4a8d96c773","https://git.kernel.org/stable/c/ccef5ee4adf56472aa26bdd1f821a6d0cd06089a","https://git.kernel.org/stable/c/ee2cd40b0bb46056949a2319084a729d95389386","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38727","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket's read memory allocation\nconstraints. Firstly, it has:\n\n  rmem < READ_ONCE(sk->sk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket's receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)\n\nThe checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is\nequal to sk->sk_rcvbuf. 
Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n  rcu: INFO: rcu_sched self-detected stall on CPU\n  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n  (t=26000 jiffies g=230833 q=259957)\n  NMI backtrace for cpu 0\n  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n  Call Trace:\n  <IRQ>\n  dump_stack lib/dump_stack.c:120\n  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n  update_process_times kernel/time/timer.c:1953\n  tick_sched_handle kernel/time/tick-sched.c:227\n  tick_sched_timer kernel/time/tick-sched.c:1399\n  __hrtimer_run_queues kernel/time/hrtimer.c:1652\n  hrtimer_interrupt kernel/time/hrtimer.c:1717\n  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n  </IRQ>\n\n  netlink_attachskb net/netlink/af_netlink.c:1234\n  netlink_unicast net/netlink/af_netlink.c:1349\n  kauditd_send_queue kernel/audit.c:776\n  kauditd_thread kernel/audit.c:897\n  kthread kernel/kthread.c:328\n  ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center 
(linuxtesting.org).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01245,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929","https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0","https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922","https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2","https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859","https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4","https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e","https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71","https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38728","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix for slab out of bounds on mount to ksmbd\n\nWith KASAN enabled, it is possible to get a slab out of bounds\nduring mount to ksmbd due to missing check in parse_server_interfaces()\n(see below):\n\n BUG: KASAN: slab-out-of-bounds in\n parse_server_interfaces+0x14ee/0x1880 [cifs]\n Read of size 4 at addr ffff8881433dba98 by task mount/9827\n\n CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G\n OE       6.16.0-rc2-kasan #2 PREEMPT(voluntary)\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,\n BIOS 2.13.1 06/14/2019\n Call Trace:\n  <TASK>\n dump_stack_lvl+0x9f/0xf0\n print_report+0xd1/0x670\n __virt_addr_valid+0x22c/0x430\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? kasan_complete_mode_report_info+0x2a/0x1f0\n ? 
parse_server_interfaces+0x14ee/0x1880 [cifs]\n   kasan_report+0xd6/0x110\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\n   __asan_report_load_n_noabort+0x13/0x20\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]\n ? trace_hardirqs_on+0x51/0x60\n SMB3_request_interfaces+0x1ad/0x3f0 [cifs]\n ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]\n ? SMB2_tcon+0x23c/0x15d0 [cifs]\n smb3_qfs_tcon+0x173/0x2b0 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n cifs_mount_get_tcon+0x369/0xb90 [cifs]\n ? dfs_cache_find+0xe7/0x150 [cifs]\n dfs_mount_share+0x985/0x2970 [cifs]\n ? check_path.constprop.0+0x28/0x50\n ? save_trace+0x54/0x370\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? __lock_acquire+0xb82/0x2ba0\n ? __kasan_check_write+0x18/0x20\n cifs_mount+0xbc/0x9e0 [cifs]\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? 
cifs_setup_cifs_sb+0x29d/0x810 [cifs]\n cifs_smb3_do_mount+0x263/0x1990 [cifs]","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7d34ec36abb84fdfb6632a0f2cbda90379ae21fc","https://git.kernel.org/stable/c/8de33d4d72e8fae3502ec3850bd7b14e7c7328b6","https://git.kernel.org/stable/c/9bdb8e98a0073c73ab3e6c631ec78877ceb64565","https://git.kernel.org/stable/c/a0620e1525663edd8c4594f49fb75fe5be4724b0","https://git.kernel.org/stable/c/a542f93a123555d09c3ce8bc947f7b56ad8e6463","https://git.kernel.org/stable/c/f6eda5b0e8f8123564c5b34f5801d63243032eac","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38718","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: linearize cloned gso packets in sctp_rcv\n\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. 
It's not safe to access these frag skbs.\n\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\n\n  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\n   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\n   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n   __release_sock+0x1da/0x330 net/core/sock.c:3106\n   release_sock+0x6b/0x250 net/core/sock.c:3660\n   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\n   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\n   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\n   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n\nand\n\n  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\n   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n   __release_sock+0x1d3/0x330 net/core/sock.c:3213\n   release_sock+0x6b/0x270 net/core/sock.c:3767\n   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\n   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\n   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\n   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:712 [inline]\n\nThis patch fixes it by linearizing cloned gso packets in 
sctp_rcv().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.0642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5","https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e","https://git.kernel.org/stable/c/4506bcaabe004d07be8ff09116a3024fbd6aa965","https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770","https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb","https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5","https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139","https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250","https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-09-04T16:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38721","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n      if (res < 0) {\n                nf_conntrack_get(&ct->ct_general); // HERE\n                cb->args[1] = (unsigned long)ct;\n                ...\n\nWhile its very unlikely, its possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nkeeps prevents cnet->count from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in 
nf_conntrack_cleanup_net_list.\n\nOne fix would to change this to:\n        if (res < 0) {\n\t\tif (ct != last)\n\t                nf_conntrack_get(&ct->ct_general);\n\nBut this reference counting isn't needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a 'skip hint', not the actual\nobject so we can apply the same cookie strategy there as well.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19b909a4b1452fb97e477d2f08b97f8d04095619","https://git.kernel.org/stable/c/30cf811058552b8cd0e98dff677ef3f89d6d34ce","https://git.kernel.org/stable/c/41462f4cfc583513833f87f9ee55d12da651a7e3","https://git.kernel.org/stable/c/586892e341fbf698e7cbaca293e1353957db725a","https://git.kernel.org/stable/c/962518c6ca9f9a13df099cafa429f72f68ad61f0","https://git.kernel.org/stable/c/a2cb4df7872de069f809de2f076ec8e54d649fe3","https://git.kernel.org/stable/c/a62d6aa3f31f216b637a4c71b7a8bfc7c57f049b","https://git.kernel.org/stable/c/de788b2e6227462b6dcd0e07474e72c089008f74","https://git.kernel.org/stable/c/e14f72aa66c029db106921d621edcedef68e065b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38711","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: avoid deadlock when linking with ReplaceIfExists\n\nIf smb2_create_link() is called with ReplaceIfExists set and the name\ndoes exist then a deadlock will happen.\n\nksmbd_vfs_kern_path_locked() will return with success and the parent\ndirectory will be locked.  
ksmbd_vfs_remove_file() will then remove the\nfile.  ksmbd_vfs_link() will then be called while the parent is still\nlocked.  It will try to lock the same parent and will deadlock.\n\nThis patch moves the ksmbd_vfs_kern_path_unlock() call to *before*\nksmbd_vfs_link() and then simplifies the code, removing the file_present\nflag variable.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02173,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e858a7a51c7b8b009d8f246de7ceb7743b44a71","https://git.kernel.org/stable/c/814cfdb6358d9b84fcbec9918c8f938cc096a43a","https://git.kernel.org/stable/c/9d5012ffe14120f978ee34aef4df3d6cb026b7c4","https://git.kernel.org/stable/c/a726fef6d7d4cfc365d3434e3916dbfe78991a33","https://git.kernel.org/stable/c/a7dddd62578c2eb6cb28b8835556a121b5157323","https://git.kernel.org/stable/c/ac98d54630d5b52e3f684d872f0d82c06c418ea9","https://git.kernel.org/stable/c/d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38712","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()\n\nWhen the volume header contains erroneous values that do not reflect\nthe actual state of the filesystem, hfsplus_fill_super() assumes that\nthe attributes file is not yet created, which later results in hitting\nBUG_ON() when hfsplus_create_attributes_file() is called. 
Replace this\nBUG_ON() with -EIO error with a message to suggest running fsck tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02477,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03cd1db1494cf930e2fa042c9c13e32bffdb4eba","https://git.kernel.org/stable/c/1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6","https://git.kernel.org/stable/c/9046566fa692f88954dac8c510f37ee17a15fdb7","https://git.kernel.org/stable/c/b3359392b75395a31af739a761f48f4041148226","https://git.kernel.org/stable/c/bb0eea8e375677f586ad11c12e2525ed3fc698c2","https://git.kernel.org/stable/c/c7c6363ca186747ebc2df10c8a1a51e66e0e32d9","https://git.kernel.org/stable/c/ce5e387f396cbb5c061d9837abcac731e9e06f4d","https://git.kernel.org/stable/c/d768e3ed430e89a699bf89d3214dcbbf4648c939","https://git.kernel.org/stable/c/dee5c668ad71ddbcb4b48d95e8a4f371314ad41d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38713","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nThe hfsplus_readdir() method is capable to crash by calling\nhfsplus_uni2asc():\n\n[  667.121659][ T9805] ==================================================================\n[  667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10\n[  667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805\n[  667.124578][ T9805]\n[  667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)\n[  667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  667.124890][ T9805] Call Trace:\n[  667.124893][ T9805]  <TASK>\n[  667.124896][ 
T9805]  dump_stack_lvl+0x10e/0x1f0\n[  667.124911][ T9805]  print_report+0xd0/0x660\n[  667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610\n[  667.124928][ T9805]  ? __phys_addr+0xe8/0x180\n[  667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124942][ T9805]  kasan_report+0xc6/0x100\n[  667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10\n[  667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360\n[  667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0\n[  667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10\n[  667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0\n[  667.125008][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0\n[  667.125022][ T9805]  ? lock_acquire+0x30/0x80\n[  667.125029][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0\n[  667.125044][ T9805]  ? putname+0x154/0x1a0\n[  667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10\n[  667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0\n[  667.125069][ T9805]  iterate_dir+0x296/0xb20\n[  667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10\n[  667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200\n[  667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10\n[  667.125134][ T9805]  ? 
do_user_addr_fault+0x7fe/0x12f0\n[  667.125143][ T9805]  do_syscall_64+0xc9/0x480\n[  667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9\n[  667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48\n[  667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9\n[  667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9\n[  667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004\n[  667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110\n[  667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260\n[  667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  667.125207][ T9805]  </TASK>\n[  667.125210][ T9805]\n[  667.145632][ T9805] Allocated by task 9805:\n[  667.145991][ T9805]  kasan_save_stack+0x20/0x40\n[  667.146352][ T9805]  kasan_save_track+0x14/0x30\n[  667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0\n[  667.147065][ T9805]  __kmalloc_noprof+0x205/0x550\n[  667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0\n[  667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0\n[  667.148174][ T9805]  iterate_dir+0x296/0xb20\n[  667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.148937][ T9805]  do_syscall_64+0xc9/0x480\n[  667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.149809][ T9805]\n[  667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000\n[  667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048\n[  667.151282][ T9805] The buggy address is located 0 bytes to the right of\n[  667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)\n[  
667.1\n---truncated---","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13604b1d7e7b125fb428cddbec6b8d92baad25d5","https://git.kernel.org/stable/c/1ca69007e52a73bd8b84b988b61b319816ca8b01","https://git.kernel.org/stable/c/291bb5d931c6f3cd7227b913302a17be21cf53b0","https://git.kernel.org/stable/c/6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9","https://git.kernel.org/stable/c/73f7da507d787b489761a0fa280716f84fa32b2f","https://git.kernel.org/stable/c/76a4c6636a69d69409aa253b049b1be717a539c5","https://git.kernel.org/stable/c/94458781aee6045bd3d0ad4b80b02886b9e2219b","https://git.kernel.org/stable/c/ccf0ad56a779e6704c0b27f555dec847f50c7557","https://git.kernel.org/stable/c/f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38714","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()\n\nThe hfsplus_bnode_read() method can trigger the issue:\n\n[  174.852007][ T9784] ==================================================================\n[  174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360\n[  174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784\n[  174.854059][ T9784]\n[  174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)\n[  174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  174.854286][ T9784] Call Trace:\n[  174.854289][ T9784]  <TASK>\n[  174.854292][ T9784]  dump_stack_lvl+0x10e/0x1f0\n[  174.854305][ T9784]  print_report+0xd0/0x660\n[  
174.854315][ T9784]  ? __virt_addr_valid+0x81/0x610\n[  174.854323][ T9784]  ? __phys_addr+0xe8/0x180\n[  174.854330][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\n[  174.854337][ T9784]  kasan_report+0xc6/0x100\n[  174.854346][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\n[  174.854354][ T9784]  hfsplus_bnode_read+0x2f4/0x360\n[  174.854362][ T9784]  hfsplus_bnode_dump+0x2ec/0x380\n[  174.854370][ T9784]  ? __pfx_hfsplus_bnode_dump+0x10/0x10\n[  174.854377][ T9784]  ? hfsplus_bnode_write_u16+0x83/0xb0\n[  174.854385][ T9784]  ? srcu_gp_start+0xd0/0x310\n[  174.854393][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\n[  174.854402][ T9784]  hfsplus_brec_remove+0x3d2/0x4e0\n[  174.854411][ T9784]  __hfsplus_delete_attr+0x290/0x3a0\n[  174.854419][ T9784]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10\n[  174.854427][ T9784]  ? __pfx___hfsplus_delete_attr+0x10/0x10\n[  174.854436][ T9784]  ? __asan_memset+0x23/0x50\n[  174.854450][ T9784]  hfsplus_delete_all_attrs+0x262/0x320\n[  174.854459][ T9784]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10\n[  174.854469][ T9784]  ? rcu_is_watching+0x12/0xc0\n[  174.854476][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\n[  174.854483][ T9784]  hfsplus_delete_cat+0x845/0xde0\n[  174.854493][ T9784]  ? __pfx_hfsplus_delete_cat+0x10/0x10\n[  174.854507][ T9784]  hfsplus_unlink+0x1ca/0x7c0\n[  174.854516][ T9784]  ? __pfx_hfsplus_unlink+0x10/0x10\n[  174.854525][ T9784]  ? down_write+0x148/0x200\n[  174.854532][ T9784]  ? __pfx_down_write+0x10/0x10\n[  174.854540][ T9784]  vfs_unlink+0x2fe/0x9b0\n[  174.854549][ T9784]  do_unlinkat+0x490/0x670\n[  174.854557][ T9784]  ? __pfx_do_unlinkat+0x10/0x10\n[  174.854565][ T9784]  ? __might_fault+0xbc/0x130\n[  174.854576][ T9784]  ? 
getname_flags.part.0+0x1c5/0x550\n[  174.854584][ T9784]  __x64_sys_unlink+0xc5/0x110\n[  174.854592][ T9784]  do_syscall_64+0xc9/0x480\n[  174.854600][ T9784]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167\n[  174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08\n[  174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\n[  174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167\n[  174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50\n[  174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40\n[  174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0\n[  174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  174.854658][ T9784]  </TASK>\n[  174.854661][ T9784]\n[  174.879281][ T9784] Allocated by task 9784:\n[  174.879664][ T9784]  kasan_save_stack+0x20/0x40\n[  174.880082][ T9784]  kasan_save_track+0x14/0x30\n[  174.880500][ T9784]  __kasan_kmalloc+0xaa/0xb0\n[  174.880908][ T9784]  __kmalloc_noprof+0x205/0x550\n[  174.881337][ T9784]  __hfs_bnode_create+0x107/0x890\n[  174.881779][ T9784]  hfsplus_bnode_find+0x2d0/0xd10\n[  174.882222][ T9784]  hfsplus_brec_find+0x2b0/0x520\n[  174.882659][ T9784]  
hfsplus_delete_all_attrs+0x23b/0x3\n---truncated---","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/032f7ed6717a4cd3714f9801be39fdfc7f1c7644","https://git.kernel.org/stable/c/291b7f2538920aa229500dbdd6c5f0927a51bc8b","https://git.kernel.org/stable/c/475d770c19929082aab43337e6c077d0e2043df3","https://git.kernel.org/stable/c/5ab59229bef6063edf3a6fc2e3e3fd7cd2181b29","https://git.kernel.org/stable/c/7fa4cef8ea13b37811287ef60674c5fd1dd02ee6","https://git.kernel.org/stable/c/8583d067ae22b7f32ce5277ca5543ac8bf86a3e5","https://git.kernel.org/stable/c/a2abd574d2fe22b8464cf6df5abb6f24d809eac0","https://git.kernel.org/stable/c/c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2","https://git.kernel.org/stable/c/ffee8a7bed0fbfe29da239a922b59c5db897c613","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38715","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix slab-out-of-bounds in hfs_bnode_read()\n\nThis patch introduces is_bnode_offset_valid() method that checks\nthe requested offset value. Also, it introduces\ncheck_and_correct_requested_length() method that checks and\ncorrect the requested length (if it is necessary). 
These methods\nare used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),\nhfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent\nthe access out of allocated memory and triggering the crash.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/384a66b89f9540a9a8cb0f48807697dfabaece4c","https://git.kernel.org/stable/c/67ecc81f6492275c9c54280532f558483c99c90e","https://git.kernel.org/stable/c/a1a60e79502279f996e55052f50cc14919020475","https://git.kernel.org/stable/c/a431930c9bac518bf99d6b1da526a7f37ddee8d8","https://git.kernel.org/stable/c/e7d2dc2421e821e4045775e6dc226378328de6f6","https://git.kernel.org/stable/c/eec522fd0d28106b14a59ab2d658605febe4a3bb","https://git.kernel.org/stable/c/efc095b35b23297e419c2ab4fc1ed1a8f0781a29","https://git.kernel.org/stable/c/fc7f732984ec91f30be3e574e0644066d07f2b78","https://git.kernel.org/stable/c/fe2891a9c43ab87d1a210d61e6438ca6936e2f62","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38706","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\n\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\nleads to null pointer dereference.\nThis was reproduced with topology loading and marking a link as ignore\ndue to missing hardware component on the system.\nOn module removal the soc_tplg_remove_link() would call\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\nno runtime was 
created.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d91cb261cac6d885954b8f5da28b5c176c18131","https://git.kernel.org/stable/c/2fce20decc6a83f16dd73744150c4e7ea6c97c21","https://git.kernel.org/stable/c/41f53afe53a57a7c50323f99424b598190acf192","https://git.kernel.org/stable/c/7ce0a7255ce97ed7c54afae83fdbce712a1f0c9e","https://git.kernel.org/stable/c/7f8fc03712194fd4e2df28af7f7f7a38205934ef","https://git.kernel.org/stable/c/82ba7b8cf9f6e3bf392a9f08ba3d1c0b200ccb94","https://git.kernel.org/stable/c/8b465bedc2b417fd27c1d1ab7122882b4b60b1a0","https://git.kernel.org/stable/c/cecc65827ef3df9754e097582d89569139e6cd1e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38707","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add sanity check for file name\n\nThe length of the file name should be smaller than the directory entry 
size.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27ee9a42b245efe6529e28b03453291a775cb3e4","https://git.kernel.org/stable/c/2ac47f738ddfc1957a33be163bc97ee8f78e85a6","https://git.kernel.org/stable/c/3572737a768dadea904ebc4eb34b6ed575bb72d9","https://git.kernel.org/stable/c/b51642fc52d1c7243a9361555d5c4b24d7569d7e","https://git.kernel.org/stable/c/bde58c1539f3ffddffc94d64007de16964e6b8eb","https://git.kernel.org/stable/c/e841ecb139339602bc1853f5f09daa5d1ea920a2","https://git.kernel.org/stable/c/f99eb9a641f4ef927d8724f4966dcfd1f0e9f835","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38708","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: add missing kref_get in handle_write_conflicts\n\nWith `two-primaries` enabled, DRBD tries to detect \"concurrent\" writes\nand handle write conflicts, so that even if you write to the same sector\nsimultaneously on both nodes, they end up with the identical data once\nthe writes are completed.\n\nIn handling \"superseeded\" writes, we forgot a kref_get,\nresulting in a premature drbd_destroy_device and use after free,\nand further to kernel crashes with symptoms.\n\nRelevance: No one should use DRBD as a random data generator, and apparently\nall users of \"two-primaries\" handle concurrent writes correctly on layer up.\nThat is cluster file systems use some distributed lock manager,\nand live migration in virtualization environments stops writes on one node\nbefore starting writes on the other node.\n\nWhich means that other than for \"test cases\",\nthis code path is never taken in real life.\n\nFYI, in DRBD 9, things are handled differently nowadays.  
We still detect\n\"write conflicts\", but no longer try to be smart about them.\nWe decided to disconnect hard instead: upper layers must not submit concurrent\nwrites. If they do, that's their fault.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0002,"ranking_epss":0.05264,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00c9c9628b49e368d140cfa61d7df9b8922ec2a8","https://git.kernel.org/stable/c/0336bfe9c237476bd7c45605a36ca79c2bca62e5","https://git.kernel.org/stable/c/3a896498f6f577e57bf26aaa93b48c22b6d20c20","https://git.kernel.org/stable/c/46e3763dcae0ffcf8fcfaff4fc10a90a92ffdd89","https://git.kernel.org/stable/c/57418de35420cedab035aa1da8a26c0499b7f575","https://git.kernel.org/stable/c/7d483ad300fc0a06f69b019dda8f74970714baf8","https://git.kernel.org/stable/c/810cd546a29bfac90ed1328ea01d693d4bd11cb1","https://git.kernel.org/stable/c/84ef8dd3238330d1795745ece83b19f0295751bf","https://git.kernel.org/stable/c/9f53b2433ad248cd3342cc345f56f5c7904bd8c4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38696","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Don't crash in stack_top() for tasks without ABI or vDSO\n\nNot all tasks have an ABI associated or vDSO mapped,\nfor example kthreads never do.\nIf such a task ever ends up calling stack_top(), it will derefence the\nNULL ABI pointer and crash.\n\nThis can for example happen when using kunit:\n\n    mips_stack_top+0x28/0xc0\n    arch_pick_mmap_layout+0x190/0x220\n    kunit_vm_mmap_init+0xf8/0x138\n    __kunit_add_resource+0x40/0xa8\n    kunit_vm_mmap+0x88/0xd8\n    usercopy_test_init+0xb8/0x240\n    kunit_try_run_case+0x5c/0x1a8\n    kunit_generic_run_threadfn_adapter+0x28/0x50\n    kthread+0x118/0x240\n  
  ret_from_kernel_thread+0x14/0x1c\n\nOnly dereference the ABI point if it is set.\n\nThe GIC page is also included as it is specific to the vDSO.\nAlso move the randomization adjustment into the same conditional.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24d098b6f69b0aa806ffcb3e18259bee31650b28","https://git.kernel.org/stable/c/5b6839b572b503609b9b58bc6c04a816eefa0794","https://git.kernel.org/stable/c/82d140f6aab5e89a9d3972697a0dbe1498752d9b","https://git.kernel.org/stable/c/ab18e48a503230d675e824a0d68a108bdff42503","https://git.kernel.org/stable/c/bd90dbd196831f5c2620736dc221db2634cf1e8e","https://git.kernel.org/stable/c/cddf47d20b0325dc8a4e57b833fe96e8f36c42a4","https://git.kernel.org/stable/c/e78033e59444d257d095b73ce5d20625294f6ec2","https://git.kernel.org/stable/c/e9f4a6b3421e936c3ee9d74710243897d74dbaa2","https://git.kernel.org/stable/c/f22de2027b206ddfb8a075800bb5d0dacf2da4b8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38697","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: upper bound check of tree index in dbAllocAG\n\nWhen computing the tree index in dbAllocAG, we never check if we are\nout of bounds realative to the size of the stree.\nThis could happen in a scenario where the filesystem metadata 
are\ncorrupted.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1467a75819e41341cd5ebd16faa2af1ca3c8f4fe","https://git.kernel.org/stable/c/173cfd741ad7073640bfb7e2344c2a0ee005e769","https://git.kernel.org/stable/c/2dd05f09cc323018136a7ecdb3d1007be9ede27f","https://git.kernel.org/stable/c/30e19a884c0b11f33821aacda7e72e914bec26ef","https://git.kernel.org/stable/c/49ea46d9025aa1914b24ea957636cbe4367a7311","https://git.kernel.org/stable/c/5bdb9553fb134fd52ec208a8b378120670f6e784","https://git.kernel.org/stable/c/a4f199203f79ca9cd7355799ccb26800174ff093","https://git.kernel.org/stable/c/c214006856ff52a8ff17ed8da52d50601d54f9ce","https://git.kernel.org/stable/c/c8ca21a2836993d7cb816668458e05e598574e55","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38698","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Regular file corruption check\n\nThe reproducer builds a corrupted file on disk with a negative i_size value.\nAdd a check when opening this file to avoid subsequent operation 
failures.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00462be586b33076f8b8023e7ba697deedc131db","https://git.kernel.org/stable/c/02edcfda419168d9405bffe55f18ea9c1bf92366","https://git.kernel.org/stable/c/2d04df8116426b6c7b9f8b9b371250f666a2a2fb","https://git.kernel.org/stable/c/6bc86f1d7d5419d5b19483ba203ca0b760c41c51","https://git.kernel.org/stable/c/78989af5bbf55a0cf1165b0fa73921bc02f1543b","https://git.kernel.org/stable/c/9605cb2ea38ba014d0e704cba0dbbb00593fa9fd","https://git.kernel.org/stable/c/9ad054cd2c4ca8c371e555748832aa217c41fc65","https://git.kernel.org/stable/c/9f896c3d0192241d6438be6963682ace8203f502","https://git.kernel.org/stable/c/fd9454b7710b28060faa49b041f8283c435721a3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38699","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Double-free fix\n\nWhen the bfad_im_probe() function fails during initialization, the memory\npointed to by bfad->im is freed without setting bfad->im to NULL.\n\nSubsequently, during driver uninstallation, when the state machine enters\nthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,\nit attempts to free the memory pointed to by bfad->im again, thereby\ntriggering a double-free vulnerability.\n\nSet bfad->im to NULL if probing 
fails.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13f613228cf3c96a038424cd97aa4d6aadc66294","https://git.kernel.org/stable/c/39cfe2c83146aad956318f866d0ee471b7a61fa5","https://git.kernel.org/stable/c/50d9bd48321038bd6e15af5a454bbcd180cf6f80","https://git.kernel.org/stable/c/684c92bb08a25ed3c0356bc7eb532ed5b19588dd","https://git.kernel.org/stable/c/8456f862cb95bcc3a831e1ba87c0c17068be0f3f","https://git.kernel.org/stable/c/8e03dd9fadf76db5b9799583074a1a2a54f787f1","https://git.kernel.org/stable/c/9337c2affbaebe00b75fdf84ea0e2fcf93c140af","https://git.kernel.org/stable/c/add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9","https://git.kernel.org/stable/c/ba024d92564580bb90ec367248ace8efe16ce815","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38700","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated\n\nIn case of an ib_fast_reg_mr allocation failure during iSER setup, the\nmachine hits a panic because iscsi_conn->dd_data is initialized\nunconditionally, even when no memory is allocated (dd_size == 0).  
This\nleads invalid pointer dereference during connection teardown.\n\nFix by setting iscsi_conn->dd_data only if memory is actually allocated.\n\nPanic trace:\n------------\n iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12\n iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers\n BUG: unable to handle page fault for address: fffffffffffffff8\n RIP: 0010:swake_up_locked.part.5+0xa/0x40\n Call Trace:\n  complete+0x31/0x40\n  iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]\n  iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]\n  iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]\n  iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]\n  ? netlink_lookup+0x12f/0x1b0\n  ? netlink_deliver_tap+0x2c/0x200\n  netlink_unicast+0x1ab/0x280\n  netlink_sendmsg+0x257/0x4f0\n  ? _copy_from_user+0x29/0x60\n  sock_sendmsg+0x5f/0x70","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b242ea14386a510010eabfbfc3ce81a101f3802","https://git.kernel.org/stable/c/35782c32528d82aa21f84cb5ceb2abd3526a8159","https://git.kernel.org/stable/c/3ea3a256ed81f95ab0f3281a0e234b01a9cae605","https://git.kernel.org/stable/c/66a373f50b4249d57f5a88c7be9676f9d5884865","https://git.kernel.org/stable/c/9ea6d961566c7d762ed0204b06db05756fdda3b6","https://git.kernel.org/stable/c/a145c269dc5380c063a20a0db7e6df2995962e9d","https://git.kernel.org/stable/c/a33d42b7fc24fe03f239fbb0880dd5b4b4b97c19","https://git.kernel.org/stable/c/f53af99f441ee79599d8df6113a7144d74cf9153","https://git.kernel.org/stable/c/fd5aad080edb501ab5c84b7623d612d0e3033403","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38701","summary":"In the Linux kernel, 
the following vulnerability has been resolved:\n\next4: do not BUG when INLINE_DATA_FL lacks system.data xattr\n\nA syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()\nwhen an inode had the INLINE_DATA_FL flag set but was missing the\nsystem.data extended attribute.\n\nSince this can happen due to a maiciouly fuzzed file system, we\nshouldn't BUG, but rather, report it as a corrupted file system.\n\nAdd similar replacements of BUG_ON with EXT4_ERROR_INODE() ii\next4_create_inline_data() and ext4_inline_data_truncate().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02477,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42","https://git.kernel.org/stable/c/1199a6399895f4767f0b9a68a6ff47c3f799b7c7","https://git.kernel.org/stable/c/279c87ef7b9da34f65c2e4db586e730b667a6fb9","https://git.kernel.org/stable/c/2817ac83cb4732597bf36853fe13ca616f4ee4e2","https://git.kernel.org/stable/c/7f322c12df7aeed1755acd3c6fab48c7807795fb","https://git.kernel.org/stable/c/8085a7324d8ec448c4a764af7853e19bbd64e17a","https://git.kernel.org/stable/c/81e7e2e7ba07e7c8cdce43ccad2f91adbc5a919c","https://git.kernel.org/stable/c/8a6f89d42e61788605722dd9faf98797c958a7e5","https://git.kernel.org/stable/c/d960f4b793912f35e9d72bd9d1e90553063fcbf1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38702","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fix potential buffer overflow in do_register_framebuffer()\n\nThe current implementation may lead to buffer overflow when:\n1.  Unregistration creates NULL gaps in registered_fb[]\n2.  All array slots become occupied despite num_registered_fb < FB_MAX\n3.  
The registration loop exceeds array bounds\n\nAdd boundary check to prevent registered_fb[FB_MAX] access.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399","https://git.kernel.org/stable/c/2828a433c7d7a05b6f27c8148502095101dd0b09","https://git.kernel.org/stable/c/523b84dc7ccea9c4d79126d6ed1cf9033cf83b05","https://git.kernel.org/stable/c/5c3f5a25c62230b7965804ce7a2e9305c3ca3961","https://git.kernel.org/stable/c/806f85bdd3a60187c21437fc51baace11f659f35","https://git.kernel.org/stable/c/cbe740de32bb0fb7a5213731ff5f26ea6718fca3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38691","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix uninited ptr deref in block/scsi layout\n\nThe error occurs on the third attempt to encode extents. When function\next_tree_prepare_commit() reallocates a larger buffer to retry encoding\nextents, the \"layoutupdate_pages\" page array is initialized only after the\nretry loop. But ext_tree_free_commitdata() is called on every iteration\nand tries to put pages in the array, thus dereferencing uninitialized\npointers.\n\nAn additional problem is that there is no limit on the maximum possible\nbuffer_size. When there are too many extents, the client may create a\nlayoutcommit that is larger than the maximum possible RPC size accepted\nby the server.\n\nDuring testing, we observed two typical scenarios. First, one memory page\nfor extents is enough when we work with small files, append data to the\nend of the file, or preallocate extents before writing. 
But when we fill\na new large file without preallocating, the number of extents can be huge,\nand counting the number of written extents in ext_tree_encode_commit()\ndoes not help much. Since this number increases even more between\nunlocking and locking of ext_tree, the reallocated buffer may not be\nlarge enough again and again.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24334f3cf8a294f253071b5bf22d754dbb6d0f2d","https://git.kernel.org/stable/c/2896f101110076ac6bf99d7aaf463d61e26f89dd","https://git.kernel.org/stable/c/37c3443a2685528f972d910a6fb87716b96fef46","https://git.kernel.org/stable/c/4f783333cbfa2ee7d4aa8e47f6bd1b3f77534fcf","https://git.kernel.org/stable/c/579b85f893d9885162e1cabf99a4a088916e143e","https://git.kernel.org/stable/c/94ec6d939031a616474376dadbf4a8d0ef8b0bcc","https://git.kernel.org/stable/c/9768797c219326699778fba9cd3b607b2f1e7950","https://git.kernel.org/stable/c/9be5c04beca3202d0a5f09fb4b2ecb644caa0bc5","https://git.kernel.org/stable/c/f0b2eee3fbba9b7e3746ef698424ef5e4a197776","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38693","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar\n\nIn w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. 
We add\ncheck on msg[0].len to prevent crash.\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17b30e5ded062bd74f8ca6f317e1d415a8680665","https://git.kernel.org/stable/c/39b06b93f24dff923c4183d564ed28c039150554","https://git.kernel.org/stable/c/454a443eaa792c8865c861a282fe6d4f596abc3a","https://git.kernel.org/stable/c/6bbaec6a036940e22318f0454b50b8000845ab59","https://git.kernel.org/stable/c/7a41ecfc3415ebe3b4c44f96b3337691dcf431a3","https://git.kernel.org/stable/c/99690a494d91a0dc86cebd628da4c62c40552bcb","https://git.kernel.org/stable/c/b3d77a3fc71c084575d3df4ec6544b3fb6ce587d","https://git.kernel.org/stable/c/ed0234c8458b3149f15e496b48a1c9874dd24a1b","https://git.kernel.org/stable/c/f98132a59ccc59a8b97987363bc99c8968934756","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38694","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\n\nIn dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and\nmsg[0].len is zero, former checks on msg[0].buf would be passed. If accessing\nmsg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash. 
Similar issue occurs when access\nmsg[1].buf[0] and msg[1].buf[1].\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09906650484a09b3a4d4b3d3065395856810becd","https://git.kernel.org/stable/c/0bb32863426afe0badac25c28d59021f211d0f48","https://git.kernel.org/stable/c/19eb5d8e6aa1169d368a4d69aae5572950deb89d","https://git.kernel.org/stable/c/529fd5593b721e6f4370c591f5086649ed149ff6","https://git.kernel.org/stable/c/a0f744d6cdde81d7382e183f77a4080a39b206cd","https://git.kernel.org/stable/c/bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e","https://git.kernel.org/stable/c/c33280d6bd668dbdc5a5f07887cc63a52ab4789c","https://git.kernel.org/stable/c/ce5cac69b2edac3e3246fee03e8f4c2a1075238b","https://git.kernel.org/stable/c/ce8b7c711b9c4f040b5419729d0972db8e374324","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38695","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure\n\nIf a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the\nresultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may\noccur before sli4_hba.hdwqs are allocated.  This may result in a null\npointer dereference when attempting to take the abts_io_buf_list_lock for\nthe first hardware queue.  
Fix by adding a null ptr check on\nphba->sli4_hba.hdwq and an early return, because this situation means there\nmust have been an error during port initialization.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/46a0602c24d7d425dd8e00c749cd64a934aac7ec","https://git.kernel.org/stable/c/571617f171f723b05f02d154a2e549a17eab4935","https://git.kernel.org/stable/c/5e25ee1ecec91c61a8acf938ad338399cad464de","https://git.kernel.org/stable/c/6698796282e828733cde3329c887b4ae9e5545e9","https://git.kernel.org/stable/c/6711ce7e9de4eb1a541ef30638df1294ea4267f8","https://git.kernel.org/stable/c/74bdf54a847dab209d2a8f65852f59b7fa156175","https://git.kernel.org/stable/c/7925dd68807cc8fd755b04ca99e7e6f1c04392e8","https://git.kernel.org/stable/c/add68606a01dcccf18837a53e85b85caf0693b4b","https://git.kernel.org/stable/c/d3f55f46bb37a8ec73bfe3cfe36e3ecfa2945dfa","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38683","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix panic during namespace deletion with VF\n\nThe existing code moves the VF NIC to a new namespace when NETDEV_REGISTER is\nreceived on the netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() >> default_device_exit_net() is called. When the\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings the VF NIC back to the default namespace. 
This will cause\nthe default_device_exit_net() >> for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  231.450246] #PF: supervisor read access in kernel mode\n[  231.450579] #PF: error_code(0x0000) - not-present page\n[  231.450916] PGD 17b8a8067 P4D 0\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  231.452692] Workqueue: netns cleanup_net\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[  231.458434] Call Trace:\n[  231.458600]  <TASK>\n[  231.458777]  ops_undo_list+0x100/0x220\n[  231.459015]  cleanup_net+0x1b8/0x300\n[  231.459285]  process_one_work+0x184/0x340\n\nTo fix it, move the ns change to a workqueue, and take 
rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a70cbd1aef8b8be39992ab7b776ce1390091774","https://git.kernel.org/stable/c/33caa208dba6fa639e8a92fd0c8320b652e5550c","https://git.kernel.org/stable/c/3467c4ebb334658c6fcf3eabb64a6e8b2135e010","https://git.kernel.org/stable/c/3ca41ab55d23a0aa71661a5a56a8f06c11db90dc","https://git.kernel.org/stable/c/4293f6c5ccf735b26afeb6825def14d830e0367b","https://git.kernel.org/stable/c/4eff1e57a8ef98d70451b94e8437e458b27dd234","https://git.kernel.org/stable/c/5276896e6923ebe8c68573779d784aaf7d987cce","https://git.kernel.org/stable/c/d036104947176d030bec64792d54e1b4f4c7f318","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38684","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: use old 'nbands' while purging unused classes\n\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\nwe purge unused DWRR queues; the value of 'q->nbands' is the new one, and\nthe cleanup should be done with the old one. The problem is here since my\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\nrecent qdisc len accounting fixes. 
Fix it purging idle DWRR queues before\nassigning a new value of 'q->nbands', so that all purge operations find a\nconsistent configuration:\n\n - old 'q->nbands' because it's needed by ets_class_find()\n - old 'q->nstrict' because it's needed by ets_class_is_strict()\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\n Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\n RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\n Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\n RSP: 0018:ffffba186009f400 EFLAGS: 00010202\n RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\n RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\n R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\n R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\n FS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ets_class_qlen_notify+0x65/0x90 [sch_ets]\n  qdisc_tree_reduce_backlog+0x74/0x110\n  ets_qdisc_change+0x630/0xa40 [sch_ets]\n  __tc_modify_qdisc.constprop.0+0x216/0x7f0\n  tc_modify_qdisc+0x7c/0x120\n  rtnetlink_rcv_msg+0x145/0x3f0\n  netlink_rcv_skb+0x53/0x100\n  netlink_unicast+0x245/0x390\n  
netlink_sendmsg+0x21b/0x470\n  ____sys_sendmsg+0x39d/0x3d0\n  ___sys_sendmsg+0x9a/0xe0\n  __sys_sendmsg+0x7a/0xd0\n  do_syscall_64+0x7d/0x160\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f2155114084\n Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\n RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\n RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\n R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\n R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\n  </TASK>\n\n [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\n [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5b3b346bc4c2aa2c428735438a11989d251f32f1","https://git.kernel.org/stable/c/84a24fb446ee07b22b64aae6f0e3f4a38266310a","https://git.kernel.org/stable/c/87c6efc5ce9c126ae4a781bc04504b83780e3650","https://git.kernel.org/stable/c/970c1c731c4ede46d05f5b0355724d1e400cfbca","https://git.kernel.org/stable/c/97ec167cd2e8a81a2d87331a2ed92daf007542c8","https://git.kernel.org/stable/c/bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41","https://git.kernel.org/stable/c/be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b","https://git.kernel.org/stable/c/d69f4a258cd91b3bcef7089eb0401005aae2aed5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:36","vendor":
null,"product":null,"version":null},{"cve_id":"CVE-2025-38685","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix vmalloc out-of-bounds write in fast_imageblit\n\nThis issue triggers when a userspace program does an ioctl\nFBIOPUT_CON2FBMAP by passing a console number and a frame buffer number.\nIdeally this maps the console to the frame buffer and updates the screen if\nthe console is visible.\n\nAs part of the mapping it has to resize the console according to the frame\nbuffer info. If this resize fails, it returns from vc_do_resize() and\ncontinues further. At this point the console and the new frame buffer are mapped\nand the display vars are set. Despite the failure it still continues to proceed,\nupdating the screen at later stages where vc_data is related to the previous\nframe buffer while the frame buffer info and display vars are mapped to the new\nframe buffer, eventually leading to an out-of-bounds write in\nfast_imageblit(). This behaviour is expected only when fg_console is\nequal to the requested console, which is a visible console, and updates the screen\nwith invalid struct references in 
fbcon_putcs().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00021,"ranking_epss":0.05556,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/078e62bffca4b7e72e8f3550eb063ab981c36c7a","https://git.kernel.org/stable/c/27b118aebdd84161c8ff5ce49d9d536f2af10754","https://git.kernel.org/stable/c/4c4d7ddaf1d43780b106bedc692679f965dc5a3a","https://git.kernel.org/stable/c/56701bf9eeb63219e378cb7fcbd066ea4eaeeb50","https://git.kernel.org/stable/c/af0db3c1f898144846d4c172531a199bb3ca375d","https://git.kernel.org/stable/c/cfec17721265e72e50cc69c6004fe3475cd38df2","https://git.kernel.org/stable/c/ed9b8e5016230868c8d813d9179523f729fec8c6","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38687","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed.  We need\nto check there are no tasks queued on any of the subdevices' wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev->attach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev->attach_lock` before checking that all of\nthe subdevices are safe to be deleted.  This includes testing for any\nsleepers on the subdevices' wait queues.  It remains locked until the\ndevice has been detached.  
This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev->attach_lock`\nis write-locked, which wasn't the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00022,"ranking_epss":0.05906,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/017198079551a2a5cf61eae966af3c4b145e1f3b","https://git.kernel.org/stable/c/0f989f9d05492028afd2bded4b42023c57d8a76e","https://git.kernel.org/stable/c/35b6fc51c666fc96355be5cd633ed0fe4ccf68b2","https://git.kernel.org/stable/c/5724e82df4f9a4be62908362c97d522d25de75dd","https://git.kernel.org/stable/c/5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4","https://git.kernel.org/stable/c/71ca60d2e631cf9c63bcbc7017961c61ff04e419","https://git.kernel.org/stable/c/cd4286123d6948ff638ea9cd5818ae4796d5d252","https://git.kernel.org/stable/c/d85fac8729c9acfd72368faff1d576ec585e5c8f","https://git.kernel.org/stable/c/fe67122ba781df44a1a9716eb1dfd751321ab512","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38679","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Fix OOB read due to missing payload bound check\n\nCurrently, The event_seq_changed() handler processes a variable number\nof properties sent by the firmware. The number of properties is indicated\nby the firmware and used to iterate over the payload. 
However, the\npayload size is not being validated against the actual message length.\n\nThis can lead to out-of-bounds memory access if the firmware provides a\nproperty count that exceeds the data available in the payload. Such a\ncondition can result in kernel crashes or potential information leaks if\nmemory beyond the buffer is accessed.\n\nFix this by properly validating the remaining size of the payload before\neach property access and updating bounds accordingly as properties are\nparsed.\n\nThis ensures that property parsing is safely bounded within the received\nmessage buffer and protects against malformed or malicious firmware\nbehaviour.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00011,"ranking_epss":0.01345,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06d6770ff0d8cc8dfd392329a8cc03e2a83e7289","https://git.kernel.org/stable/c/6f08bfb5805637419902f3d70069fe17a404545b","https://git.kernel.org/stable/c/8f274e2b05fdae7a53cee83979202b5ecb49035c","https://git.kernel.org/stable/c/a3eef5847603cd8a4110587907988c3f93c9605a","https://git.kernel.org/stable/c/bed4921055dd7bb4d2eea2729852ae18cf97a2c6","https://git.kernel.org/stable/c/c956c3758510b448b3d4d10d1da8230e8c9bf668","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38680","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\n\nThe buffer length check before calling uvc_parse_format() only ensured\nthat the buffer has at least 3 bytes (buflen > 2), but the function\naccesses buffer[3], requiring at least 4 bytes.\n\nThis can lead to an out-of-bounds read if the buffer has exactly 3 bytes.\n\nFix it by checking that the buffer has at least 4 bytes 
in\nuvc_parse_format().","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e269581b3aa5962fdc52757ab40da286168c087","https://git.kernel.org/stable/c/424980d33b3f816485513e538610168b03fab9f1","https://git.kernel.org/stable/c/6d4a7c0b296162354b6fc759a1475b9d57ddfaa6","https://git.kernel.org/stable/c/782b6a718651eda3478b1824b37a8b3185d2740c","https://git.kernel.org/stable/c/8343f3fe0b755925f83d60b05e92bf4396879758","https://git.kernel.org/stable/c/9ad554217c9b945031c73df4e8176a475e2dea57","https://git.kernel.org/stable/c/a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9","https://git.kernel.org/stable/c/cac702a439050df65272c49184aef7975fe3eff2","https://git.kernel.org/stable/c/ffdd82182953df643aa63d999b6f1653d0c93778","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38681","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required.  The ptdump code can race with concurrent modifications of\nthe kernel page tables.  When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose.  
In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx().  Instead of solving this race\ncondition again, let's just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00013,"ranking_epss":0.01912,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1636b5e9c3543b87d673e32a47e7c18698882425","https://git.kernel.org/stable/c/3ee9a8c27bfd72c3f465004fa8455785d61be5e8","https://git.kernel.org/stable/c/59305202c67fea50378dcad0cc199dbc13a0e99a","https://git.kernel.org/stable/c/67995d4244694928ce701928e530b5b4adeb17b4","https://git.kernel.org/stable/c/69bea84b06b5e779627e7afdbf4b60a7d231c76f","https://git.kernel.org/stable/c/ac25ec5fa2bf6e606dc7954488e4dded272fa9cd","https://git.kernel.org/stable/c/ca8c414499f2e5337a95a76be0d21b728ee31c6b","https://git.kernel.org/stable/c/ff40839e018b82c4d756d035f34a63aa2d93be83","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-09-04T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38677","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in dnode page\n\nAs Jiaming Zhang reported:\n\n <TASK>\n __dump_stack 
lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x17e/0x800 mm/kasan/report.c:480\n kasan_report+0x147/0x180 mm/kasan/report.c:593\n data_blkaddr fs/f2fs/f2fs.h:3053 [inline]\n f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]\n f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855\n f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195\n prepare_write_begin fs/f2fs/data.c:3395 [inline]\n f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594\n generic_perform_write+0x2c7/0x910 mm/filemap.c:4112\n f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]\n f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x546/0xa90 fs/read_write.c:686\n ksys_write+0x149/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is in the corrupted image, there is a dnode has the same\nnode id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to\naccess block address in dnode at offset 934, however it parses the dnode\nas inode node, so that get_dnode_addr() returns 360, then it tries to\naccess page address from 360 + 934 * 4 = 4096 w/ 4 bytes.\n\nTo fix this issue, let's add sanity check for node id of all direct nodes\nduring 
f2fs_get_dnode_of_data().","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0002,"ranking_epss":0.05264,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6b7784ea07e6aa044f74b39d6b5af5e28746fc81","https://git.kernel.org/stable/c/77de19b6867f2740cdcb6c9c7e50d522b47847a4","https://git.kernel.org/stable/c/888aa660144bcb6ec07839da756ee46bfcf7fc53","https://git.kernel.org/stable/c/901f62efd6e855f93d8b1175540f29f4dc45ba55","https://git.kernel.org/stable/c/92ef491b506a0f4dd971a3a76f86f2d8f5370180","https://git.kernel.org/stable/c/a650654365c57407413e9b1f6ff4d539bf2e99ca","https://git.kernel.org/stable/c/ee4d13f5407cbdf1216cc258f45492075713889a","https://git.kernel.org/stable/c/f1d5093d9fe9f3c74c123741c88666cc853b79c5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-30T10:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-58240","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: separate no-async decryption request handling from async\n\nIf we're not doing async, the handling is much simpler. There's no\nreference counting, we just need to wait for the completion to wake us\nup and return its result.\n\nWe should preferably also use a separate crypto_wait. 
I'm not seeing a\nUAF as I did in the past, I think aec7961916f3 (\"tls: fix race between\nasync notify and socket close\") took care of it.\n\nThis will make the next fix easier.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04033,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/41532b785e9d79636b3815a64ddf6a096647d011","https://git.kernel.org/stable/c/48905146d11dbf1ddbb2967319016a83976953f5","https://git.kernel.org/stable/c/999115298017a675d8ddf61414fc7a85c89f1186","https://git.kernel.org/stable/c/dec5b6e7b211e405d3bcb504562ab21aa7e5a64d","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-28T10:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38676","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Avoid stack buffer overflow from kernel cmdline\n\nWhile the kernel command line is considered trusted in most environments,\navoid writing 1 byte past the end of \"acpiid\" if the \"str\" argument is\nmaximum 
length.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ad8509b468fa1058f4f400a1829f29e4ccc4de8","https://git.kernel.org/stable/c/4bdb0f78bddbfa77d3ab458a21dd9cec495d317a","https://git.kernel.org/stable/c/736db11c86f03e717fc4bf771d05efdf10d23acb","https://git.kernel.org/stable/c/8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec","https://git.kernel.org/stable/c/8f80c633cba144f721d38d9380f23d23ab7db10e","https://git.kernel.org/stable/c/9ff52d3af0ef286535749e14e3fe9eceb39a8349","https://git.kernel.org/stable/c/a732502bf3bbe859613b6d7b2b0313b11f0474ac","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-26T13:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38666","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy probe\n\nThe AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,\nreleases the aarp_lock, sleeps, then re-acquires the lock.  During that\nwindow an expire timer thread (__aarp_expire_timer) can remove and\nkfree() the same entry, leading to a use-after-free.\n\nrace condition:\n\n         cpu 0                          |            cpu 1\n    atalk_sendmsg()                     |   atif_proxy_probe_device()\n    aarp_send_ddp()                     |   aarp_proxy_probe_network()\n    mod_timer()                         |   lock(aarp_lock) // LOCK!!\n    timeout around 200ms                |   alloc(aarp_entry)\n    and then call                       |   proxies[hash] = aarp_entry\n    aarp_expire_timeout()               |   aarp_send_probe()\n                                        |   unlock(aarp_lock) // UNLOCK!!\n    lock(aarp_lock) // LOCK!!           
|   msleep(100);\n    __aarp_expire_timer(&proxies[ct])   |\n    free(aarp_entry)                    |\n    unlock(aarp_lock) // UNLOCK!!       |\n                                        |   lock(aarp_lock) // LOCK!!\n                                        |   UAF aarp_entry !!\n\n==================================================================\nBUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\nRead of size 4 at addr ffff8880123aa360 by task repro/13278\n\nCPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc1/0x630 mm/kasan/report.c:521\n kasan_report+0xca/0x100 mm/kasan/report.c:634\n aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n sock_do_ioctl+0xdc/0x260 net/socket.c:1190\n sock_ioctl+0x239/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAllocated:\n aarp_alloc net/appletalk/aarp.c:382 [inline]\n aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n\nFreed:\n kfree+0x148/0x4d0 mm/slub.c:4841\n __aarp_expire net/appletalk/aarp.c:90 [inline]\n __aarp_expire_timer net/appletalk/aarp.c:261 [inline]\n aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317\n\nThe 
buggy address belongs to the object at ffff8880123aa300\n which belongs to the cache kmalloc-192 of size 192\nThe buggy address is located 96 bytes inside of\n freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)\n\nMemory state around the buggy address:\n ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                       ^\n ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n==================================================================","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/186942d19c0222617ef61f50e1dba91e269a5963","https://git.kernel.org/stable/c/2a6209e4649d45fd85d4193abc481911858ffc6f","https://git.kernel.org/stable/c/5f02ea0f63dd38c41539ea290fcc1693c73aa8e5","https://git.kernel.org/stable/c/6c4a92d07b0850342d3becf2e608f805e972467c","https://git.kernel.org/stable/c/82d19a70ced28b17a38ebf1b6978c6c7db894979","https://git.kernel.org/stable/c/b35694ffabb2af308a1f725d70f60fd8a47d1f3e","https://git.kernel.org/stable/c/e4f1564c5b699eb89b3040688fd6b4e57922f1f6","https://git.kernel.org/stable/c/f90b6bb203f3f38bf2b3d976113d51571df9a482","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38668","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix NULL dereference on unbind due to stale coupling data\n\nFailing to reset coupling_desc.n_coupled after freeing coupled_rdevs can\nlead to NULL 
pointer dereference when regulators are accessed post-unbind.\n\nThis can happen during runtime PM or other regulator operations that rely\non coupling metadata.\n\nFor example, on ridesx4, unbinding the 'reg-dummy' platform device triggers\na panic in regulator_lock_recursive() due to stale coupling state.\n\nEnsure n_coupled is set to 0 to prevent access to invalid pointers.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00028,"ranking_epss":0.07871,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/233d3c54c9620e95193923859ea1d0b0f5d748ca","https://git.kernel.org/stable/c/5d4261dbb3335221fd9c6e69f909ba79ee6663a7","https://git.kernel.org/stable/c/6c49eac796681e250e34156bafb643930310bd4a","https://git.kernel.org/stable/c/7574892e259bbb16262ebfb4b65a2054a5e03a49","https://git.kernel.org/stable/c/800a2cfb2df7f96b3fb48910fc595e0215f6b019","https://git.kernel.org/stable/c/ca46946a482238b0cdea459fb82fc837fb36260e","https://git.kernel.org/stable/c/ca9bef9ba1a6be640c87bf802d2e9e696021576a","https://git.kernel.org/stable/c/d7e59c5fd7a0f5e16e75a30a89ea2c4ab88612b8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38670","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\n\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\nto different stacks along with the Shadow Call Stack if it is enabled.\nThose two stack changes cannot be done atomically and both functions\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\nis very much broken : if interrupted, we can end up with mismatched stacks\nand Shadow Call Stack leading to clobbered stacks.\n\nIn `cpu_switch_to()`, it can 
happen when SP_EL0 points to the new task,\nbut x18 still points to the old task's SCS. When the interrupt handler\ntries to save the task's SCS pointer, it will save the old task\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\nclobbering it.\n\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\nto the IRQ stack and when switching back. In both cases, we can be\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\nthe task stack. The nested interrupt handler pushes its return addresses\non the IRQ SCS. It then detects that SP points to the task stack,\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\nthe IRQ SCS pointer, which it will also use!\n\nThis leads to tasks returning to addresses on the wrong SCS,\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\nor FPAC if enabled.\n\nThis is possible on a default config, but unlikely.\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\ninstead the GIC is responsible for filtering what interrupts the CPU\nshould receive based on priority.\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\nfrequently depending on the system configuration and workload, leading\nto unpredictable kernel panics.\n\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\nDo the same in `call_on_irq_stack()`, but restore and mask around\nthe branch.\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\nof behaviour between all configurations.\n\nIntroduce and use an assembly macro for saving and masking DAIF,\nas the existing one saves but only masks 
IF.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b","https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d","https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525","https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61","https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6","https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb","https://git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38671","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qup: jump out of the loop in case of timeout\n\nOriginal logic only sets the return value but doesn't jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. 
This is observed during a long time test with a\nPCA953x GPIO extender.\n\nFix it by changing the logic to not only sets the return value, but also\njumps out of the loop and return to the caller with -ETIMEDOUT.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03513,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d33913fce67a93c1eb83396c3c9d6b411dcab33","https://git.kernel.org/stable/c/42c4471b30fa203249f476dd42321cd7efb7f6a8","https://git.kernel.org/stable/c/89459f168b78e5c801dc8b7ad037b62898bc4f57","https://git.kernel.org/stable/c/a7982a14b3012527a9583d12525cd0dc9f8d8934","https://git.kernel.org/stable/c/acfa2948be630ad857535cb36153697f3cbf9ca9","https://git.kernel.org/stable/c/c523bfba46c4b4d7676fb050909533a766698ecd","https://git.kernel.org/stable/c/cbec4406998185e0311ae97dfacc649f9cd79b0b","https://git.kernel.org/stable/c/d05ec13aa3eb868a60dc961b489053a643863ddc","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38663","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: reject invalid file types when reading inodes\n\nTo prevent inodes with invalid file types from tripping through the vfs\nand causing malfunctions or assertion failures, add a missing sanity check\nwhen reading an inode from a block device.  
If the file type is not valid,\ntreat it as a filesystem error.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a5c204e175a78556b8ef1f7683249fa5197295a","https://git.kernel.org/stable/c/2cf0c4130bf340be3935d097a3dcbfefdcf65815","https://git.kernel.org/stable/c/42cd46b3a8b1497b9258dc7ac445dbd6beb73e2f","https://git.kernel.org/stable/c/4aead50caf67e01020c8be1945c3201e8a972a27","https://git.kernel.org/stable/c/79663a15a1c70ca84f86f2dbba07b423fe7d5d4f","https://git.kernel.org/stable/c/98872a934ea6a95985fb6a3655a78a5f0c114e82","https://git.kernel.org/stable/c/bf585ee198bba4ff25b0d80a0891df4656cb0d08","https://git.kernel.org/stable/c/dd298c0b889acd3ecaf48b6e840c9ab91882e342","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38664","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix a null pointer dereference in ice_copy_and_init_pkg()\n\nAdd check for the return value of devm_kmemdup()\nto prevent potential null pointer 
dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0fde7dccbf4c8a6d7940ecaf4c3d80a12f405dd7","https://git.kernel.org/stable/c/1c30093d58cd3d02d8358e2b1f4a06a0aae0bf5b","https://git.kernel.org/stable/c/3028f2a4e746b499043bbb8ab816f975473a0535","https://git.kernel.org/stable/c/35370d3b44efe194fd5ad55bac987e629597d782","https://git.kernel.org/stable/c/435462f8ab2b9c5340a5414ce02f70117d0cfede","https://git.kernel.org/stable/c/4ff12d82dac119b4b99b5a78b5af3bf2474c0a36","https://git.kernel.org/stable/c/6d640a8ea62435a7f6f89869bee4fa99423d07ca","https://git.kernel.org/stable/c/7c5a13c76dd37e9e4f8d48b87376a54f4399ce15","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38665","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode\n\nAndrei Lalaev reported a NULL pointer deref when a CAN device is\nrestarted from Bus Off and the driver does not implement the struct\ncan_priv::do_set_mode callback.\n\nThere are 2 code path that call struct can_priv::do_set_mode:\n- directly by a manual restart from the user space, via\n  can_changelink()\n- delayed automatic restart after bus off (deactivated by default)\n\nTo prevent the NULL pointer deference, refuse a manual restart or\nconfigure the automatic restart delay in can_changelink() and report\nthe error via extack to user space.\n\nAs an additional safety measure let can_restart() return an error if\ncan_priv::do_set_mode is not set instead of dereferencing 
it\nunchecked.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5","https://git.kernel.org/stable/c/6acceb46180f9e160d4f0c56fcaf39ba562822ae","https://git.kernel.org/stable/c/6bbcf37c5114926c99a1d1e6993a5b35689d2599","https://git.kernel.org/stable/c/c1f3f9797c1f44a762e6f5f72520b2e520537b52","https://git.kernel.org/stable/c/cf81a60a973358dea163f6b14062f17831ceb894","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38652","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in devs.path\n\n- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- truncate -s $((1024*1024*1024)) \\\n  /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- touch /mnt/f2fs/file\n- truncate -s $((1024*1024*1024)) /mnt/f2fs/file\n- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  -c /mnt/f2fs/file\n- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  /mnt/f2fs/loop\n\n[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\\xff\\x01,      511,        0 -    3ffff\n[16937.192268] F2FS-fs (loop0): Failed to find devices\n\nIf device path length equals to MAX_PATH_LEN, sbi->devs.path[] may\nnot end up w/ null character due to path array is fully filled, So\naccidently, fields locate after path[] may be treated as part of\ndevice path, result in parsing wrong device path.\n\nstruct f2fs_dev_info {\n...\n\tchar path[MAX_PATH_LEN];\n...\n};\n\nLet's add one byte space for sbi->devs.path[] to store null\ncharacter of device path 
string.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b1efa5f0e878745e94a98022e8edc675a87d78e","https://git.kernel.org/stable/c/1cf1ff15f262e8baf12201b270b6a79f9d119b2d","https://git.kernel.org/stable/c/345fc8d1838f3f8be7c8ed08d86a13dedef67136","https://git.kernel.org/stable/c/3466721f06edff834f99d9f49f23eabc6b2cb78e","https://git.kernel.org/stable/c/5661998536af52848cc4d52a377e90368196edea","https://git.kernel.org/stable/c/666b7cf6ac9aa074b8319a2b68cba7f2c30023f0","https://git.kernel.org/stable/c/70849d33130a2cf1d6010069ed200669c8651fbd","https://git.kernel.org/stable/c/755427093e4294ac111c3f9e40d53f681a0fbdaa","https://git.kernel.org/stable/c/dc0172c74bd9edaee7bea2ebb35f3dbd37a8ae80","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38653","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nproc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al\n\nCheck pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. \nIt's a gap in proc_reg_open() after commit 654b33ada4ab(\"proc: fix UAF in\nproc_get_inode()\").  
Followed by AI Viro's suggestion, fix it in same\nmanner.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fccbfbae1dd36198dc47feac696563244ad81d3","https://git.kernel.org/stable/c/33c778ea0bd0fa62ff590497e72562ff90f82b13","https://git.kernel.org/stable/c/c35b0feb80b48720dfbbf4e33759c7be3faaebb6","https://git.kernel.org/stable/c/d136502e04d8853a9aecb335d07bbefd7a1519a8","https://git.kernel.org/stable/c/fc1072d934f687e1221d685cf1a49a5068318f34","https://git.kernel.org/stable/c/ff7ec8dc1b646296f8d94c39339e8d3833d16c05","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38650","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: remove mutex_lock check in hfsplus_free_extents\n\nSyzbot reported an issue in hfsplus filesystem:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346\n\thfsplus_free_extents+0x700/0xad0\nCall Trace:\n<TASK>\nhfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606\nhfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56\ncont_expand_zero fs/buffer.c:2383 [inline]\ncont_write_begin+0x2cf/0x860 fs/buffer.c:2446\nhfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52\ngeneric_cont_expand_simple+0x151/0x250 fs/buffer.c:2347\nhfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263\nnotify_change+0xe38/0x10f0 fs/attr.c:420\ndo_truncate+0x1fb/0x2e0 fs/open.c:65\ndo_sys_ftruncate+0x2eb/0x380 fs/open.c:193\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTo avoid deadlock, Commit 31651c607151 (\"hfsplus: avoid deadlock\non file truncation\") unlock extree before hfsplus_free_extents(),\nand add check 
wheather extree is locked in hfsplus_free_extents().\n\nHowever, when operations such as hfsplus_file_release,\nhfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed\nconcurrently in different files, it is very likely to trigger the\nWARN_ON, which will lead syzbot and xfstest to consider it as an\nabnormality.\n\nThe comment above this warning also describes one of the easy\ntriggering situations, which can easily trigger and cause\nxfstest&syzbot to report errors.\n\n[task A]\t\t\t[task B]\n->hfsplus_file_release\n  ->hfsplus_file_truncate\n    ->hfs_find_init\n      ->mutex_lock\n    ->mutex_unlock\n\t\t\t\t->hfsplus_write_begin\n\t\t\t\t  ->hfsplus_get_block\n\t\t\t\t    ->hfsplus_file_extend\n\t\t\t\t      ->hfsplus_ext_read_extent\n\t\t\t\t        ->hfs_find_init\n\t\t\t\t\t  ->mutex_lock\n    ->hfsplus_free_extents\n      WARN_ON(mutex_is_locked) !!!\n\nSeveral threads could try to lock the shared extents tree.\nAnd warning can be triggered in one thread when another thread\nhas locked the tree. 
This is the wrong behavior of the code and\nwe need to remove the warning.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.01912,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0807e4ac59a546f2346961c5e26a98901594b205","https://git.kernel.org/stable/c/084933961ecda7561dedfb78c4676ccb90c91ada","https://git.kernel.org/stable/c/14922f0cc92e010b160121679c0a6ca072f4e975","https://git.kernel.org/stable/c/314310166ba1fdff7660dfd9d18ea42d7058f7ae","https://git.kernel.org/stable/c/5055b7db94110f228961dea6b74eed0a93a50b01","https://git.kernel.org/stable/c/9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f","https://git.kernel.org/stable/c/a19ce9230b22a0866313932e7964cf05557a6008","https://git.kernel.org/stable/c/fcb96956c921f1aae7e7b477f2435c56f77a31b4","https://git.kernel.org/stable/c/fdd6aca652122d6e97787e88d7dd53ddc8b74e7e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38644","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata->u.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not 
associated.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542","https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0","https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4","https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577","https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c","https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38645","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Check device memory pointer before usage\n\nAdd a NULL check before accessing device memory to prevent a crash if\ndev->dm allocation in mlx5_init_once() fails.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3046b011d368162b1b9ca9453eee0fea930e0a93","https://git.kernel.org/stable/c/4249f1307932f1b6bbb8b7eba60d82f0b7e44430","https://git.kernel.org/stable/c/62d7cf455c887941ed6f105cd430ba04ee0b6c9f","https://git.kernel.org/stable/c/70f238c902b8c0461ae6fbb8d1a0bbddc4350eea","https://git.kernel.org/stable/c/9053a69abfb5680c2a95292b96df5d204bc0776f","https://git.kernel.org/stable/c/da899a1fd7c40e2e4302af1db7d0b8540fb22283","https://git.kernel.org/stable/c/eebb225fe6c9103293807b8edabcbad59f9589bc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38634","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\npower: supply: cpcap-charger: Fix null check for power_supply_get_by_name\n\nIn the cpcap_usb_detect() function, the power_supply_get_by_name()\nfunction may return `NULL` instead of an error pointer.\nTo prevent potential null pointer dereferences, Added a null check.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27001e4f146624c4b3389b029bdc0f8049819560","https://git.kernel.org/stable/c/4ebbb9106aaa2fd58e0359bc3a2490953db2ef0c","https://git.kernel.org/stable/c/8e9bdb563916287ba1b4258812434e0585ac6d00","https://git.kernel.org/stable/c/9784d832d7c103539cd9afb376534eaa35815d3d","https://git.kernel.org/stable/c/a2436263144980cc99a9860c7b43335847afbe53","https://git.kernel.org/stable/c/d9fa3aae08f99493e67fb79413c0e95d30fca5e9","https://git.kernel.org/stable/c/f642500aa7ed93d2606e4f929244cce9c7467b3a","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38635","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: davinci: Add NULL check in davinci_lpsc_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\ndavinci_lpsc_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensuring\nno resources are left allocated.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05716,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9","https://git.kernel.org/stable/c/13de464f445d42738fe18c9a28bab056ba3a290a","https://git.kernel.org/stable/c/1d92608a29251278015f57f3572bc950db7519f0","https://git.kernel.org/stable/c/23f564326deaafacfd7adf6104755b15216d8320","https://git.kernel.org/stable/c/2adc945b70c4d97e9491a6c0c9f3b217a9eecfba","https://git.kernel.org/stable/c/6fb19cdcf040e1dec052a9032acb66cc2ad1d43f","https://git.kernel.org/stable/c/77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13","https://git.kernel.org/stable/c/7843412e5927dafbb844782c56b6380564064109","https://git.kernel.org/stable/c/7943ed1f05f5cb7372dca2aa227f848747a98791","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38639","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_nfacct: don't assume acct name is null-terminated\n\nBUG: KASAN: slab-out-of-bounds in .. 
lib/vsprintf.c:721\nRead of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851\n[..]\n string+0x231/0x2b0 lib/vsprintf.c:721\n vsnprintf+0x739/0xf00 lib/vsprintf.c:2874\n [..]\n nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41\n xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523\n\nnfnl_acct_find_get() handles non-null input, but the error\nprintk relied on its presence.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/58004aa21e79addaf41667bfe65e93ec51653f18","https://git.kernel.org/stable/c/58007fc7b94fb2702000045ff401eb7f5bde7828","https://git.kernel.org/stable/c/66d41268ede1e1b6e71ba28be923397ff0b2b9c3","https://git.kernel.org/stable/c/7c1ae471da69c09242834e956218ea6a42dd405a","https://git.kernel.org/stable/c/b10cfa2de13d28ddd03210eb234422b7ec92725a","https://git.kernel.org/stable/c/bf58e667af7d96c8eb9411f926a0a0955f41ce21","https://git.kernel.org/stable/c/df13c9c6ce1d55c31d1bd49db65a7fbbd86aab13","https://git.kernel.org/stable/c/e021a1eee196887536a6630c5492c23a4c78d452","https://git.kernel.org/stable/c/e18939176e657a3a20bfbed357b8c55a9f82aba3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38630","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref\n\nfb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot\nallocate a struct fb_modelist.  If that happens, the modelist stays empty but\nthe driver continues to register.  
Add a check for its return value to prevent\npoteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 (\"fbdev:\nFix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\").","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40f0a51f6c54d46a94b9f1180339ede7ca7ee190","https://git.kernel.org/stable/c/49377bac9e3bec1635065a033c9679214fe7593e","https://git.kernel.org/stable/c/4b5d36cc3014986e6fac12eaa8433fe56801d4ce","https://git.kernel.org/stable/c/69373502c2b5d364842c702c941d1171e4f35a7c","https://git.kernel.org/stable/c/ac16154cccda8be10ee3ae188f10a06f3890bc5d","https://git.kernel.org/stable/c/cca8f5a3991916729b39d797d01499c335137319","https://git.kernel.org/stable/c/da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7","https://git.kernel.org/stable/c/f00c29e6755ead56baf2a9c1d3c4c0bb40af3612","https://git.kernel.org/stable/c/f060441c153495750804133555cf0a211a856892","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38622","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drop UFO packets in udp_rcv_segment()\n\nWhen sending a packet with virtio_net_hdr to tun device, if the gso_type\nin virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr\nsize, below crash may happen.\n\n  ------------[ cut here ]------------\n  kernel BUG at net/core/skbuff.c:4572!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:skb_pull_rcsum+0x8e/0xa0\n  Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc 
cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000\n  RSP: 0018:ffffc900001fba38 EFLAGS: 00000297\n  RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948\n  RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062\n  RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001\n  R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000\n  R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900\n  FS:  000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445\n   udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475\n   udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626\n   __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690\n   ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233\n   ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579\n   ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636\n   ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670\n   __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067\n   netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210\n   napi_complete_done+0x78/0x180 net/core/dev.c:6580\n   tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909\n   tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984\n   vfs_write+0x300/0x420 fs/read_write.c:593\n   ksys_write+0x60/0xd0 fs/read_write.c:686\n   do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63\n   </TASK>\n\nTo trigger gso segment in udp_queue_rcv_skb(), we should also set option\nUDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. 
When the encap_rcv\nhook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try\nto pull udphdr, but the skb size has been segmented to gso size, which\nleads to this crash.\n\nPrevious commit cf329aa42b66 (\"udp: cope with UDP GRO packet misdirection\")\nintroduces segmentation in UDP receive path only for GRO, which was never\nintended to be used for UFO, so drop UFO packets in udp_rcv_segment().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522","https://git.kernel.org/stable/c/0d45954034f8edd6d4052e0190d3d6335c37e4de","https://git.kernel.org/stable/c/4c1022220b1b6fea802175e80444923a3bbf93a5","https://git.kernel.org/stable/c/72f97d3cb791e26492236b2be7fd70d2c6222555","https://git.kernel.org/stable/c/791f32c5eab33ca3a153f8f6f763aa0df1ddc320","https://git.kernel.org/stable/c/c0ec2e47f1e92d69b42b17a4a1e543256778393e","https://git.kernel.org/stable/c/d46e51f1c78b9ab9323610feb14238d06d46d519","https://git.kernel.org/stable/c/df6ad849d59256dcc0e2234844ef9f0daf885f5c","https://git.kernel.org/stable/c/fc45b3f9599b657d4a64bcf423d2a977b3e13a49","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38623","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Fix surprise plug detection and recovery\n\nThe existing PowerNV hotplug code did not handle surprise plug events\ncorrectly, leading to a complete failure of the hotplug system after device\nremoval and a required reboot to detect new devices.\n\nThis comes down to two issues:\n\n 1) When a device is surprise removed, often the bridge upstream\n    port will cause a PE freeze on the 
PHB.  If this freeze is not\n    cleared, the MSI interrupts from the bridge hotplug notification\n    logic will not be received by the kernel, stalling all plug events\n    on all slots associated with the PE.\n\n 2) When a device is removed from a slot, regardless of surprise or\n    programmatic removal, the associated PHB/PE ls left frozen.\n    If this freeze is not cleared via a fundamental reset, skiboot\n    is unable to clear the freeze and cannot retrain / rescan the\n    slot.  This also requires a reboot to clear the freeze and redetect\n    the device in the slot.\n\nIssue the appropriate unfreeze and rescan commands on hotplug events,\nand don't oops on hotplug if pci_bus_to_OF_node() returns NULL.\n\n[bhelgaas: tidy comments]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03513,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d2f63680c5719a5da92639e981c6c9a87fcee08","https://git.kernel.org/stable/c/2ec8ec57bb8ebde3e2a015eff80e5d66e6634fe3","https://git.kernel.org/stable/c/473999ba937eac9776be791deed7c84a21d7880b","https://git.kernel.org/stable/c/48c6935a34981bb56f35be0774ec1f30c6e386f8","https://git.kernel.org/stable/c/6e7b24c71e530a6c1d656e73d8a30ee081656844","https://git.kernel.org/stable/c/6e7b5f922901585b8f11e0d6cda12bda5c59fc8a","https://git.kernel.org/stable/c/78d20b8c13075eae3d884c21db7a09a6bbdda5b2","https://git.kernel.org/stable/c/a2a2a6fc2469524caa713036297c542746d148dc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38624","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Clean up allocated IRQs on unplug\n\nWhen the root of a nested PCIe bridge configuration is unplugged, the\npnv_php driver leaked the allocated IRQ resources for the child bridges'\nhotplug event 
notifications, resulting in a panic.\n\nFix this by walking all child buses and deallocating all its IRQ resources\nbefore calling pci_hp_remove_devices().\n\nAlso modify the lifetime of the workqueue at struct pnv_php_slot::wq so\nthat it is only destroyed in pnv_php_free_slot(), instead of\npnv_php_disable_irq(). This is required since pnv_php_disable_irq() will\nnow be called by workers triggered by hot unplug interrupts, so the\nworkqueue needs to stay allocated.\n\nThe abridged kernel panic that occurs without this patch is as follows:\n\n  WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c\n  CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2\n  Call Trace:\n   msi_device_data_release+0x34/0x9c (unreliable)\n   release_nodes+0x64/0x13c\n   devres_release_all+0xc0/0x140\n   device_del+0x2d4/0x46c\n   pci_destroy_dev+0x5c/0x194\n   pci_hp_remove_devices+0x90/0x128\n   pci_hp_remove_devices+0x44/0x128\n   pnv_php_disable_slot+0x54/0xd4\n   power_write_file+0xf8/0x18c\n   pci_slot_attr_store+0x40/0x5c\n   sysfs_kf_write+0x64/0x78\n   kernfs_fop_write_iter+0x1b0/0x290\n   vfs_write+0x3bc/0x50c\n   ksys_write+0x84/0x140\n   system_call_exception+0x124/0x230\n   system_call_vectored_common+0x15c/0x2ec\n\n[bhelgaas: tidy 
comments]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1773c19fa55e944cdd2634e2d9e552f87f2d38d5","https://git.kernel.org/stable/c/28aa3cfce12487614219e7667ec84424e1f43227","https://git.kernel.org/stable/c/32173edf3fe2d447e14e5e3b299387c6f9602a88","https://git.kernel.org/stable/c/398170b7fd0e0db2f8096df5206c75e5ff41415a","https://git.kernel.org/stable/c/4668619092554e1b95c9a5ac2941ca47ba6d548a","https://git.kernel.org/stable/c/8c1ad4af160691e157d688ad9619ced2df556aac","https://git.kernel.org/stable/c/912e200240b6f9758f0b126e64a61c9227f4ad37","https://git.kernel.org/stable/c/bbd302c4b79df10197ffa7270ca3aa572eeca33c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T16:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38617","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po->bind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo->bind_lock critical section had to be temporarily released. 
And\nthe fix was similarly to temporarily set po->num to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po->bind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00064,"ranking_epss":0.20093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.calif.io/p/a-race-within-a-race-exploiting-cve","https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36","https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73","https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c","https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca","https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805","https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9","https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588","https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893","https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df","https://github.com/google/security-research/pull/339","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T14:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38618","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. 
Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/32950b1907919be86a7a2697d6f93d57068b3865","https://git.kernel.org/stable/c/44bd006d5c93f6a8f28b106cbae2428c5d0275b7","https://git.kernel.org/stable/c/8f01093646b49f6330bb2d36761983fd829472b1","https://git.kernel.org/stable/c/aba0c94f61ec05315fa7815d21aefa4c87f6a9f4","https://git.kernel.org/stable/c/c04a2c1ca25b9b23104124d3b2d349d934e302de","https://git.kernel.org/stable/c/cf86704798c1b9c46fa59dfc2d662f57d1394d79","https://git.kernel.org/stable/c/d1a5b1964cef42727668ac0d8532dae4f8c19386","https://git.kernel.org/stable/c/d73960f0cf03ef1dc9e96ec7a20e538accc26d87","https://git.kernel.org/stable/c/f138be5d7f301fddad4e65ec66dfc3ceebf79be3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-22T14:15:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38614","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don't\nlimit the depth of the resulting tree for two reasons:\n\n - They don't look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit 
paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS 
edges.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07104,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039","https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6","https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036","https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04","https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161","https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6","https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38608","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n\nWhen sending plaintext data, we initially calculated the corresponding\nciphertext length. 
However, if we later reduced the plaintext data length\nvia socket policy, we failed to recalculate the ciphertext length.\n\nThis results in transmitting buffers containing uninitialized data during\nciphertext transmission.\n\nThis causes uninitialized bytes to be appended after a complete\n\"Application Data\" packet, leading to errors on the receiving end when\nparsing TLS record.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e853c1464bcf61207f8b5c32d2ac5ee495e859d","https://git.kernel.org/stable/c/16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb","https://git.kernel.org/stable/c/178f6a5c8cb3b6be1602de0964cd440243f493c9","https://git.kernel.org/stable/c/1e480387d4b42776f8957fb148af9d75ce93b96d","https://git.kernel.org/stable/c/6ba20ff3cdb96a908b9dc93cf247d0b087672e7c","https://git.kernel.org/stable/c/73fc5d04009d3969ff8e8574f0fd769f04124e59","https://git.kernel.org/stable/c/849d24dc5aed45ebeb3490df429356739256ac40","https://git.kernel.org/stable/c/90d6ef67440cec2a0aad71a0108c8f216437345c","https://git.kernel.org/stable/c/ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38609","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Check governor before using governor->name\n\nCommit 96ffcdf239de (\"PM / devfreq: Remove redundant governor_name from\nstruct devfreq\") removes governor_name and uses governor->name to replace\nit. But devfreq->governor may be NULL and directly using\ndevfreq->governor->name may cause null pointer exception. 
Move the check of\ngovernor to before using governor->name.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2731c68f536fddcb71332db7f8d78c5eb4684c04","https://git.kernel.org/stable/c/631e101728df2a86b8fb761b49fad9712c651f8a","https://git.kernel.org/stable/c/75323a49aa603cf5484a6d74d0d329e86d756e11","https://git.kernel.org/stable/c/81f50619370045120c133bfdda5b320c8c97d41e","https://git.kernel.org/stable/c/bab7834c03820eb11269bc48f07c3800192460d2","https://git.kernel.org/stable/c/d5632359dbc44862fc1ed04093c1f57529830261","https://git.kernel.org/stable/c/f0479e878d4beb45e73c03e574c59f0a23ccd176","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38610","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()\n\nThe get_pd_power_uw() function can crash with a NULL pointer dereference\nwhen em_cpu_get() returns NULL. 
This occurs when a CPU becomes impossible\nduring runtime, causing get_cpu_device() to return NULL, which propagates\nthrough em_cpu_get() and leads to a crash when em_span_cpus() dereferences\nthe NULL pointer.\n\nAdd a NULL check after em_cpu_get() and return 0 if unavailable,\nmatching the existing fallback behavior in __dtpm_cpu_setup().\n\n[ rjw: Drop an excess empty code line ]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27914f2b795e2b58e9506f281dcdd98fef09d3c2","https://git.kernel.org/stable/c/27e0318f0ea69fcfa32228847debc384ade14578","https://git.kernel.org/stable/c/2fd001a0075ac01dc64a28a8e21226b3d989a91d","https://git.kernel.org/stable/c/46dc57406887dd02565cb264224194a6776d882b","https://git.kernel.org/stable/c/8374ac7d69a57d737e701a851ffe980a0d27d3ad","https://git.kernel.org/stable/c/c6ec27091cf5ac05094c1fe3a6ce914cf711a37c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38612","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()\n\nIn the error paths after fb_info structure is successfully allocated,\nthe memory allocated in fb_deferred_io_init() for info->pagerefs is not\nfreed. 
Fix that by adding the cleanup function on the error path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3290f62f23fae05f2ec34085eb86dfb3648ef91f","https://git.kernel.org/stable/c/47b3d6e8921bbb7b65c2dab8eaa8864901848c1c","https://git.kernel.org/stable/c/6771f121ae87490ddc19eabb7450383af9e01b6d","https://git.kernel.org/stable/c/6f9e2cf9e9c1a891a683329af35bb33ed9d38b5f","https://git.kernel.org/stable/c/83ea0c7b8d12c67f6c4703d6c458627a7fc45fc0","https://git.kernel.org/stable/c/a3177955f8da3c826a18b75e54881e2e9a9c96f1","https://git.kernel.org/stable/c/b31cf6f7716a5d3e4461763f32d812acdaec6e74","https://git.kernel.org/stable/c/c3b1c45c48117ed4d8797ee89d1155f16b72d490","https://git.kernel.org/stable/c/eb2cb7dab60f9be0b435ac4a674255429a36d72c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38601","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting 
count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n  which destroys srng lists.  However, it does not reset per-list\n  ->initialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized\n  flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n <TASK>\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? 
ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list ->initialized flag in ath11k_hal_srng_deinit().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd","https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230","https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4","https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54","https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082","https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c","https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e","https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38602","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue since it may\nreturn NULL 
pointer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e9f85ee3b46453a2f250a57d3a9f10c70c71202","https://git.kernel.org/stable/c/6663c52608d8d8727bf1911e6d9218069ba1c85e","https://git.kernel.org/stable/c/70a1b527eaea9430b1bd87de59f3b9f6bd225701","https://git.kernel.org/stable/c/7dd6350307af6521b6240b295c93b7eec4daebe6","https://git.kernel.org/stable/c/90a0d9f339960448a3acc1437a46730f975efd6a","https://git.kernel.org/stable/c/b398120fbe0acfef60b16f6a0f69902d385d7728","https://git.kernel.org/stable/c/c0e43c3f6c0a79381b468574c241065998412b7c","https://git.kernel.org/stable/c/c80832d445653baba5ac80cd2c2637c437ac881b","https://git.kernel.org/stable/c/ca980f1911a7144d451d1c31298ab8507c6bd88f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38604","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. 
This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  <IRQ>\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  </IRQ>\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f","https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd","https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968","https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd","https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d","https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb","https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b","https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6","https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:38","vendor":null,"p
roduct":null,"version":null},{"cve_id":"CVE-2025-38587","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible infinite loop in fib6_info_uses_dev()\n\nfib6_info_uses_dev() seems to rely on RCU without an explicit\nprotection.\n\nLike the prior fix in rt6_nlmsg_size(),\nwe need to make sure fib6_del_route() or fib6_add_rt2node()\nhave not removed the anchor from the list, or we risk an infinite loop.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16d21816c0918f8058b5fc14cbe8595d62046e2d","https://git.kernel.org/stable/c/9cb6de8ee144a94ae7a40bdb32560329ab7276f0","https://git.kernel.org/stable/c/bc85e62394f008fa848c4ba02c936c735a3e8ef5","https://git.kernel.org/stable/c/db65739d406c72776fbdbbc334be827ef05880d2","https://git.kernel.org/stable/c/e09be457b71b983a085312ff9e981f51e4ed3211","https://git.kernel.org/stable/c/f8d8ce1b515a0a6af72b30502670a406cfb75073","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38588","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, &f6i->fib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i->fib6_nsiblings is 
zero.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d","https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab","https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da","https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8","https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38","https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38579","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix KMSAN uninit-value in extent_info usage\n\nKMSAN reported a use of uninitialized value in `__is_extent_mergeable()`\n and `__is_back_mergeable()` via the read extent tree path.\n\nThe root cause is that `get_read_extent_info()` only initializes three\nfields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the\nremaining fields uninitialized. 
This leads to undefined behavior\nwhen those fields are accessed later, especially during\nextent merging.\n\nFix it by zero-initializing the `extent_info` struct before population.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01b6f5955e0008af6bc3a181310d2744bb349800","https://git.kernel.org/stable/c/08e8ab00a6d20d5544c932ee85a297d833895141","https://git.kernel.org/stable/c/154467f4ad033473e5c903a03e7b9bca7df9a0fa","https://git.kernel.org/stable/c/44a79437309e0ee2276ac17aaedc71253af253a8","https://git.kernel.org/stable/c/cc1615d5aba4f396cf412579928539a2b124c8a0","https://git.kernel.org/stable/c/dabfa3952c8e6bfe6414dbf32e8b6c5f349dc898","https://git.kernel.org/stable/c/e68b751ec2b15d866967812c57cfdfc1eba6a269","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38581","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for ccp.ko\n\nWhen CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding\nthe ccp device causes the following crash:\n\n$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind\n$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind\n\n[  204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[  204.978026] #PF: supervisor write access in kernel mode\n[  204.979126] #PF: error_code(0x0002) - not-present page\n[  204.980226] PGD 0 P4D 0\n[  204.981317] Oops: Oops: 0002 [#1] SMP NOPTI\n...\n[  204.997852] Call Trace:\n[  204.999074]  <TASK>\n[  205.000297]  start_creating+0x9f/0x1c0\n[  205.001533]  debugfs_create_dir+0x1f/0x170\n[  205.002769]  ? 
srso_return_thunk+0x5/0x5f\n[  205.004000]  ccp5_debugfs_setup+0x87/0x170 [ccp]\n[  205.005241]  ccp5_init+0x8b2/0x960 [ccp]\n[  205.006469]  ccp_dev_init+0xd4/0x150 [ccp]\n[  205.007709]  sp_init+0x5f/0x80 [ccp]\n[  205.008942]  sp_pci_probe+0x283/0x2e0 [ccp]\n[  205.010165]  ? srso_return_thunk+0x5/0x5f\n[  205.011376]  local_pci_probe+0x4f/0xb0\n[  205.012584]  pci_device_probe+0xdb/0x230\n[  205.013810]  really_probe+0xed/0x380\n[  205.015024]  __driver_probe_device+0x7e/0x160\n[  205.016240]  device_driver_attach+0x2f/0x60\n[  205.017457]  bind_store+0x7c/0xb0\n[  205.018663]  drv_attr_store+0x28/0x40\n[  205.019868]  sysfs_kf_write+0x5f/0x70\n[  205.021065]  kernfs_fop_write_iter+0x145/0x1d0\n[  205.022267]  vfs_write+0x308/0x440\n[  205.023453]  ksys_write+0x6d/0xe0\n[  205.024616]  __x64_sys_write+0x1e/0x30\n[  205.025778]  x64_sys_call+0x16ba/0x2150\n[  205.026942]  do_syscall_64+0x56/0x1e0\n[  205.028108]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  205.029276] RIP: 0033:0x7fbc36f10104\n[  205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5\n\nThis patch sets ccp_debugfs_dir to NULL after destroying it in\nccp5_debugfs_destroy, allowing the directory dentry to be\nrecreated when rebinding the ccp device.\n\nTested on AMD Ryzen 7 
1700X.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/181698af38d3f93381229ad89c09b5bd0496661a","https://git.kernel.org/stable/c/20c0ed8dd65834e6bab464f54cd6ff68659bacb9","https://git.kernel.org/stable/c/2d4060f05e74dbee884ba723f6afd9282befc3c5","https://git.kernel.org/stable/c/64ec9a7e7a6398b172ab6feba60e952163a1c3d5","https://git.kernel.org/stable/c/6eadf50c1d894cb34f3237064063207460946040","https://git.kernel.org/stable/c/9dea08eac4f6d6fbbae59992978252e2edab995d","https://git.kernel.org/stable/c/a25ab6dfa0ce323ec308966988be6b675eb9d3e5","https://git.kernel.org/stable/c/ce63a83925964ab7564bd216bd92b80bc365492e","https://git.kernel.org/stable/c/db111468531777cac8b4beb6515a88a54b0c4a74","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38583","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: xilinx: vcu: unregister pll_post only if registered correctly\n\nIf registration of pll_post is failed, it will be set to NULL or ERR,\nunregistering same will fail with following call trace:\n\nUnable to handle kernel NULL pointer dereference at virtual address 008\npc : clk_hw_unregister+0xc/0x20\nlr : clk_hw_unregister_fixed_factor+0x18/0x30\nsp : ffff800011923850\n...\nCall trace:\n clk_hw_unregister+0xc/0x20\n clk_hw_unregister_fixed_factor+0x18/0x30\n xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]\n xvcu_probe+0x2bc/0x53c 
[xlnx_vcu]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d","https://git.kernel.org/stable/c/51990eecf22f446550befdfd1a9f54147eafd636","https://git.kernel.org/stable/c/7e903da71f8bec4beb7c06707900e1ed8db843ca","https://git.kernel.org/stable/c/86124c5cfceb5ac04d2fddbf1b6f7147332d96a3","https://git.kernel.org/stable/c/88bd875b7f9c3652c27d6e4bb7a23701b764f762","https://git.kernel.org/stable/c/a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed","https://git.kernel.org/stable/c/f1a1be99d5ae53d3b404415f1665eb59e8e02a8c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38572","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb->transport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n <TASK>\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 
net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b","https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1","https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67","https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e","https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703","https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe","https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e","https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789","https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38574","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npptp: ensure minimal skb length in pptp_xmit()\n\nCommit aabc6596ffb3 (\"net: ppp: Add bound checking for skb data\non ppp_sync_txmung\") fixed ppp_sync_txmunge()\n\nWe need a similar fix in pptp_xmit(), otherwise we might\nread uninit data as reported by syzbot.\n\nBUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n  pptp_xmit+0xc34/0x2720 
drivers/net/ppp/pptp.c:193\n  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]\n  ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314\n  pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n  __release_sock+0x1d3/0x330 net/core/sock.c:3213\n  release_sock+0x6b/0x270 net/core/sock.c:3767\n  pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904\n  sock_sendmsg_nosec net/socket.c:712 [inline]\n  __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n  ____sys_sendmsg+0x893/0xd80 net/socket.c:2566\n  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n  __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a04db0fd75cb6034fc27a56b67b3b8b9022a98c","https://git.kernel.org/stable/c/26672f1679b143aa34fca0b6046b7fd0c184770d","https://git.kernel.org/stable/c/5005d24377378a20e5c0e53052fc4ebdcdcbc611","https://git.kernel.org/stable/c/504cc4ab91073d2ac7404ad146139f86ecee7193","https://git.kernel.org/stable/c/5de7513f38f3c19c0610294ee478242bea356f8c","https://git.kernel.org/stable/c/97b8c5d322c5c0038cac4bc56fdbe237d0be426f","https://git.kernel.org/stable/c/b7dcda76fd0615c0599c89f36873a6cd48e02dbb","https://git.kernel.org/stable/c/de9c4861fb42f0cd72da844c3c34f692d5895b7b","https://git.kernel.org/stable/c/ea99b88b1999ebcb24d5d3a6b7910030f40d3bba","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38576","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: Make EEH driver device hotplug safe\n\nMultiple race conditions existed between the PCIe hotplug driver and the\nEEH driver, leading to a 
variety of kernel oopses of the same general\nnature:\n\n<pcie device unplug>\n<eeh driver trigger>\n<hotplug removal trigger>\n<pcie tree reconfiguration>\n<eeh recovery next step>\n<oops in EEH driver bus iteration loop>\n\nA second class of oops is also seen when the underlying bus disappears\nduring device recovery.\n\nRefactor the EEH module to be PCI rescan and remove safe.  Also clean\nup a few minor formatting / readability issues.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1010b4c012b0d78dfb9d3132b49aa2ef024a07a7","https://git.kernel.org/stable/c/19d5036e7ad766cf212aebec23b9f1d7924a62bc","https://git.kernel.org/stable/c/502f08831a9afb72dc98a56ae6504da43e93b250","https://git.kernel.org/stable/c/59c6d3d81d42bf543c90597b4f38c53d6874c5a1","https://git.kernel.org/stable/c/a426e8a6ae161f51888585b065db0f8f93ab2e16","https://git.kernel.org/stable/c/d2c60a8a387e9fcc28447ef36c03f8e49fd052a6","https://git.kernel.org/stable/c/d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25","https://git.kernel.org/stable/c/f56e004b781719d8fdf6c9619b15caf2579bc1f2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38577","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid panic in f2fs_evict_inode\n\nAs syzbot [1] reported as below:\n\nR10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450\nR13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520\n </TASK>\n---[ end trace 0000000000000000 ]---\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff88812d962278 by task syz-executor/564\n\nCPU: 1 PID: 564 Comm: 
syz-executor Tainted: G        W          6.1.129-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack+0x21/0x24 lib/dump_stack.c:88\n dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106\n print_address_description+0x71/0x210 mm/kasan/report.c:316\n print_report+0x4a/0x60 mm/kasan/report.c:427\n kasan_report+0x122/0x150 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531\n f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585\n f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703\n f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677\n writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733\n sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789\n f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159\n block_operations fs/f2fs/checkpoint.c:1269 [inline]\n f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658\n kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668\n deactivate_locked_super+0x98/0x100 fs/super.c:332\n deactivate_super+0xaf/0xe0 fs/super.c:363\n cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186\n __cleanup_mnt+0x19/0x20 fs/namespace.c:1193\n task_work_run+0x1c6/0x230 kernel/task_work.c:203\n exit_task_work include/linux/task_work.h:39 [inline]\n do_exit+0x9fb/0x2410 kernel/exit.c:871\n do_group_exit+0x210/0x2d0 kernel/exit.c:1021\n __do_sys_exit_group kernel/exit.c:1032 [inline]\n __se_sys_exit_group kernel/exit.c:1030 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030\n x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n 
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\nRIP: 0033:0x7f28b1b8e169\nCode: Unable to access opcode bytes at 0x7f28b1b8e13f.\nRSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360\nR10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360\nR13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520\n </TASK>\n\nAllocated by task 569:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429\n alloc_inode_sb include/linux/fs.h:3245 [inline]\n f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x186/0x880 fs/inode.c:1373\n f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483\n f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487\n __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690\n lookup_slow+0x57/0x70 fs/namei.c:1707\n walk_component+0x2e6/0x410 
fs/namei\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15df59809c54fbd687cdf27efbd2103a937459be","https://git.kernel.org/stable/c/42f9ea16aea8b49febaa87950a006a1792209f38","https://git.kernel.org/stable/c/4732ca17c17f5062426cfa982f43593e6b81963b","https://git.kernel.org/stable/c/5cd99d5aa3d39086bdb53eb5c52df16e98b101a0","https://git.kernel.org/stable/c/880ef748e78a1eb7df2d8e11a9ef21e98bcaabe5","https://git.kernel.org/stable/c/9535e440fe5bc6c5ac7cfb407e53bf788b8bf8d4","https://git.kernel.org/stable/c/97df495d754116c8c28ac6a4112f831727bde887","https://git.kernel.org/stable/c/9bbfe83924946552c4c513099c0e8c83af76311a","https://git.kernel.org/stable/c/a509a55f8eecc8970b3980c6f06886bbff0e2f68","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38578","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n\nsyzbot reported an UAF issue as below: [1] [2]\n\n[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000\n\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8\n\nCPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G        W          6.1.129-syzkaller-00017-g642656a36791 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106\n print_address_description 
mm/kasan/report.c:316 [inline]\n print_report+0x158/0x4e0 mm/kasan/report.c:427\n kasan_report+0x13c/0x170 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553\n f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588\n f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706\n f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677\n writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903\n __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974\n wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081\n wb_check_background_flush fs/fs-writeback.c:2151 [inline]\n wb_do_writeback fs/fs-writeback.c:2239 [inline]\n wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266\n process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299\n worker_thread+0xa60/0x1260 kernel/workqueue.c:2446\n kthread+0x26d/0x300 kernel/kthread.c:386\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n\nAllocated by task 298:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333\n kasan_slab_alloc include/linux/kasan.h:202 [inline]\n slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768\n slab_alloc_node mm/slub.c:3421 [inline]\n slab_alloc mm/slub.c:3431 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3438 [inline]\n kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454\n alloc_inode_sb include/linux/fs.h:3255 [inline]\n f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x18c/0x7e0 fs/inode.c:1373\n f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486\n f2fs_lookup+0x3c1/0xb50 
fs/f2fs/namei.c:484\n __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689\n lookup_slow+0x5a/0x80 fs/namei.c:1706\n walk_component+0x2e7/0x410 fs/namei.c:1997\n lookup_last fs/namei.c:2454 [inline]\n path_lookupat+0x16d/0x450 fs/namei.c:2478\n filename_lookup+0x251/0x600 fs/namei.c:2507\n vfs_statx+0x107/0x4b0 fs/stat.c:229\n vfs_fstatat fs/stat.c:267 [inline]\n vfs_lstat include/linux/fs.h:3434 [inline]\n __do_sys_newlstat fs/stat.c:423 [inline]\n __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417\n __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417\n x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\n\nFreed by task 0:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516\n ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241\n __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249\n kasan_slab_free include/linux/kasan.h:178 [inline]\n slab_free_hook mm/slub.c:1745 [inline]\n slab_free_freelist_hook mm/slub.c:1771 [inline]\n slab_free mm/slub.c:3686 [inline]\n 
kmem_cache_free+0x\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1edf68272b8cba2b2817ef1488ecb9f0f84cb6a0","https://git.kernel.org/stable/c/37e78cad7e9e025e63bb35bc200f44637b009bb1","https://git.kernel.org/stable/c/3d37cadaac1a8e108e576297aab9125b24ea2dfe","https://git.kernel.org/stable/c/4dcd830c420f2190ae32f03626039fde7b57b2ad","https://git.kernel.org/stable/c/6cac47af39b2b8edbb41d47c3bd9c332f83e9932","https://git.kernel.org/stable/c/7c30d79930132466f5be7d0b57add14d1a016bda","https://git.kernel.org/stable/c/917ae5e280bc263f56c83fba0d0f0be2c4828083","https://git.kernel.org/stable/c/a4b0cc9e0bba7525a29f37714e88df12a47997a2","https://git.kernel.org/stable/c/dea243f58a8391e76f42ad5eb59ff210519ee772","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38565","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Exit early on perf_mmap() fail\n\nWhen perf_mmap() fails to allocate a buffer, it still invokes the\nevent_mapped() callback of the related event. On X86 this might increase\nthe perf_rdpmc_allowed reference counter. 
But nothing undoes this as\nperf_mmap_close() is never called in this case, which causes another\nreference count leak.\n\nReturn early on failure to prevent that.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07091aade394f690e7b655578140ef84d0e8d7b0","https://git.kernel.org/stable/c/163b0d1a209fe0df5476c1df2330ca12b55abf92","https://git.kernel.org/stable/c/27d44145bd576bbef9bf6165bcd78128ec3e6cbd","https://git.kernel.org/stable/c/5ffda7f3ed76ec8defc19d985e33b3b82ba07839","https://git.kernel.org/stable/c/7ff8521f30c4c2fcd4e88bd7640486602bf8a650","https://git.kernel.org/stable/c/92043120a2e992800580855498ab8507e1b22db9","https://git.kernel.org/stable/c/9b90a48c7de828a15c7a4fc565d46999c6e22d6b","https://git.kernel.org/stable/c/de85e72598d89880a02170a1cbc27b35a7d978a9","https://git.kernel.org/stable/c/f41e9eba77bf97626e04296dc5677d02816d2432","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38569","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbenet: fix BUG when creating VFs\n\nbenet crashes as soon as SRIOV VFs are created:\n\n kernel BUG at mm/vmalloc.c:3457!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary)\n [...]\n RIP: 0010:vunmap+0x5f/0x70\n [...]\n Call Trace:\n  <TASK>\n  __iommu_dma_free+0xe8/0x1c0\n  be_cmd_set_mac_list+0x3fe/0x640 [be2net]\n  be_cmd_set_mac+0xaf/0x110 [be2net]\n  be_vf_eth_addr_config+0x19f/0x330 [be2net]\n  be_vf_setup+0x4f7/0x990 [be2net]\n  be_pci_sriov_configure+0x3a1/0x470 [be2net]\n  sriov_numvfs_store+0x20b/0x380\n  kernfs_fop_write_iter+0x354/0x530\n  
vfs_write+0x9b9/0xf60\n  ksys_write+0xf3/0x1d0\n  do_syscall_64+0x8c/0x3d0\n\nbe_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh.\nFix it by freeing only after the lock has been released.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ddfe8b127ef1149fddccb79db6e6eaba7738e7d","https://git.kernel.org/stable/c/3697e37e012bbd2bb5a5b467689811ba097b2eff","https://git.kernel.org/stable/c/46d44a23a3723a89deeb65b13cddb17f8d9f2700","https://git.kernel.org/stable/c/5a40f8af2ba1b9bdf46e2db10e8c9710538fbc63","https://git.kernel.org/stable/c/975e73b9102d844a3dc3f091ad631c56145c8b4c","https://git.kernel.org/stable/c/c377ba2be9430d165a98e4b782902ed630bc7546","https://git.kernel.org/stable/c/d5dc09ee5d74277bc47193fe28ce8703e229331b","https://git.kernel.org/stable/c/f4e4e0c4bc4d799d6fa39055acdbc3af066cd13e","https://git.kernel.org/stable/c/f80b34ebc579216407b128e9d155bfcae875c30f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38560","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Evict cache lines during SNP memory validation\n\nAn SNP cache coherency vulnerability requires a cache line eviction\nmitigation when validating memory after a page state change to private.\nThe specific mitigation is to touch the first and last byte of each 4K\npage that is being validated. 
There is no need to perform the mitigation\nwhen performing a page state change to shared and rescinding validation.\n\nCPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit\nthat, when set, indicates that the software mitigation for this\nvulnerability is not needed.\n\nImplement the mitigation and invoke it when validating memory (making it\nprivate) and the COHERENCY_SFW_NO bit is not set, indicating the SNP\nguest is vulnerable.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fb873971e23c35c53823c62809a474a92bc3022","https://git.kernel.org/stable/c/1fec416c03d0a64cc21aa04ce4aa14254b017e6a","https://git.kernel.org/stable/c/7b306dfa326f70114312b320d083b21fa9481e1e","https://git.kernel.org/stable/c/a762a4c8d9e768b538b3cc60615361a8cf377de8","https://git.kernel.org/stable/c/aed15fc08f15dbb15822b2a0b653f67e76aa0fdf","https://git.kernel.org/stable/c/f92af52e6dbd8d066d77beba451e0230482dc45b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38561","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Preauh_HashValue race condition\n\nIf client send multiple session setup requests to ksmbd,\nPreauh_HashValue race condition could happen.\nThere is no need to free sess->Preauh_HashValue at session setup phase.\nIt can be freed together with session at connection termination 
phase.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00029,"ranking_epss":0.08254,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6","https://git.kernel.org/stable/c/6613887da1d18dd2ecfd6c6148a873c4d903ebdc","https://git.kernel.org/stable/c/7d7c0c5304c88bcbd7a85e9bcd61d27e998ba5fc","https://git.kernel.org/stable/c/b69fd87076daa66f3d186bd421a7b0ee0cb45829","https://git.kernel.org/stable/c/edeecc7871e8fc0878d53ce286c75040a0e38f6c","https://git.kernel.org/stable/c/fbf5c0845ed15122a770bca9be1d9b60b470d3aa","https://www.zerodayinitiative.com/advisories/ZDI-25-916/","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38562","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference error in generate_encryptionkey\n\nIf client send two session setups with krb5 authenticate to ksmbd,\nnull pointer dereference error in generate_encryptionkey could happen.\nsess->Preauth_HashValue is set to NULL if session is valid.\nSo this patch skip generate encryption key if session is 
valid.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03678,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/015ef163d65496ae3ba6192c96140a22743f0353","https://git.kernel.org/stable/c/2a30ed6428ce83afedca1a6c5c5c4247bcf12d0e","https://git.kernel.org/stable/c/96a82e19434a2522525baab59c33332658bc7653","https://git.kernel.org/stable/c/9b493ab6f35178afd8d619800df9071992f715de","https://git.kernel.org/stable/c/9c2dbbc959e1fcc6f603a1a843e9cf743ba383bb","https://git.kernel.org/stable/c/d79c8bebaa622ee223128be7c66d8aaeeb634a57","https://www.zerodayinitiative.com/advisories/ZDI-25-917/","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38563","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()'ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. 
This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04466,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3bd518cc7ea61076bcd725e36ff0e690754977c0","https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb","https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121","https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b","https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6","https://git.kernel.org/stable/c/d52451a9210f2e5a079ba052918c93563518a9ff","https://git.kernel.org/stable/c/e4346ffec2c44d6b0be834d59b20632b5bb5729e","https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f","https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd","https://www.zerodayinitiative.com/advisories/ZDI-25-873/","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38555","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget : fix use-after-free in composite_dev_cleanup()\n\n1. 
In func configfs_composite_bind() -> composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev->os_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. in func configfs_composite_bind() -> composite_dev_cleanup():\nit will checks whether cdev->os_desc_req is NULL. If it is not NULL, it\nwill attempt to use it.This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/151c0aa896c47a4459e07fee7d4843f44c1bb18e","https://git.kernel.org/stable/c/2db29235e900a084a656dea7e0939b0abb7bb897","https://git.kernel.org/stable/c/5f06ee9f9a3665d43133f125c17e5258a13f3963","https://git.kernel.org/stable/c/8afb22aa063f706f3343707cdfb8cda4d021dd33","https://git.kernel.org/stable/c/aada327a9f8028c573636fa60c0abc80fb8135c9","https://git.kernel.org/stable/c/bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba","https://git.kernel.org/stable/c/dba96dfa5a0f685b959dd28a52ac8dab0b805204","https://git.kernel.org/stable/c/e1be1f380c82a69f80c68c96a7cfe8759fb30355","https://git.kernel.org/stable/c/e624bf26127645a2f7821e73fdf6dc64bad07835","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T17:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38553","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nnet/sched: Restrict conditions for adding duplicating netems to qdisc tree\n\nnetem_enqueue's duplication prevention logic breaks when a netem\nresides in a qdisc tree with other netems - this can lead to a\nsoft lockup and OOM loop in netem_dequeue, as seen in [1].\nEnsure that a duplicating netem cannot exist in a tree with other\nnetems.\n\nPrevious approaches suggested in discussions in chronological order:\n\n1) Track duplication status or ttl in the sk_buff struct. Considered\ntoo specific a use case to extend such a struct, though this would\nbe a resilient fix and address other previous and potential future\nDOS bugs like the one described in loopy fun [2].\n\n2) Restrict netem_enqueue recursion depth like in act_mirred with a\nper cpu variable. However, netem_dequeue can call enqueue on its\nchild, and the depth restriction could be bypassed if the child is a\nnetem.\n\n3) Use the same approach as in 2, but add metadata in netem_skb_cb\nto handle the netem_dequeue case and track a packet's involvement\nin duplication. This is an overly complex approach, and Jamal\nnotes that the skb cb can be overwritten to circumvent this\nsafeguard.\n\n4) Prevent the addition of a netem to a qdisc tree if its ancestral\npath contains a netem. 
However, filters and actions can cause a\npacket to change paths when re-enqueued to the root from netem\nduplication, leading us to the current solution: prevent a\nduplicating netem from inhabiting the same tree as other netems.\n\n[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/\n[2] https://lwn.net/Articles/719297/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01828,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09317dfb681ac5a96fc69bea0c54441cf91b8270","https://git.kernel.org/stable/c/103c4e27ec9f5fe53022e46e976abf52c7221baf","https://git.kernel.org/stable/c/250f8796006c0f2bc638ce545f601d49ae8d528b","https://git.kernel.org/stable/c/325f5ec67cc0a77f2d0d453445b9857f1cd06c76","https://git.kernel.org/stable/c/795cb393e38977aa991e70a9363da0ee734b2114","https://git.kernel.org/stable/c/ad340a4b4adb855b18b3666f26ad65c8968e2deb","https://git.kernel.org/stable/c/cab2809944989889f88a1a8b5cff1c78460c72cb","https://git.kernel.org/stable/c/ec8e0e3d7adef940cdf9475e2352c0680189d14e","https://git.kernel.org/stable/c/f088b6ebe8797a3f948d2cae47f34bfb45cc6522","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-19T06:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38550","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Delay put pmc->idev in mld_del_delrec()\n\npmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()\ndoes, the reference should be put after ip6_mc_clear_src() 
return.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5f18e0130194550dff734e155029ae734378b5ea","https://git.kernel.org/stable/c/6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806","https://git.kernel.org/stable/c/728db00a14cacb37f36e9382ab5fad55caf890cc","https://git.kernel.org/stable/c/7929d27c747eafe8fca3eecd74a334503ee4c839","https://git.kernel.org/stable/c/ae3264a25a4635531264728859dbe9c659fad554","https://git.kernel.org/stable/c/dcbc346f50a009d8b7f4e330f9f2e22d6442fa26","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38552","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: plug races between subflow fail and subflow creation\n\nWe have races similar to the one addressed by the previous patch between\nsubflow failing and additional subflow creation. They are just harder to\ntrigger.\n\nThe solution is similar. 
Use a separate flag to track the condition\n'socket state prevent any additional subflow creation' protected by the\nfallback lock.\n\nThe socket fallback makes such flag true, and also receiving or sending\nan MP_FAIL option.\n\nThe field 'allow_infinite_fallback' is now always touched under the\nrelevant lock, we can drop the ONCE annotation on write.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/659da22dee5ff316ba63bdaeeac7b58b5442f6c2","https://git.kernel.org/stable/c/7c96d519ee15a130842a6513530b4d20acd2bfcd","https://git.kernel.org/stable/c/c476d627584b7589a134a8b48dd5c6639e4401c5","https://git.kernel.org/stable/c/def5b7b2643ebba696fc60ddf675dca13f073486","https://git.kernel.org/stable/c/f81b6fbe13c7fc413b5158cdffc6a59391a2a8db","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38542","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix device refcount leak in atrtr_create()\n\nWhen updating an existing route entry in atrtr_create(), the old device\nreference was not being released before assigning the new device,\nleading to a device refcount leak. 
Fix this by calling dev_put() to\nrelease the old device reference before holding the new one.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/473f3eadfc73b0fb6d8dee5829d19a5772e387f7","https://git.kernel.org/stable/c/4a17370da6e476d3d275534e9e9cd2d02c57ca46","https://git.kernel.org/stable/c/64124cf0aab0dd1e18c0fb5ae66e45741e727f8b","https://git.kernel.org/stable/c/711c80f7d8b163d3ecd463cd96f07230f488e750","https://git.kernel.org/stable/c/a7852b01793669248dce0348d14df89e77a32afd","https://git.kernel.org/stable/c/b2f5dfa87367fdce9f8b995bc6c38f64f9ea2c90","https://git.kernel.org/stable/c/b92bedf71f25303e203a4e657489d76691a58119","https://git.kernel.org/stable/c/d2e9f50f0bdad73b64a871f25186b899624518c4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38543","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: nvdec: Fix dma_alloc_coherent error check\n\nCheck for NULL return value with dma_alloc_coherent, in line with\nRobin's fix for vic.c in 'drm/tegra: vic: Fix DMA API 
misuse'.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e0812eedccd0629d73c9d0b1184a5db055df1da","https://git.kernel.org/stable/c/44306a684cd1699b8562a54945ddc43e2abc9eab","https://git.kernel.org/stable/c/61b8d20962d00b7df117011c52f97cbb9c76a669","https://git.kernel.org/stable/c/a560de522374af931fa994d161db3667b0bb2545","https://git.kernel.org/stable/c/d1240029f97ac8c06db4dd4407bbbf83e8d08570","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38546","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix memory leak of struct clip_vcc.\n\nioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to\nvcc->user_back.\n\nThe code assumes that vcc_destroy_socket() passes NULL skb\nto vcc->push() when the socket is close()d, and then clip_push()\nfrees clip_vcc.\n\nHowever, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in\natm_init_atmarp(), resulting in memory leak.\n\nLet's serialise two ioctl() by lock_sock() and check vcc->push()\nin atm_init_atmarp() to prevent 
memleak.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90","https://git.kernel.org/stable/c/1c075e88d5859a2c6b43b27e0e46fb281cef8039","https://git.kernel.org/stable/c/1fb9fb5a4b5cec2d56e26525ef8c519de858fa60","https://git.kernel.org/stable/c/2fb37ab3226606cbfc9b2b6f9e301b0b735734c5","https://git.kernel.org/stable/c/62dba28275a9a3104d4e33595c7b3328d4032d8d","https://git.kernel.org/stable/c/9e4dbeee56f614e3f1e166e5d0655a999ea185ef","https://git.kernel.org/stable/c/9f771816f14da6d6157a8c30069091abf6b566fb","https://git.kernel.org/stable/c/cb2e4a2f8f268d8fba6662f663a2e57846f14a8d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38548","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (corsair-cpro) Validate the size of the received input buffer\n\nAdd buffer_recv_size to store the size of the received bytes.\nValidate buffer_recv_size in 
send_usb_cmd().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0db770e2922389753ddbd6663a5516a32b97b743","https://git.kernel.org/stable/c/2771d2ee3d95700f34e1e4df6a445c90565cd4e9","https://git.kernel.org/stable/c/2e6f4d9cfbda52700c126c5a2b93dd2042e8680c","https://git.kernel.org/stable/c/3c4bdc8a852e446080adc8ceb90ddd67a56e1bb8","https://git.kernel.org/stable/c/495a4f0dce9c8c4478c242209748f1ee9e4d5820","https://git.kernel.org/stable/c/4eb5cc48399f89b63acdbfe912fa5c8fe2900147","https://git.kernel.org/stable/c/eda5e38cc4dd2dcb422840540374910ef2818494","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38535","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode\n\nWhen transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code\nassumed that the regulator should be disabled. However, if the regulator\nis marked as always-on, regulator_is_enabled() continues to return true,\nleading to an incorrect attempt to disable a regulator which is not\nenabled.\n\nThis can result in warnings such as:\n\n[  250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004\n_regulator_disable+0xe4/0x1a0\n[  250.155652] unbalanced disables for VIN_SYS_5V0\n\nTo fix this, we move the regulator control logic into\ntegra186_xusb_padctl_id_override() function since it's directly related\nto the ID override state. The regulator is now only disabled when the role\ntransitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID\nregister. 
This ensures that regulator enable/disable operations are\nproperly balanced and only occur when actually transitioning to/from host\nmode.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.0365,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bb85b5c2bd43b687c3d54eb6328917f90dd38fc","https://git.kernel.org/stable/c/5367cdeb75cb6c687ca468450bceb2602ab239d8","https://git.kernel.org/stable/c/cdcb0ffd6448f6be898956913a42bd08e59fb2ae","https://git.kernel.org/stable/c/ceb645ac6ce052609ee5c8f819a80e8881789b04","https://git.kernel.org/stable/c/cefc1caee9dd06c69e2d807edc5949b329f52b22","https://git.kernel.org/stable/c/eaa420339658615d26c1cc95cd6cf720b9aebfca","https://git.kernel.org/stable/c/ec7f98ff05f0649af0adeb4808c7ba23d6111ef9","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38538","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf->chan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements.  These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved.  In this case, we're\ncopying data from the irqbuf[] array into the nbpf->chan[] array.  If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync.  I added a check to ensure that we don't go beyond the\nend of the irqbuf[] array.  I'm pretty sure this can't happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be.  
In the original\ncode we went one element beyond the end of the array so the iterator\nwasn't in the correct place and it would always return -EINVAL.  However,\nnow it will always be in the correct place.  I deleted the check since\nwe know the result.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.05032,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/122160289adf8ebf15060f1cbf6265b55a914948","https://git.kernel.org/stable/c/188c6ba1dd925849c5d94885c8bbdeb0b3dcf510","https://git.kernel.org/stable/c/24861ef8b517a309a4225f2793be0cd8fa0bec9e","https://git.kernel.org/stable/c/4bb016438335ec02b01f96bf1367378c2bfe03e5","https://git.kernel.org/stable/c/84fff8e6f11b9af1407e273995b5257d99ff0cff","https://git.kernel.org/stable/c/aec396b4f736f3f8d2c28a9cd2924a4ada57ae87","https://git.kernel.org/stable/c/d6bbd67ab5de37a74ac85c83c5a26664b62034dd","https://git.kernel.org/stable/c/f366b36c5e3ce29c9a3c8eed3d1631908e4fc8bb","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38539","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add down_write(trace_event_sem) when adding trace event\n\nWhen a module is loaded, it adds trace events defined by the module. 
It\nmay also need to modify the modules trace printk formats to replace enum\nnames with their values.\n\nIf two modules are loaded at the same time, the adding of the event to the\nftrace_events list can corrupt the walking of the list in the code that is\nmodifying the printk format strings and crash the kernel.\n\nThe addition of the event should take the trace_event_sem for write while\nit adds the new event.\n\nAlso add a lockdep_assert_held() on that semaphore in\n__trace_add_event_dirs() as it iterates the list.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/33e20747b47ddc03569b6bc27a2d6894c1428182","https://git.kernel.org/stable/c/6bc94f20a4c304997288f9a45278c9d0c06987d3","https://git.kernel.org/stable/c/70fecd519caad0c1741c3379d5348c9000a5b29d","https://git.kernel.org/stable/c/7803b28c9aa8d8bd4e19ebcf5f0db9612b0f333b","https://git.kernel.org/stable/c/b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df","https://git.kernel.org/stable/c/ca60064ea03f14e06c763de018403cb56ba3207d","https://git.kernel.org/stable/c/db45632479ceecb669612ed8dbce927e3c6279fc","https://git.kernel.org/stable/c/e70f5ee4c8824736332351b703c46f9469ed7f6c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38540","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n\nThe Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)\nreport a HID sensor interface that is not actually implemented.\nAttempting to access this non-functional sensor via iio_info causes\nsystem hangs as runtime PM tries to wake up an unresponsive sensor.\n\nAdd these 2 devices to the 
HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b297ab6f38ca60a4ca7298b297944ec6043b2f4","https://git.kernel.org/stable/c/2b0931eee48208c25bb77486946dea8e96aa6a36","https://git.kernel.org/stable/c/35f1a5360ac68d9629abbb3930a0a07901cba296","https://git.kernel.org/stable/c/3ce1d87d1f5d80322757aa917182deb7370963b9","https://git.kernel.org/stable/c/54bae4c17c11688339eb73a04fd24203bb6e7494","https://git.kernel.org/stable/c/7ac00f019698f614a49cce34c198d0568ab0e1c2","https://git.kernel.org/stable/c/a2a91abd19c574b598b1c69ad76ad9c7eedaf062","https://git.kernel.org/stable/c/c72536350e82b53a1be0f3bfdf1511bba2827102","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38527","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n  cifs_oplock_break()\n    _cifsFileInfo_put(cfile)\n      cifsFileInfo_put_final()\n        cifs_sb_deactive()\n          [last ref, start releasing sb]\n            kill_sb()\n              kill_anon_super()\n                generic_shutdown_super()\n                  evict_inodes()\n                    dispose_list()\n                      evict()\n                        destroy_inode()\n                          call_rcu(&inode->i_rcu, i_callback)\n    spin_lock(&cinode->open_file_lock)  <- OK\n                            [later] i_callback()\n                              
cifs_free_inode()\n                                kmem_cache_free(cinode)\n    spin_unlock(&cinode->open_file_lock)  <- UAF\n    cifs_done_oplock_break(cinode)       <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.03615,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc","https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b","https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995","https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308","https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210","https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38528","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject %p% format string in bprintf-like helpers\n\nstatic const char fmt[] = \"%p%\";\n    bpf_trace_printk(fmt, sizeof(fmt));\n\nThe above BPF program isn't rejected and causes a kernel warning at\nruntime:\n\n    Please remove unsupported %\\x00 in format string\n    WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0\n\nThis happens because bpf_bprintf_prepare skips 
over the second %,\ndetected as punctuation, while processing %p. This patch fixes it by\nnot skipping over punctuation. %\\x00 is then processed in the next\niteration and rejected.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1c5f5fd47bbda17cb885fe6f03730702cd53d3f8","https://git.kernel.org/stable/c/61d5fa45ed13e42af14c7e959baba9908b8ee6d4","https://git.kernel.org/stable/c/6952aeace93f8c9ea01849efecac24dd3152c9c9","https://git.kernel.org/stable/c/97303e541e12f1fea97834ec64b98991e8775f39","https://git.kernel.org/stable/c/e7be679124bae8cf4fa6e40d7e1661baddfb3289","https://git.kernel.org/stable/c/f8242745871f81a3ac37f9f51853d12854fd0b58","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38529","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: aio_iiro_16: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 << it->options[1]) & 0xdcfc) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. 
The value 0 explicitly disables the use of\ninterrupts.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43ddd82e6a91913cea1c078e782afd8de60c3a53","https://git.kernel.org/stable/c/5ac7c60439236fb691b8c7987390e2327bbf18fa","https://git.kernel.org/stable/c/66acb1586737a22dd7b78abc63213b1bcaa100e4","https://git.kernel.org/stable/c/955e8835855fed8e87f7d8c8075564a1746c1b4c","https://git.kernel.org/stable/c/a88692245c315bf8e225f205297a6f4b13d6856a","https://git.kernel.org/stable/c/c593215385f0c0163015cca4512ed3ff42875d19","https://git.kernel.org/stable/c/e0f3c0867d7d231c70984f05c97752caacd0daba","https://git.kernel.org/stable/c/ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38530","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl812: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 << it->options[1]) & board->irq_bits) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. 
The value 0 explicitly disables the use of\ninterrupts.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00016,"ranking_epss":0.0375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0489c30d080f07cc7f09d04de723d8c2ccdb61ef","https://git.kernel.org/stable/c/16c173abee315953fd17a279352fec4a1faee862","https://git.kernel.org/stable/c/29ef03e5b84431171d6b77b822985b54bc44b793","https://git.kernel.org/stable/c/374d9b3eb4b08407997ef1fce96119d31e0c0bc4","https://git.kernel.org/stable/c/5bfa301e1e59a9b1a7b62a800b54852337c97416","https://git.kernel.org/stable/c/7e470d8efd10725b189ca8951973a8425932398a","https://git.kernel.org/stable/c/a27e27eee313fe1c450b6af1e80e64412546cab4","https://git.kernel.org/stable/c/b14b076ce593f72585412fc7fd3747e03a5e3632","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38520","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Don't call mmput from MMU notifier callback\n\nIf the process is exiting, the mmput inside mmu notifier callback from\ncompactd or fork or numa balancing could release the last reference\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock\nwith below backtrace.\n\nThe deadlock will leak kfd process as mmu notifier release is not called\nand cause VRAM leaking.\n\nThe fix is to take mm reference mmget_non_zero when adding prange to the\ndeferred list to pair with mmput in deferred list work.\n\nIf prange split and add into pchild list, the pchild work_item.mm is not\nused, so remove the mm parameter from svm_range_unmap_split and\nsvm_range_add_child.\n\nThe backtrace of hung task:\n\n INFO: task python:348105 blocked for more than 64512 seconds.\n Call Trace:\n  __schedule+0x1c3/0x550\n  
schedule+0x46/0xb0\n  rwsem_down_write_slowpath+0x24b/0x4c0\n  unlink_anon_vmas+0xb1/0x1c0\n  free_pgtables+0xa9/0x130\n  exit_mmap+0xbc/0x1a0\n  mmput+0x5a/0x140\n  svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]\n  mn_itree_invalidate+0x72/0xc0\n  __mmu_notifier_invalidate_range_start+0x48/0x60\n  try_to_unmap_one+0x10fa/0x1400\n  rmap_walk_anon+0x196/0x460\n  try_to_unmap+0xbb/0x210\n  migrate_page_unmap+0x54d/0x7e0\n  migrate_pages_batch+0x1c3/0xae0\n  migrate_pages_sync+0x98/0x240\n  migrate_pages+0x25c/0x520\n  compact_zone+0x29d/0x590\n  compact_zone_order+0xb6/0xf0\n  try_to_compact_pages+0xbe/0x220\n  __alloc_pages_direct_compact+0x96/0x1a0\n  __alloc_pages_slowpath+0x410/0x930\n  __alloc_pages_nodemask+0x3a9/0x3e0\n  do_huge_pmd_anonymous_page+0xd7/0x3e0\n  __handle_mm_fault+0x5e3/0x5f0\n  handle_mm_fault+0xf7/0x2e0\n  hmm_vma_fault.isra.0+0x4d/0xa0\n  walk_pmd_range.isra.0+0xa8/0x310\n  walk_pud_range+0x167/0x240\n  walk_pgd_range+0x55/0x100\n  __walk_page_range+0x87/0x90\n  walk_page_range+0xf6/0x160\n  hmm_range_fault+0x4f/0x90\n  amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]\n  amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]\n  init_user_pages+0xb1/0x2a0 [amdgpu]\n  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]\n  kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]\n  kfd_ioctl+0x29d/0x500 [amdgpu]\n\n(cherry picked from commit 
a29e067bd38946f752b0ef855f3dfff87e77bec7)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02173,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/145a56bd68f4bff098d59fbc7c263d20dfef4fc4","https://git.kernel.org/stable/c/a7eb0a25010a674c8fdfbece38353ef7be8c5834","https://git.kernel.org/stable/c/c1bde9d48e09933c361521720f77a8072083c83a","https://git.kernel.org/stable/c/cf234231fcbc7d391e2135b9518613218cc5347f","https://git.kernel.org/stable/c/e90ee15ce28c61f6d83a0511c3e02e2662478350","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38510","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: remove kasan_find_vm_area() to prevent possible deadlock\n\nfind_vm_area() couldn't be called in atomic_context.  If find_vm_area() is\ncalled to reports vm area information, kasan can trigger deadlock like:\n\nCPU0                                CPU1\nvmalloc();\n alloc_vmap_area();\n  spin_lock(&vn->busy.lock)\n                                    spin_lock_bh(&some_lock);\n   <interrupt occurs>\n   <in softirq>\n   spin_lock(&some_lock);\n                                    <access invalid address>\n                                    kasan_report();\n                                     print_report();\n                                      print_address_description();\n                                       kasan_find_vm_area();\n                                        find_vm_area();\n                                         spin_lock(&vn->busy.lock) // deadlock!\n\nTo prevent possible deadlock while kasan reports, remove 
kasan_find_vm_area().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c3566d831def922cd56322c772a7b20d8b0e0c0","https://git.kernel.org/stable/c/2d89dab1ea6086e6cbe6fe92531b496fb6808cb9","https://git.kernel.org/stable/c/595f78d99b9051600233c0a5c4c47e1097e6ed01","https://git.kernel.org/stable/c/6ee9b3d84775944fb8c8a447961cd01274ac671c","https://git.kernel.org/stable/c/8377d7744bdce5c4b3f1b58924eebd3fdc078dfc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38512","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: prevent A-MSDU attacks in mesh networks\n\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\nbe considered a variant of CVE-2020-24588 but for mesh networks.\n\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\nby an adversary. This is done by parsing a received A-MSDU as a standard\nMSDU, calculating the length of the Mesh Control header, and seeing if\nthe 6 bytes after this header equal the start of an rfc1042 header. If\nequal, this is a strong indication of an ongoing attack attempt.\n\nThis defense was tested with mac80211_hwsim against a mesh network that\nuses an empty Mesh Address Extension field, i.e., when four addresses\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\nwhen six addresses are used. 
Functionality of normal MSDUs and A-MSDUs\nwas also tested, and confirmed working, when using both an empty and\n12-byte Mesh Address Extension field.\n\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\nnetworks keep being detected and prevented.\n\nNote that the vulnerability being patched, and the defense being\nimplemented, was also discussed in the following paper and in the\nfollowing IEEE 802.11 presentation:\n\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6e3b09402cc6c3e3474fa548e8adf6897dda05de","https://git.kernel.org/stable/c/737bb912ebbe4571195c56eba557c4d7315b26fb","https://git.kernel.org/stable/c/e01851f6e9a665a6011b14714b271d3e6b0b8d32","https://git.kernel.org/stable/c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80","https://git.kernel.org/stable/c/ec6392061de6681148b63ee6c8744da833498cdd","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38513","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). 
For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len > ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(&q->lock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i<position; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac->type == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(&q->lock, flags);\n\n    skb_dequeue() -> NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047","https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298","https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d","https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023","https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae","https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc","https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0","https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38514","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix oops due to non-existence of prealloc backlog struct\n\nIf an AF_RXRPC service socket is opened and bound, but calls are\npreallocated, then rxrpc_alloc_incoming_call() will oops because the\nrxrpc_backlog struct doesn't get allocated until the first preallocation is\nmade.\n\nFix this by returning NULL from rxrpc_alloc_incoming_call() if there is no\nbacklog struct.  
This will cause the incoming call to be aborted.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0eef29385d715d4c7fd707b18d4a9b76c76dd5e6","https://git.kernel.org/stable/c/2c2e9ebeb036f9b1b09325ec5cfdfe0e78f357c3","https://git.kernel.org/stable/c/880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4","https://git.kernel.org/stable/c/bf0ca6a1bc4fb904b598137c6718785a107e3adf","https://git.kernel.org/stable/c/d1ff5f9d2c5405681457262e23c720b08977c11f","https://git.kernel.org/stable/c/efc1b2b7c1a308b60df8f36bc2d7ce16d3999364","https://git.kernel.org/stable/c/f5e72b7824d08c206ce106d30cb37c4642900ccc","https://git.kernel.org/stable/c/f7afb3ff01c42c49e8a143cdce400b95844bb506","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38515","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Increment job count before swapping tail spsc queue\n\nA small race exists between spsc_queue_push and the run-job worker, in\nwhich spsc_queue_push may return not-first while the run-job worker has\nalready idled due to the job count being zero. 
If this race occurs, job\nscheduling stops, leading to hangs while waiting on the job’s DMA\nfences.\n\nSeal this race by incrementing the job count before appending to the\nSPSC queue.\n\nThis race was observed on a drm-tip 6.16-rc1 build with the Xe driver in\nan SVM test case.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00016,"ranking_epss":0.03637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0","https://git.kernel.org/stable/c/8af39ec5cf2be522c8eb43a3d8005ed59e4daaee","https://git.kernel.org/stable/c/c64f5310530baf75328292f9b9f3f2961d185183","https://git.kernel.org/stable/c/e2d6547dc8b9b332f9bc00875197287a6a4db65a","https://git.kernel.org/stable/c/e62f51d0ec8a9baf324caf9a564f8e318d36a551","https://git.kernel.org/stable/c/ef58a95457466849fa7b31fd3953801a5af0f58b","https://git.kernel.org/stable/c/ef841f8e4e1ff67817ca899bedc5ebb00847c0a7","https://git.kernel.org/stable/c/f9a4f28a4fc4ee453a92a9abbe36e26224d17749","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38516","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: qcom: msm: mark certain pins as invalid for interrupts\n\nOn some platforms, the UFS-reset pin has no interrupt logic in TLMM but\nis nevertheless registered as a GPIO in the kernel. This enables the\nuser-space to trigger a BUG() in the pinctrl-msm driver by running, for\nexample: `gpiomon -c 0 113` on RB2.\n\nThe exact culprit is requesting pins whose intr_detection_width setting\nis not 1 or 2 for interrupts. This hits a BUG() in\nmsm_gpio_irq_set_type(). 
Potentially crashing the kernel due to an\ninvalid request from user-space is not optimal, so let's go through the\npins and mark those that would fail the check as invalid for the irq chip\nas we should not even register them as available irqs.\n\nThis function can be extended if we determine that there are more\ncorner-cases like this.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03513,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d57f7132662e96aace3b8a000616efde289aae1","https://git.kernel.org/stable/c/275605a8b48002fe98675a5c06f3e39c09067ff2","https://git.kernel.org/stable/c/3f8fc02c2582c1dfad1785e9c7bc8b4e1521af0a","https://git.kernel.org/stable/c/6a89563ccf9cd0d745e2291302878a061508573f","https://git.kernel.org/stable/c/93712205ce2f1fb047739494c0399a26ea4f0890","https://git.kernel.org/stable/c/97c9c7daeeb00c6e1d5e84084041f79c2d2dce22","https://git.kernel.org/stable/c/cb4b08a095b1fa4b3fca782757517e4e9a917d8e","https://git.kernel.org/stable/c/cc145e02d6b8494c48f91958d52fa76b7e577f7b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38503","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion when building free space tree\n\nWhen building the free space tree with the block group tree feature\nenabled, we can hit an assertion failure like this:\n\n  BTRFS info (device loop0 state M): rebuilding free space tree\n  assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/free-space-tree.c:1102!\n  Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 
6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  sp : ffff8000a4ce7600\n  x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8\n  x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001\n  x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160\n  x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff\n  x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0\n  x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff\n  x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00\n  x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001\n  x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0\n  x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e\n  Call trace:\n   populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)\n   btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337\n   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n   do_remount fs/namespace.c:3365 [inline]\n   path_mount+0xb34/0xde0 fs/namespace.c:4200\n   do_mount fs/namespace.c:4221 [inline]\n   __do_sys_mount fs/namespace.c:4432 [inline]\n   __se_sys_mount fs/namespace.c:4409 [inline]\n   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n  Code: f0047182 91178042 528089c3 9771d47b (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\nThis happens because we are processing an empty block group, which has\nno extents allocated from it, there are no items for this block group,\nincluding the block group item since block group items are stored in a\ndedicated tree when using the block group tree feature. It also means\nthis is the block group with the highest start offset, so there are no\nhigher keys in the extent root, hence btrfs_search_slot_for_read()\nreturns 1 (no higher key found).\n\nFix this by asserting 'ret' is 0 only if the block group tree feature\nis not enabled, in which case we should find a block group item for\nthe block group since it's stored in the extent root and block group\nitem keys are greater than extent item keys (the value for\nBTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and\nBTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).\nIn case 'ret' is 1, we just need to add a record to the free space\ntree which spans the whole block group, and we can achieve this by\nmaking 'ret == 0' as the while loop's 
condition.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0bcc14f36c7ad37121cf5c0ae18cdde5bfad9c4e","https://git.kernel.org/stable/c/1961d20f6fa8903266ed9bd77c691924c22c8f02","https://git.kernel.org/stable/c/6bbe6530b1db7b4365ce9e86144c18c5d73b2c5b","https://git.kernel.org/stable/c/7c77df23324f60bcff0ea44392e2c82e9486640c","https://git.kernel.org/stable/c/f4428b2d4c68732653e93f748f538bdee639ff80","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T11:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38502","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe indivial programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds an bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n  storage = ctx->prog_item->cgroup_storage[stype];\n\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\n    ptr = &READ_ONCE(storage->buf)->data[0];\n  else\n    ptr = this_cpu_ptr(storage->percpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram's map, not its own. 
With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.04071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c","https://git.kernel.org/stable/c/41688d1fc5d163a6c2c0e95c0419e2cb31a44648","https://git.kernel.org/stable/c/66da7cee78590259b400e51a70622ccd41da7bb2","https://git.kernel.org/stable/c/7acfa07c585e3d7a64654d38f0a5c762877d0b9b","https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513","https://git.kernel.org/stable/c/c1c74584b9b4043c52e41fec415226e582d266a3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T10:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38501","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: limit repeated connections from clients with the same IP\n\nRepeated connections from clients with the same IP address may exhaust\nthe max connections and prevent other normal client connections.\nThis patch limit repeated connections from clients with the same 
IP.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00048,"ranking_epss":0.14809,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6073afe64510c302b7a0683a01e32c012eff715d","https://git.kernel.org/stable/c/7e5d91d3e6c62a9755b36f29c35288f06c3cd86b","https://git.kernel.org/stable/c/cb092fc3a62972a4aa47c9fe356c2c6a01cd840b","https://git.kernel.org/stable/c/e6bb9193974059ddbb0ce7763fa3882bd60d4dc3","https://git.kernel.org/stable/c/f1ce9258bcbce2491f9f71f7882b6eed0b33ec65","https://git.kernel.org/stable/c/fa1c47af4ff641cf9197ecdb1f8240cbb30389c1","http://www.openwall.com/lists/oss-security/2025/09/15/2","https://github.com/keymaker-arch/KSMBDrain","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-16T06:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38500","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn't look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net->xfrmi hash, but since it also exists in the\nxfrmi_net->collect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[    8.516540] kernel BUG at net/core/dev.c:12029!\n[    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 
Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    8.516569] Workqueue: netns cleanup_net\n[    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[    8.516625] PKRU: 55555554\n[    8.516627] Call Trace:\n[    8.516632]  <TASK>\n[    8.516635]  ? rtnl_is_locked+0x15/0x20\n[    8.516641]  ? unregister_netdevice_queue+0x29/0xf0\n[    8.516650]  ops_undo_list+0x1f2/0x220\n[    8.516659]  cleanup_net+0x1ad/0x2e0\n[    8.516664]  process_one_work+0x160/0x380\n[    8.516673]  worker_thread+0x2aa/0x3c0\n[    8.516679]  ? __pfx_worker_thread+0x10/0x10\n[    8.516686]  kthread+0xfb/0x200\n[    8.516690]  ? __pfx_kthread+0x10/0x10\n[    8.516693]  ? __pfx_kthread+0x10/0x10\n[    8.516697]  ret_from_fork+0x82/0xf0\n[    8.516705]  ? 
__pfx_kthread+0x10/0x10\n[    8.516709]  ret_from_fork_asm+0x1a/0x30\n[    8.516718]  </TASK>","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47","https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1","https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4","https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b","https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-12T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38499","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo.  
\"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65","https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3","https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116","https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179","https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2","https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-08-11T16:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38498","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller's mount namespace. 
This change aligns permission checking\nwith the rest of mount(2).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.08083,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93","https://git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fc","https://git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114","https://git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1","https://git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8","https://git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589","https://git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23","https://git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-30T06:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38491","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision atomic\n\nSyzkaller reported the following splat:\n\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  RIP: 0010:__mptcp_do_fallback 
net/mptcp/protocol.h:1223 [inline]\n  RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\n  RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\n  RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\n  RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\n  RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n  R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\n  FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\n  Call Trace:\n   <IRQ>\n   tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\n   tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\n   tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\n   tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\n   tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\n   ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\n   dst_input include/net/dst.h:469 [inline]\n   ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\n   __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\n   __netif_receive_skb+0x1f/0x120 
net/core/dev.c:6088\n   process_backlog+0x301/0x1360 net/core/dev.c:6440\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\n   napi_poll net/core/dev.c:7517 [inline]\n   net_rx_action+0xb44/0x1010 net/core/dev.c:7644\n   handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\n   do_softirq+0x3f/0x90 kernel/softirq.c:480\n   </IRQ>\n   <TASK>\n   __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\n   mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\n   mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\n   __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\n   mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\n   inet_release+0xed/0x200 net/ipv4/af_inet.c:435\n   inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\n   __sock_release+0xb3/0x270 net/socket.c:649\n   sock_close+0x1c/0x30 net/socket.c:1439\n   __fput+0x402/0xb70 fs/file_table.c:465\n   task_work_run+0x150/0x240 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xd4\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05098,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5","https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30","https://git.kernel.org/stable/c/5586518bec27666c747cd52aabb62d485686d0bf","https://git.kernel.org/stable/c/75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2","https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38494","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nHID: core: do not bypass hid_hw_raw_request\n\nhid_hw_raw_request() is actually useful to ensure the provided buffer\nand length are valid. Directly calling in the low level transport driver\nfunction bypassed those checks and allowed invalid paramto be used.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":7e-05,"ranking_epss":0.00441,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e5017d84d650ca0eeaf4a3fe9264c5dbc886b81","https://git.kernel.org/stable/c/19d1314d46c0d8a5c08ab53ddeb62280c77698c0","https://git.kernel.org/stable/c/40e25aa7e4e0f2440c73a683ee448e41c7c344ed","https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f","https://git.kernel.org/stable/c/c2ca42f190b6714d6c481dfd3d9b62ea091c946b","https://git.kernel.org/stable/c/d18f63e848840100dbc351a82e7042eac5a28cf5","https://git.kernel.org/stable/c/dd8e8314f2ce225dade5248dcfb9e2ac0edda624","https://git.kernel.org/stable/c/f10923b8d32a473b229477b63f23bbd72b1e9910","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38495","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: ensure the allocated report buffer can contain the reserved report ID\n\nWhen the report ID is not used, the low level transport drivers expect\nthe first byte to be 0. 
However, currently the allocated buffer not\naccount for that extra byte, meaning that instead of having 8 guaranteed\nbytes for implement to be working, we only have 7.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":6e-05,"ranking_epss":0.00303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4f15ee98304b96e164ff2340e1dfd6181c3f42aa","https://git.kernel.org/stable/c/7228e36c7875e4b035374cf68ca5e44dffa596b2","https://git.kernel.org/stable/c/7fa83d0043370003e9a0b46ab7ae8f53b00fab06","https://git.kernel.org/stable/c/9f2892f7233a8f1320fe671d0f95f122191bfbcd","https://git.kernel.org/stable/c/a262370f385e53ff7470efdcdaf40468e5756717","https://git.kernel.org/stable/c/a47d9d9895bad9ce0e840a39836f19ca0b2a343a","https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2","https://git.kernel.org/stable/c/fcda39a9c5b834346088c14b1374336b079466c1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38497","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Fix OOB read on empty string write\n\nWhen writing an empty string to either 'qw_sign' or 'landingPage'\nsysfs attributes, the store functions attempt to access page[l - 1]\nbefore validating that the length 'l' is greater than zero.\n\nThis patch fixes the vulnerability by adding a check at the beginning\nof os_desc_qw_sign_store() and webusb_landingPage_store() to handle\nthe zero-length input case gracefully by returning 
immediately.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.0394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15a87206879951712915c03c8952a73d6a74721e","https://git.kernel.org/stable/c/22b7897c289cc25d99c603f5144096142a30d897","https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468","https://git.kernel.org/stable/c/3014168731b7930300aab656085af784edc861f6","https://git.kernel.org/stable/c/58bdd5160184645771553ea732da5c2887fc9bd1","https://git.kernel.org/stable/c/783ea37b237a9b524f1e5ca018ea17d772ee0ea0","https://git.kernel.org/stable/c/78b41148cfea2a3f04d87adf3a71b21735820a37","https://git.kernel.org/stable/c/d68b7c8fefbaeae8f065b84e40cf64baf4cc0c76","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38482","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das6402: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* IRQs 2,3,5,6,7, 10,11,15 are valid for \"enhanced\" mode */\n\tif ((1 << it->options[1]) & 0x8cec) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. 
The value 0 explicitly disables the use of\ninterrupts.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.0394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3eab654f5d199ecd45403c6588cda63e491fcfca","https://git.kernel.org/stable/c/4a3c18cde02e35aba87e0ad5672b3e1c72dda5a4","https://git.kernel.org/stable/c/70f2b28b5243df557f51c054c20058ae207baaac","https://git.kernel.org/stable/c/73f34d609397805c20d6b2ef5c07a4cbf7c4d63a","https://git.kernel.org/stable/c/8a3637027ceeba4ca5e500b23cb7d24c25592513","https://git.kernel.org/stable/c/a15e9c175f783298c4ee48146be6841335400406","https://git.kernel.org/stable/c/a18a42e77545afcacd6a2b8d9fc16191b87454df","https://git.kernel.org/stable/c/de8da1063cce9234d55c8270d9bdf4cf84411c80","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38483","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das16m1: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */\n\tif ((1 << it->options[1]) & 0xdcfc) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  
Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00017,"ranking_epss":0.0394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/076b13ee60eb01ed0d140ef261f95534562a3077","https://git.kernel.org/stable/c/539bdff832adac9ea653859fa0b6bc62e743329c","https://git.kernel.org/stable/c/65c03e6fc524eb2868abedffd8a4613d78abc288","https://git.kernel.org/stable/c/adb7df8a8f9d788423e161b779764527dd3ec2d0","https://git.kernel.org/stable/c/b3c95fa508e5dc3da60520eea92a5241095ceef1","https://git.kernel.org/stable/c/d1291c69f46d6572b2cf75960dd8975d7ab2176b","https://git.kernel.org/stable/c/ed93c6f68a3be06e4e0c331c6e751f462dee3932","https://git.kernel.org/stable/c/f211572818ed5bec2b3f5d4e0719ef8699b3c269","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38485","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush\n\nfxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with\niio_for_each_active_channel()) without making sure the indio_dev\nstays in buffer mode.\nThere is a race if indio_dev exits buffer mode in the middle of the\ninterrupt that flushes the fifo. 
Fix this by calling\nsynchronize_irq() to ensure that no interrupt is currently running when\ndisabling buffer mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[...]\n_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290\nfxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178\nfxls8962af_interrupt from irq_thread_fn+0x1c/0x7c\nirq_thread_fn from irq_thread+0x110/0x1f4\nirq_thread from kthread+0xe0/0xfc\nkthread from ret_from_fork+0x14/0x2c","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1803d372460aaa9ae0188a30c9421d3f157f2f04","https://git.kernel.org/stable/c/1fe16dc1a2f5057772e5391ec042ed7442966c9a","https://git.kernel.org/stable/c/6ecd61c201b27ad2760b3975437ad2b97d725b98","https://git.kernel.org/stable/c/bfcda3e1015791b3a63fb4d3aad408da9cf76e8f","https://git.kernel.org/stable/c/dda42f23a8f5439eaac9521ce0531547d880cc54","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38487","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: lpc-snoop: Don't disable channels that aren't enabled\n\nMitigate e.g. 
the following:\n\n    # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind\n    ...\n    [  120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write\n    [  120.373866] [00000004] *pgd=00000000\n    [  120.377910] Internal error: Oops: 805 [#1] SMP ARM\n    [  120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE\n    ...\n    [  120.679543] Call trace:\n    [  120.679559]  misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac\n    [  120.692462]  aspeed_lpc_snoop_remove from platform_remove+0x28/0x38\n    [  120.700996]  platform_remove from device_release_driver_internal+0x188/0x200\n    ...","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05821,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/166afe964e8433d52c641f5d1c09102bacee9a92","https://git.kernel.org/stable/c/329a80adc0e5f815d0514a6d403aaaf0995cd9be","https://git.kernel.org/stable/c/56448e78a6bb4e1a8528a0e2efe94eff0400c247","https://git.kernel.org/stable/c/62e51f51d97477ea4e78c82e7076a171dac86c75","https://git.kernel.org/stable/c/9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51","https://git.kernel.org/stable/c/ac10ed9862104936a412f8b475c869e99f048448","https://git.kernel.org/stable/c/b361598b7352f02456619a6105c7da952ef69f8f","https://git.kernel.org/stable/c/dc5598482e2d3b234f6d72d6f5568e24f603e51a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38488","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all 
crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n  crypt_message()\n    // Allocate the creq buffer containing the req\n    creq = smb2_get_aead_req(..., &req);\n\n    // Async encryption returns -EINPROGRESS immediately\n    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n    // Free creq while async operation is still in progress\n    kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn't\nguarantee synchronous operation. 
Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn't freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15a0a5de49507062bc3be4014a403d8cea5533de","https://git.kernel.org/stable/c/2a76bc2b24ed889a689fb1c9015307bf16aafb5b","https://git.kernel.org/stable/c/5d047b12f86cc3b9fde1171c02d9bccf4dba0632","https://git.kernel.org/stable/c/6550b2bef095d0dd2d2c8390d2ea4c3837028833","https://git.kernel.org/stable/c/8ac90f6824fc44d2e55a82503ddfc95defb19ae0","https://git.kernel.org/stable/c/9a1d3e8d40f151c2d5a5f40c410e6e433f62f438","https://git.kernel.org/stable/c/b220bed63330c0e1733dc06ea8e75d5b9962b6b6","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38472","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n    [exception RIP: __nf_ct_delete_from_lists+172]\n    [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n    [..]\n\nThe nf_conn 
struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct->timeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry.  If we ignore\nct->status and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n  - ct hlist pointers are overloaded and store/cache the raw tuple hash\n  - ct->timeout matches the relative time expected for a new udp flow\n    rather than the absolute 'jiffies' value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t<preemption>\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct->status set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z.  
cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t->refcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t->timeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct->status |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t<resumes>\n\t\t\tnf_ct_expired()\n\t\t\t -> yes (ct->timeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -> set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn't guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t<unblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev>\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout 'cpu y' race, 'garbage' hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free'd and E gets\ndestroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. 
the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn't matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04898,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7","https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9","https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379","https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22","https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38473","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). 
[0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan->data is NULL.\n\nLet's not access the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n 
process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c","https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05","https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33","https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0","https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0","https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec","https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08","https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38474","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: net: sierra: check for no status endpoint\n\nThe driver checks for having three endpoints and\nhaving bulk in and out endpoints, but not that\nthe third endpoint is interrupt input.\nRectify the 
omission.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a263ccb905b4ae2af381cd4280bd8d2477b98b8","https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158","https://git.kernel.org/stable/c/5408cc668e596c81cdd29e137225432aa40d1785","https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9","https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6","https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d","https://git.kernel.org/stable/c/a6a238c4126eb3ddb495d3f960193ca5bb778d92","https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38476","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet's fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n 
<IRQ>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n </IRQ>\n <TASK>\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 
00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n </TASK>\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n 
ip6_\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36","https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4","https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d","https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc","https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce","https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297","https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38477","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when 'agg' is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. 
Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6","https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64","https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1","https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d","https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79","https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e","https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd","https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38478","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn->n` elements in some\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that.  For Comedi instruction codes\nthat write to the subdevice, the first `insn->n` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized.  That could be a problem if the subdevice instruction\nhandler reads the uninitialized data.  Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0.  
For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/020eed5681d0f9bced73970368078a92d6cfaa9c","https://git.kernel.org/stable/c/13e4d9038a1e869445a996a3f604a84ef52fe8f4","https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e","https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4","https://git.kernel.org/stable/c/6f38c6380c3b38a05032b8881e41137385a6ce02","https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649","https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29","https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38480","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions.  
In that case, the subdevice's `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory.  It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at least `MIN_SAMPLES` (16) elements are\nallocated.  However, if `insn->n` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions), then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`.  This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn->n` is 0, before reaching the code\nthat accesses `data[0]`.  
Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn->n`, which is 0 in this case.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03771,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88","https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00","https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656","https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000","https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870","https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1","https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5","https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38481","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large\n\nThe handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to\nhold the array of `struct comedi_insn`, getting the length from the\n`n_insns` member of the `struct comedi_insnlist` supplied by the user.\nThe allocation will fail with a WARNING and a stack dump if it is too\nlarge.\n\nAvoid that by failing with an `-EINVAL` error if the supplied `n_insns`\nvalue is unreasonable.\n\nDefine the limit on the `n_insns` value in the `MAX_INSNS` macro.  
Set\nthis to the same value as `MAX_SAMPLES` (65536), which is the maximum\nallowed sum of the values of the member `n` in the array of `struct\ncomedi_insn`, and sensible comedi instructions will have an `n` of at\nleast 1.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03771,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08ae4b20f5e82101d77326ecab9089e110f224cc","https://git.kernel.org/stable/c/454d732dfd0aef7d7aa950c409215ca06d717e93","https://git.kernel.org/stable/c/69dc06b9514522de532e997a21d035cd29b0db44","https://git.kernel.org/stable/c/992d600f284e719242a434166e86c1999649b71c","https://git.kernel.org/stable/c/c68257588e87f45530235701a42496b7e9e56adb","https://git.kernel.org/stable/c/c9d3d9667443caafa804cd07940aeaef8e53aa90","https://git.kernel.org/stable/c/d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3","https://git.kernel.org/stable/c/e3b8322cc8081d142ee4c1a43e1d702bdba1ed76","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38468","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n   the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. 
blackhole_enqueue drops the packet and returns a value that is not\n   just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n   since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->\n   htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n   NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n   which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n   hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0)               |  htb_enqueue() {\n 0) + 13.635 us   |    netem_enqueue();\n 0)   4.719 us    |    htb_activate_prios();\n 0) # 2249.199 us |  }\n 0)               |  htb_dequeue() {\n 0)   2.355 us    |    htb_lookup_leaf();\n 0)               |    netem_dequeue() {\n 0) + 11.061 us   |      blackhole_enqueue();\n 0)               |      qdisc_tree_reduce_backlog() {\n 0)               |        qdisc_lookup_rcu() {\n 0)   1.873 us    |          qdisc_match_from_root();\n 0)   6.292 us    |        }\n 0)   1.894 us    |        htb_search();\n 0)               |        htb_qlen_notify() {\n 0)   2.655 us    |          htb_deactivate_prios();\n 0)   6.933 us    |        }\n 0) + 25.227 us   |      }\n 0)   1.983 us    |      blackhole_dequeue();\n 0) + 86.553 us   |    }\n 0) # 2932.761 us |    qdisc_warn_nonwc();\n 0)               |    htb_lookup_leaf() {\n 0)               |      BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] 
https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628","https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4","https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355","https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344","https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535","https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301","https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f","https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38470","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the \"rx-vlan-filter\" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. 
There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the \"rx-vlan-filter\"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the \"rx-vlan-filter\"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the \"rx-vlan-filter\" feature was disabled. null-ptr-deref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n    vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n    vlan_filter_push_vids\n        ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n    vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n        vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n    BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n\"rx-vlan-filter\" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 
256):\n  comm \"ip\", pid 384, jiffies 4296130254\n  hex dump (first 32 bytes):\n    00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00  . 0.............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 81ce31fa):\n    __kmalloc_cache_noprof+0x2b5/0x340\n    vlan_vid_add+0x434/0x940\n    vlan_device_event.cold+0x75/0xa8\n    notifier_call_chain+0xca/0x150\n    __dev_notify_flags+0xe3/0x250\n    rtnl_configure_link+0x193/0x260\n    rtnl_newlink_create+0x383/0x8e0\n    __rtnl_newlink+0x22c/0xa40\n    rtnl_newlink+0x627/0xb00\n    rtnetlink_rcv_msg+0x6fb/0xb70\n    netlink_rcv_skb+0x11f/0x350\n    netlink_unicast+0x426/0x710\n    netlink_sendmsg+0x75a/0xc20\n    __sock_sendmsg+0xc1/0x150\n    ____sys_sendmsg+0x5aa/0x7b0\n    ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS:  00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n 
<TASK\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/047b61a24d7c866c502aeeea482892969a68f216","https://git.kernel.org/stable/c/35142b3816832889e50164d993018ea5810955ae","https://git.kernel.org/stable/c/579d4f9ca9a9a605184a9b162355f6ba131f678d","https://git.kernel.org/stable/c/8984bcbd1edf5bee5be06ad771d157333b790c33","https://git.kernel.org/stable/c/93715aa2d80e6c5cea1bb486321fc4585076928b","https://git.kernel.org/stable/c/ba48d3993af23753e1f1f01c8d592de9c7785f24","https://git.kernel.org/stable/c/bb515c41306454937464da055609b5fb0a27821b","https://git.kernel.org/stable/c/d43ef15bf4856c8c4c6c3572922331a5f06deb77","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38471","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. 
This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n    BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n    (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n    Read of size 4 at addr ffff888013085750 by task tls/13529\n\n    CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n    Call Trace:\n     kasan_report+0xca/0x100\n     tls_strp_check_rcv+0x898/0x9a0 [tls]\n     tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n     tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n     inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp->stm.full_len\").","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02","https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b","https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb","https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6","https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-28T12:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38467","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: exynos7_drm_decon: add vblank check in IRQ handling\n\nIf there's support for another console device (such as a TTY serial),\nthe kernel occasionally panics during boot. 
The panic message and a\nrelevant snippet of the call stack is as follows:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 000000000000000\n  Call trace:\n    drm_crtc_handle_vblank+0x10/0x30 (P)\n    decon_irq_handler+0x88/0xb4\n    [...]\n\nOtherwise, the panics don't happen. This indicates that it's some sort\nof race condition.\n\nAdd a check to validate if the drm device can handle vblanks before\ncalling drm_crtc_handle_vblank() to avoid this.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/391e5ea5b877230b844c9bd8bbcd91b681b1ce2d","https://git.kernel.org/stable/c/87825fbd1e176cd5b896940f3959e7c9a916945d","https://git.kernel.org/stable/c/996740652e620ef8ee1e5c65832cf2ffa498577d","https://git.kernel.org/stable/c/a2130463fc9451005660b0eda7b61d5f746f7d74","https://git.kernel.org/stable/c/a40a35166f7e4f6dcd4b087d620c8228922dcb0a","https://git.kernel.org/stable/c/b4e72c0bf878f02faa00a7dc7c9ffc4ff7c116a7","https://git.kernel.org/stable/c/b846350aa272de99bf6fecfa6b08e64ebfb13173","https://git.kernel.org/stable/c/e9d9b25f376737b81f06de9c5aa422b488f47184","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38462","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_{g2h,h2g} TOCTOU\n\nvsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.\ntransport_{g2h,h2g} may become NULL after the NULL check.\n\nIntroduce vsock_transport_local_cid() to protect from a potential\nnull-ptr-deref.\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_find_cid+0x47/0x90\nCall Trace:\n __vsock_bind+0x4b2/0x720\n 
vsock_bind+0x90/0xe0\n __sys_bind+0x14d/0x1e0\n __x64_sys_bind+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0\nCall Trace:\n __x64_sys_ioctl+0x12d/0x190\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/209fd720838aaf1420416494c5505096478156b4","https://git.kernel.org/stable/c/3734d78210cceb2ee5615719a62a5c55ed381ff8","https://git.kernel.org/stable/c/401239811fa728fcdd53e360a91f157ffd23e1f4","https://git.kernel.org/stable/c/5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17","https://git.kernel.org/stable/c/6a1bcab67bea797d83aa9dd948a0ac6ed52d121d","https://git.kernel.org/stable/c/80d7dc15805a93d520a249ac6d13d4f4df161c1b","https://git.kernel.org/stable/c/c5496ee685c48ed1cc183cd4263602579bb4a615","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38464","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_conn_close().\n\nsyzbot reported a null-ptr-deref in tipc_conn_close() during netns\ndismantle. 
[0]\n\ntipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls\ntipc_conn_close() for each tipc_conn.\n\nThe problem is that tipc_conn_close() is called after releasing the\nIDR lock.\n\nAt the same time, there might be tipc_conn_recv_work() running and it\ncould call tipc_conn_close() for the same tipc_conn and release its\nlast ->kref.\n\nOnce we release the IDR lock in tipc_topsrv_stop(), there is no\nguarantee that the tipc_conn is alive.\n\nLet's hold the ref before releasing the lock and put the ref after\ntipc_conn_close() in tipc_topsrv_stop().\n\n[0]:\nBUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\nRead of size 8 at addr ffff888099305a08 by task kworker/u4:3/435\n\nCPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1fc/0x2ef lib/dump_stack.c:118\n print_address_description.cold+0x54/0x219 mm/kasan/report.c:256\n kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354\n kasan_report mm/kasan/report.c:412 [inline]\n __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433\n tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\n tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]\n tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722\n ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153\n cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nAllocated by task 23:\n kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625\n kmalloc include/linux/slab.h:515 [inline]\n kzalloc include/linux/slab.h:709 [inline]\n tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192\n tipc_topsrv_accept+0x1b5/0x280 
net/tipc/topsrv.c:470\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nFreed by task 23:\n __cache_free mm/slab.c:3503 [inline]\n kfree+0xcc/0x210 mm/slab.c:3822\n tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]\n kref_put include/linux/kref.h:70 [inline]\n conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nThe buggy address belongs to the object at ffff888099305a00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 8 bytes inside of\n 512-byte region [ffff888099305a00, ffff888099305c00)\nThe buggy address belongs to the page:\npage:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0\nflags: 0xfff00000000100(slab)\nraw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940\nraw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                      ^\n ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04165,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03dcdd2558e1e55bf843822fe4363dcb48743f2b","https://git.kernel.org/stable/c/15a6f4971e2f157d57e09ea748d1fbc714277aa4","https://git.kernel.org/stable/c/1dbf7cd2454a28b1da700085b99346b5445aeabb","https://git.kernel.org/stable/c/3b89e17b2fd64012682bed158d9eb3d2e96dec42","https://git.kernel.org/stable/c/50aa2d121bc2cfe2d825f8a331ea75dfaaab6a50","https://git.kernel.org/stable/c/667eeab4999e981c96b447a4df5f20bdf5c26f13","https://git.kernel.org/stable/c/be4b8392da7978294f2f368799d29dd509fb6c4d","https://git.kernel.org/stable/c/dab8ded2e5ff41012a6ff400b44dbe76ccf3592a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38465","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk->sk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n  \tatomic_add(skb->truesize, &sk->sk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk->sk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk->sk_rmem_alloc.\n\nLet's fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q      Send-Q Local Address:Port                Peer Address:Port\n  -1668710080 0               rtnl:nl_wraparound/293               *\n\nAfter:\n  [root@fedora ~]# ss -f 
netlink\n  Recv-Q     Send-Q Local Address:Port                Peer Address:Port\n  2147483072 0               rtnl:nl_wraparound/290               *\n  ^\n  `--- INT_MAX - 576","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04405,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4b8e18af7bea92f8b7fb92d40aeae729209db250","https://git.kernel.org/stable/c/55baecb9eb90238f60a8350660d6762046ebd3bd","https://git.kernel.org/stable/c/76602d8e13864524382b0687dc32cd8f19164d5a","https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c","https://git.kernel.org/stable/c/ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc","https://git.kernel.org/stable/c/c4ceaac5c5ba0b992ee1dc88e2a02421549e5c98","https://git.kernel.org/stable/c/cd7ff61bfffd7000143c42bbffb85eeb792466d6","https://git.kernel.org/stable/c/fd69af06101090eaa60b3d216ae715f9c0a58e5b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38466","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. 
The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar thing can be done if the\ndata word is 'mistaken' for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/183bdb89af1b5193b1d1d9316986053b15ca6fa4","https://git.kernel.org/stable/c/8e8bf7bc6aa6f583336c2fda280b6cea0aed5612","https://git.kernel.org/stable/c/a0a8009083e569b5526c64f7d3f2a62baca95164","https://git.kernel.org/stable/c/ba677dbe77af5ffe6204e0f3f547f3ba059c6302","https://git.kernel.org/stable/c/c0aec35f861fa746ca45aa816161c74352e6ada8","https://git.kernel.org/stable/c/d5074256b642cdeb46a70ce2f15193e766edca68","https://git.kernel.org/stable/c/d7ef1afd5b3f43f4924326164cee5397b66abd9c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38455","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight\n\nReject migration of SEV{-ES} state if either the source or destination VM\nis actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the\nsection between incrementing created_vcpus and online_vcpus.  
The bulk of\nvCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs\nin parallel, and so sev_info.es_active can get toggled from false=>true in\nthe destination VM after (or during) svm_vcpu_create(), resulting in an\nSEV{-ES} VM effectively having a non-SEV{-ES} vCPU.\n\nThe issue manifests most visibly as a crash when trying to free a vCPU's\nNULL VMSA page in an SEV-ES VM, but any number of things can go wrong.\n\n  BUG: unable to handle page fault for address: ffffebde00000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n  CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G     U     O        6.15.0-smp-DEV #2 NONE\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n  RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]\n  RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]\n  RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]\n  RIP: 0010:PageHead include/linux/page-flags.h:866 [inline]\n  RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067\n  Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0\n  RSP: 0018:ffff8984551978d0 EFLAGS: 00010246\n  RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98\n  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000\n  RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000\n  R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000\n  R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000\n  FS:  0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0\n  DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000\n  DR3: 0000000000000000 
DR6: 00000000ffff0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169\n   svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515\n   kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396\n   kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline]\n   kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490\n   kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895\n   kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310\n   kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369\n   __fput+0x3e4/0x9e0 fs/file_table.c:465\n   task_work_run+0x1a9/0x220 kernel/task_work.c:227\n   exit_task_work include/linux/task_work.h:40 [inline]\n   do_exit+0x7f0/0x25b0 kernel/exit.c:953\n   do_group_exit+0x203/0x2d0 kernel/exit.c:1102\n   get_signal+0x1357/0x1480 kernel/signal.c:3034\n   arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337\n   exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n   syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218\n   do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f87a898e969\n   </TASK>\n  Modules linked in: gq(O)\n  gsmi: Log Shutdown Reason 0x03\n  CR2: ffffebde00000000\n  ---[ end trace 0000000000000000 ]---\n\nDeliberately don't check for a NULL VMSA when freeing the vCPU, as crashing\nthe host is likely desirable due to the VMSA being consumed by hardware.\nE.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a\nbogus VMSA page.  
Accessing P\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8c8e8d4d7544bb783e15078eda8ba2580e192246","https://git.kernel.org/stable/c/b5725213149597cd9c2b075b87bc4e0f87e906c1","https://git.kernel.org/stable/c/e0d9a7cf37ca09c513420dc88e0d0e805a4f0820","https://git.kernel.org/stable/c/ecf371f8b02d5e31b9aa1da7f159f1b2107bdb01","https://git.kernel.org/stable/c/fd044c99d831e9f837518816c7c366b04014d405","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38456","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:msghandler: Fix potential memory corruption in ipmi_create_user()\n\nThe \"intf\" list iterator is an invalid pointer if the correct\n\"intf->intf_num\" is not found.  
Calling atomic_dec(&intf->nr_users) on\nan invalid pointer will lead to memory corruption.\n\nWe don't really need to call atomic_dec() if we haven't called\natomic_add_return() so update the if (intf->in_shutdown) path as well.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06041,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7c1a6ddb99858e7d68961f74ae27caeeeca67b6a","https://git.kernel.org/stable/c/9e0d33e75c1604c3fad5586ad4dfa3b2695a3950","https://git.kernel.org/stable/c/cbc1670297f675854e982d23c8583900ff0cc67a","https://git.kernel.org/stable/c/e2d5c005dfc96fe857676d1d8ac46b29275cb89b","https://git.kernel.org/stable/c/fa332f5dc6fc662ad7d3200048772c96b861cf6b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38457","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion's patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs' init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. 
For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc's qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is to ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn't correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04405,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803","https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e","https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af","https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a","https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f","https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e","https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea","https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38458","summary":"In 
the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix NULL pointer dereference in vcc_sendmsg()\n\natmarpd_dev_ops does not implement the send method, which may cause a crash\nas below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: Oops: 0010 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246\nRAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000\nRDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000\nRBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287\nR10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00\nR13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88\nFS:  00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n ____sys_sendmsg+0x52d/0x830 net/socket.c:2566\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620\n __sys_sendmmsg+0x227/0x430 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94\n 
entry_SYSCALL_64_after_hwframe+0x77/0x7f","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04405,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07b585ae3699c0a5026f86ac846f144e34875eee","https://git.kernel.org/stable/c/22fc46cea91df3dce140a7dc6847c6fcf0354505","https://git.kernel.org/stable/c/27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8","https://git.kernel.org/stable/c/34a09d6240a25185ef6fc5a19dbb3cdbb6a78bc0","https://git.kernel.org/stable/c/7f1cad84ac1a6af42d9d57e879de47ce37995024","https://git.kernel.org/stable/c/7f8a9b396037daae453a108faec5b28886361323","https://git.kernel.org/stable/c/9ec7e943aee5c28c173933f9defd40892fb3be3d","https://git.kernel.org/stable/c/a16fbe6087e91c8e7c4aa50e1af7ad56edbd9e3e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38459","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. 
[0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc->push(),\nand the second call copies it to clip_vcc->old_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc->old_push(),\ntriggering the infinite recursion.\n\nLet's prevent the second ioctl(ATMARP_MKIP) by checking\nvcc->user_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 
net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n </TASK>\nModules linked 
in:","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.03394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e","https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352","https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f","https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31","https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8","https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45","https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88","https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38460","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix potential null-ptr-deref in to_atmarpd().\n\natmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip\ncauses unregister hang\").\n\nHowever, it is not enough because to_atmarpd() is called without RTNL,\nespecially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.\n\nAlso, there is no RTNL dependency around atmarpd.\n\nLet's use a private mutex and RCU to protect access to atmarpd 
in\nto_atmarpd().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04405,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06935c50cfa3ac57cce80bba67b6d38ec1406e92","https://git.kernel.org/stable/c/3251ce3979f41bd228f77a7615f9dd616d06a110","https://git.kernel.org/stable/c/36caab990b69ef4eec1d81c52a19f080b7daa059","https://git.kernel.org/stable/c/706cc36477139c1616a9b2b96610a8bb520b7119","https://git.kernel.org/stable/c/70eac9ba7ce25d99c1d99bbf4ddb058940f631f9","https://git.kernel.org/stable/c/a4c5785feb979cd996a99cfaad8bf353b2e79301","https://git.kernel.org/stable/c/ee4d9e4ddf3f9c4ee2ec0a3aad6196ee36d30e57","https://git.kernel.org/stable/c/f58e4270c73e7f086322978d585ea67c8076ce49","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38461","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_* TOCTOU\n\nTransport assignment may race with module unload. 
Protect new_transport\nfrom becoming a stale pointer.\n\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\n\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\n vsock_connect+0x59c/0xc40\n __sys_connect+0xe8/0x100\n __x64_sys_connect+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/36a439049b34cca0b3661276049b84a1f76cc21a","https://git.kernel.org/stable/c/687aa0c5581b8d4aa87fd92973e4ee576b550cdf","https://git.kernel.org/stable/c/7b73bddf54777fb62d4d8c7729d0affe6df04477","https://git.kernel.org/stable/c/8667e8d0eb46bc54fdae30ba2f4786407d3d88eb","https://git.kernel.org/stable/c/9ce53e744f18e73059d3124070e960f3aa9902bf","https://git.kernel.org/stable/c/9d24bb6780282b0255b9929abe5e8f98007e2c6e","https://git.kernel.org/stable/c/ae2c712ba39c7007de63cb0c75b51ce1caaf1da5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38448","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix race condition in TTY wakeup\n\nA race condition occurs when gs_start_io() calls either gs_start_rx() or\ngs_start_tx(), as those functions briefly drop the port_lock for\nusb_ep_queue(). 
This allows gs_close() and gserial_disconnect() to clear\nport.tty and port_usb, respectively.\n\nUse the null-safe TTY Port helper function to wake up TTY.\n\nExample\n  CPU1:\t\t\t      CPU2:\n  gserial_connect() // lock\n  \t\t\t      gs_close() // await lock\n  gs_start_rx()     // unlock\n  usb_ep_queue()\n  \t\t\t      gs_close() // lock, reset port.tty and unlock\n  gs_start_rx()     // lock\n  tty_wakeup()      // NPE","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18d58a467ccf011078352d91b4d6a0108c7318e8","https://git.kernel.org/stable/c/a5012673d49788f16bb4e375b002d7743eb642d9","https://git.kernel.org/stable/c/abf3620cba68e0e51e5c21054ce4f925f75b3661","https://git.kernel.org/stable/c/c529c3730bd09115684644e26bf01ecbd7e2c2c9","https://git.kernel.org/stable/c/c6eb4a05af3d0ba3bc4e8159287722fb9abc6359","https://git.kernel.org/stable/c/c8c80a3a35c2e3488409de2d5376ef7e662a2bf5","https://git.kernel.org/stable/c/d43657b59f36e88289a6066f15bc9a80df5014eb","https://git.kernel.org/stable/c/ee8d688e2ba558f3bb8ac225113740be5f335417","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38451","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: fix GPF in bitmap_get_stats()\n\nThe commit message of commit 6ec1f0239485 (\"md/md-bitmap: fix stats\ncollection for external bitmaps\") states:\n\n    Remove the external bitmap check as the statistics should be\n    available regardless of bitmap storage location.\n\n    Return -EINVAL only for invalid bitmap with no storage (neither in\n    superblock nor in external file).\n\nBut, the code does not adhere to the above, as it does only check 
for\na valid super-block for \"internal\" bitmaps. Hence, we observe:\n\nOops: GPF, probably for non-canonical address 0x1cd66f1f40000028\nRIP: 0010:bitmap_get_stats+0x45/0xd0\nCall Trace:\n\n seq_read_iter+0x2b9/0x46a\n seq_read+0x12f/0x180\n proc_reg_read+0x57/0xb0\n vfs_read+0xf6/0x380\n ksys_read+0x6d/0xf0\n do_syscall_64+0x8c/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nWe fix this by checking the existence of a super-block for both the\ninternal and external case.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d82a729530bd2110ba66e4a1f73461c776edec2","https://git.kernel.org/stable/c/3e0542701b37aa25b025d8531583458e4f014c2e","https://git.kernel.org/stable/c/a18f9b08c70e10ea3a897058fee8a4f3b4c146ec","https://git.kernel.org/stable/c/a23b16ba3274961494f5ad236345d238364349ff","https://git.kernel.org/stable/c/c17fb542dbd1db745c9feac15617056506dd7195","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38437","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential use-after-free in oplock/lease break ack\n\nIf ksmbd_iov_pin_rsp return error, use-after-free can happen by\naccessing opinfo->state and opinfo_put and ksmbd_fd_put could\ncalled 
twice.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/50f930db22365738d9387c974416f38a06e8057e","https://git.kernel.org/stable/c/8106adc21a2270c16abf69cd74ccd7c79c6e7acd","https://git.kernel.org/stable/c/815f1161d6dbc4c54ccf94b7d3fdeab34b4d7477","https://git.kernel.org/stable/c/97c355989928a5f60b228ef5266c1be67a46cdf9","https://git.kernel.org/stable/c/e38ec88a2b42c494601b1213816d75f0b54d9bf0","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38439","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n\nWhen transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()\nwith the proper length instead of 0.  This bug triggers this warning\non a system with IOMMU enabled:\n\nWARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170\nRIP: 0010:__iommu_dma_unmap+0x159/0x170\nCode: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45\nb8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00\nRSP: 0018:ff22d31181150c88 EFLAGS: 00010206\nRAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000\nR10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000\nR13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00\nFS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0\nPKRU: 55555554\nCall Trace:\n<IRQ>\n? 
show_regs+0x6d/0x80\n? __warn+0x89/0x160\n? __iommu_dma_unmap+0x159/0x170\n? report_bug+0x17e/0x1b0\n? handle_bug+0x46/0x90\n? exc_invalid_op+0x18/0x80\n? asm_exc_invalid_op+0x1b/0x20\n? __iommu_dma_unmap+0x159/0x170\n? __iommu_dma_unmap+0xb3/0x170\niommu_dma_unmap_page+0x4f/0x100\ndma_unmap_page_attrs+0x52/0x220\n? srso_alias_return_thunk+0x5/0xfbef5\n? xdp_return_frame+0x2e/0xd0\nbnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]\n__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]\nbnxt_poll+0xd3/0x1e0 [bnxt_en]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16ae306602163fcb7ae83f2701b542e43c100cee","https://git.kernel.org/stable/c/3cdf199d4755d477972ee87110b2aebc88b3cfad","https://git.kernel.org/stable/c/50dad9909715094e7d9ca25e9e0412b875987519","https://git.kernel.org/stable/c/5909679a82cd74cf0343d9e3ddf4b6931aa7e613","https://git.kernel.org/stable/c/8d672a1a6bfc81fef9151925c9c0481f4acf4bec","https://git.kernel.org/stable/c/e260f4d49370c85a4701d43c6d16b8c39f8b605f","https://git.kernel.org/stable/c/f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a","https://git.kernel.org/stable/c/f9eaf6d036075dc820520e1194692c0619b7297b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38441","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()\n\nsyzbot found a potential access to uninit-value in nf_flow_pppoe_proto()\n\nBlamed commit forgot the Ethernet header.\n\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  
nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n  nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623\n  nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n  nf_ingress net/core/dev.c:5742 [inline]\n  __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837\n  __netif_receive_skb_one_core net/core/dev.c:5975 [inline]\n  __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090\n  netif_receive_skb_internal net/core/dev.c:6176 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6235\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xb4b/0x1580 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18cdb3d982da8976b28d57691eb256ec5688fad2","https://git.kernel.org/stable/c/9fbc49429a23b02595ba82536c5ea425fdabb221","https://git.kernel.org/stable/c/a3aea97d55964e70a1e6426aa4cafdc036e8a2dd","https://git.kernel.org/stable/c/cfbf0665969af2c69d10c377d4c3d306e717efb4","https://git.kernel.org/stable/c/e0dd2e9729660f3f4fcb16e0aef87342911528ef","https://git.kernel.org/stable/c/eed8960b289327235185b7c32649c3470a3e969b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38443","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nThere is a use-after-free issue in nbd:\n\nblock nbd6: Receive control failed (result -104)\nblock nbd6: shutting down sockets\n==================================================================\nBUG: KASAN: 
slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022\nWrite of size 4 at addr ffff8880295de478 by task kworker/u33:0/67\n\nCPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: nbd6-recv recv_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]\n recv_work+0x694/0xa80 drivers/block/nbd.c:1022\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nnbd_genl_connect() does not properly stop the device on certain\nerror paths after nbd_start_device() has been called. 
This causes\nthe error path to put nbd->config while recv_work continue to use\nthe config after putting it, leading to use-after-free in recv_work.\n\nThis patch moves nbd_start_device() after the backend file creation.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/002aca89753f666d878ca0eb8584c372684ac4ba","https://git.kernel.org/stable/c/8586552df591e0a367eff44af0c586213eeecc3f","https://git.kernel.org/stable/c/91fa560c73a8126868848ed6cd70607cbf8d87e2","https://git.kernel.org/stable/c/aa9552438ebf015fc5f9f890dbfe39f0c53cf37e","https://git.kernel.org/stable/c/cb121c47f364b51776c4db904a6a5a90ab0a7ec5","https://git.kernel.org/stable/c/d46186eb7bbd9a11c145120f2d77effa8d4d44c2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38444","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nraid10: cleanup memleak at raid10_make_request\n\nIf raid10_read_request or raid10_write_request registers a new\nrequest and the REQ_NOWAIT flag is set, the code does not\nfree the malloc from the mempool.\n\nunreferenced object 0xffff8884802c3200 (size 192):\n   comm \"fio\", pid 9197, jiffies 4298078271\n   hex dump (first 32 bytes):\n     00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00  .........A......\n     08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n   backtrace (crc c1a049a2):\n     __kmalloc+0x2bb/0x450\n     mempool_alloc+0x11b/0x320\n     raid10_make_request+0x19e/0x650 [raid10]\n     md_handle_request+0x3b3/0x9e0\n     __submit_bio+0x394/0x560\n     __submit_bio_noacct+0x145/0x530\n     submit_bio_noacct_nocheck+0x682/0x830\n     __blkdev_direct_IO_async+0x4dc/0x6b0\n     blkdev_read_iter+0x1e5/0x3b0\n     __io_read+0x230/0x1110\n     
io_read+0x13/0x30\n     io_issue_sqe+0x134/0x1180\n     io_submit_sqes+0x48c/0xe90\n     __do_sys_io_uring_enter+0x574/0x8b0\n     do_syscall_64+0x5c/0xe0\n     entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nV4: changing backing tree to see if CKI tests will pass.\nThe patch code has not changed between any versions.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10c6021a609deb95f23f0cc2f89aa9d4bffb14c7","https://git.kernel.org/stable/c/2941155d9a5ae098b480d551f3a5f8605d4f9af5","https://git.kernel.org/stable/c/43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24","https://git.kernel.org/stable/c/8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d","https://git.kernel.org/stable/c/9af149ca9d0dab6e59e813519d309eff62499864","https://git.kernel.org/stable/c/ed7bcd9f617e4107ac0813c516e72e6b8f6029bd","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38445","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: Fix stack memory use after return in raid1_reshape\n\nIn the raid1_reshape function, newpool is\nallocated on the stack and assigned to conf->r1bio_pool.\nThis results in conf->r1bio_pool.wait.head pointing\nto a stack address.\nAccessing this address later can lead to a kernel panic.\n\nExample access path:\n\nraid1_reshape()\n{\n\t// newpool is on the stack\n\tmempool_t newpool, oldpool;\n\t// initialize newpool.wait.head to stack address\n\tmempool_init(&newpool, ...);\n\tconf->r1bio_pool = newpool;\n}\n\nraid1_read_request() or raid1_write_request()\n{\n\talloc_r1bio()\n\t{\n\t\tmempool_alloc()\n\t\t{\n\t\t\t// if pool->alloc fails\n\t\t\tremove_element()\n\t\t\t{\n\t\t\t\t--pool->curr_nr;\n\t\t\t}\n\t\t}\n\t}\n}\n\nmempool_free()\n{\n\tif (pool->curr_nr < pool->min_nr) 
{\n\t\t// pool->wait.head is a stack address\n\t\t// wake_up() will try to access this invalid address\n\t\t// which leads to a kernel panic\n\t\treturn;\n\t\twake_up(&pool->wait);\n\t}\n}\n\nFix:\nreinit conf->r1bio_pool.wait after assigning newpool.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00018,"ranking_epss":0.04777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12b00ec99624f8da8c325f2dd6e807df26df0025","https://git.kernel.org/stable/c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d","https://git.kernel.org/stable/c/5f35e48b76655e45522df338876dfef88dafcc71","https://git.kernel.org/stable/c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb","https://git.kernel.org/stable/c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64","https://git.kernel.org/stable/c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98","https://git.kernel.org/stable/c/d8a6853d00fbaa810765c8ed2f452a5832273968","https://git.kernel.org/stable/c/df5894014a92ff0196dbc212a7764e97366fd2b7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38422","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices\n\nMaximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb\nand 64 Kb respectively. Adjust max size definitions and return correct\nEEPROM length based on device. 
Also prevent out-of-bound read/write.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/088279ff18cdc437d6fac5890e0c52c624f78a5b","https://git.kernel.org/stable/c/3b9935586a9b54d2da27901b830d3cf46ad66a1e","https://git.kernel.org/stable/c/51318d644c993b3f7a60b8616a6a5adc1e967cd2","https://git.kernel.org/stable/c/6b4201d74d0a49af2123abf2c9d142e59566714b","https://git.kernel.org/stable/c/9c41d2a2aa3817946eb613522200cab55513ddaa","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38424","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix sample vs do_exit()\n\nBaisheng Gao reported an ARM64 crash, which Mark decoded as being a\nsynchronous external abort -- most likely due to trying to access\nMMIO in bad ways.\n\nThe crash further shows perf trying to do a user stack sample while in\nexit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address\nspace it is trying to access.\n\nIt turns out that we stop perf after we tear down the userspace mm; a\nreceipie for disaster, since perf likes to access userspace for\nvarious reasons.\n\nFlip this order by moving up where we stop perf in do_exit().\n\nAdditionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER\nto abort when the current task does not have an mm (exit_mm() makes\nsure to set current->mm = NULL; before commencing with the actual\nteardown). 
Such that CPU wide events don't trip on this same problem.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ee6044a693735396bb47eeaba1ac3ae26c1c99b","https://git.kernel.org/stable/c/456019adaa2f5366b89c868dea9b483179bece54","https://git.kernel.org/stable/c/4f6fc782128355931527cefe3eb45338abd8ab39","https://git.kernel.org/stable/c/507c9a595bad3abd107c6a8857d7fd125d89f386","https://git.kernel.org/stable/c/7311970d07c4606362081250da95f2c7901fc0db","https://git.kernel.org/stable/c/7b8f3c72175c6a63a95cf2e219f8b78e2baad34e","https://git.kernel.org/stable/c/975ffddfa2e19823c719459d2364fcaa17673964","https://git.kernel.org/stable/c/a9f6aab7910a0ef2895797f15c947f6d1053160f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38425","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: check msg length in SMBUS block read\n\nFor SMBUS block read, do not continue to read if the message length\npassed from the device is '0' or greater than the maximum allowed 
bytes.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.04979,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3f03f77ce688d02da284174e1884b6065d6159bd","https://git.kernel.org/stable/c/75a864f21ceeb8c1e8ce1b7589174fec2c3a039e","https://git.kernel.org/stable/c/a6e04f05ce0b070ab39d5775580e65c7d943da0b","https://git.kernel.org/stable/c/be5f6a65509cd5675362f15eb0440fb28b0f9d64","https://git.kernel.org/stable/c/c39d1a9ae4ad66afcecab124d7789722bfe909fa","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38428","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ims-pcu - check record size in ims_pcu_flash_firmware()\n\nThe \"len\" variable comes from the firmware and we generally do\ntrust firmware, but it's always better to double check.  
If the \"len\"\nis too large it could result in memory corruption when we do\n\"memcpy(fragment->data, rec->data, len);\"","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06164,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17474a56acf708bf6b2d174c06ed26abad0a9fd6","https://git.kernel.org/stable/c/5a8cd6ae8393e2eaebf51d420d5374821ef2af87","https://git.kernel.org/stable/c/74661516daee1eadebede8dc607b6830530096ec","https://git.kernel.org/stable/c/8e03f1c7d50343bf21da54873301bc4fa647479f","https://git.kernel.org/stable/c/a95ef0199e80f3384eb992889322957d26c00102","https://git.kernel.org/stable/c/c1b9d140b0807c6aee4bb53e1bfa4e391e3dc204","https://git.kernel.org/stable/c/d63706d9f73846106fde28b284f08e01b92ce9f1","https://git.kernel.org/stable/c/e5a2481dc2a0b430f49276d7482793a8923631d6","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38430","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: nfsd4_spo_must_allow() must check this is a v4 compound request\n\nIf the request being processed is not a v4 compound request, then\nexamining the cstate can have undefined results.\n\nThis patch adds a check that the rpc procedure being executed\n(rq_procinfo) is the NFSPROC4_COMPOUND 
procedure.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00032,"ranking_epss":0.09042,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807","https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af","https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f","https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603","https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4","https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9","https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19","https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38420","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: do not ping device which has failed to load firmware\n\nSyzkaller reports [1, 2] crashes caused by an attempts to ping\nthe device which has failed to load firmware. 
Since such a device\ndoesn't pass 'ieee80211_register_hw()', an internal workqueue\nmanaged by 'ieee80211_queue_work()' is not yet created and an\nattempt to queue work on it causes null-ptr-deref.\n\n[1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff\n[2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0140d3d37f0f1759d1fdedd854c7875a86e15f8d","https://git.kernel.org/stable/c/11ef72b3312752c2ff92f3c1e64912be3228ed36","https://git.kernel.org/stable/c/15d25307692312cec4b57052da73387f91a2e870","https://git.kernel.org/stable/c/301268dbaac8e9013719e162a000202eac8054be","https://git.kernel.org/stable/c/4e9ab5c48ad5153cc908dd29abad0cd2a92951e4","https://git.kernel.org/stable/c/527fad1ae32ffa2d4853a1425fe1c8dbb8c9744c","https://git.kernel.org/stable/c/8a3734a6f4c05fd24605148f21fb2066690d61b3","https://git.kernel.org/stable/c/bfeede26e97ce4a15a0b961118de4a0e28c9907a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T15:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38415","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check return result of sb_min_blocksize\n\nSyzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.\n\nSyzkaller forks multiple processes which after mounting the Squashfs\nfilesystem, issues an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000). \nNow if this ioctl occurs at the same time another process is in the\nprocess of mounting a Squashfs filesystem on /dev/loop0, the failure\noccurs.  
When this happens the following code in squashfs_fill_super()\nfails.\n\n----\nmsblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);\nmsblk->devblksize_log2 = ffz(~msblk->devblksize);\n----\n\nsb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.\n\nAs a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2\nis set to 64.\n\nThis subsequently causes the\n\nUBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36\nshift exponent 64 is too large for 64-bit type 'u64' (aka\n'unsigned long long')\n\nThis commit adds a check for a 0 return by sb_min_blocksize().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00025,"ranking_epss":0.06997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0aff95d9bc7fb5400ca8af507429c4b067bdb425","https://git.kernel.org/stable/c/295ab18c2dbce8d0ac6ecf7c5187e16e1ac8b282","https://git.kernel.org/stable/c/4f99357dadbf9c979ad737156ad4c37fadf7c56b","https://git.kernel.org/stable/c/549f9e3d7b60d53808c98b9fde49b4f46d0524a5","https://git.kernel.org/stable/c/5c51aa862cbeed2f3887f0382a2708956710bd68","https://git.kernel.org/stable/c/6abf6b78c6fb112eee495f5636ffcc350dd2ce25","https://git.kernel.org/stable/c/734aa85390ea693bb7eaf2240623d41b03705c84","https://git.kernel.org/stable/c/db7096ea160e40d78c67fce52e7cc51bde049497","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38416","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: uart: Set tty->disc_data only in success path\n\nSetting tty->disc_data before opening the NCI device means we need to\nclean it up on error paths.  
This also opens some short window if device\nstarts sending data, even before NCIUARTSETDRIVER IOCTL succeeded\n(broken hardware?).  Close the window by exposing tty->disc_data only on\nthe success path, when opening of the NCI device and try_module_get()\nsucceeds.\n\nThe code differs in error path in one aspect: tty->disc_data won't be\never assigned thus NULL-ified.  This however should not be relevant\ndifference, because of \"tty->disc_data=NULL\" in nci_uart_tty_open().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07285,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/000bfbc6bc334a93fffca8f5aa9583e7b6356cb5","https://git.kernel.org/stable/c/55c3dbd8389636161090a2b2b6d2d709b9602e9c","https://git.kernel.org/stable/c/a514fca2b8e95838a3ba600f31a18fa60b76d893","https://git.kernel.org/stable/c/a8acc7080ad55c5402a1b818b3008998247dda87","https://git.kernel.org/stable/c/ac6992f72bd8e22679c1e147ac214de6a7093c23","https://git.kernel.org/stable/c/dc7722619a9c307e9938d735cf4a2210d3d48dcb","https://git.kernel.org/stable/c/e9799db771b2d574d5bf0dfb3177485e5f40d4d6","https://git.kernel.org/stable/c/fc27ab48904ceb7e4792f0c400f1ef175edf16fe","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38418","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Release rproc->clean_table after rproc_attach() fails\n\nWhen rproc->state = RPROC_DETACHED is attached to remote processor\nthrough rproc_attach(), if rproc_handle_resources() returns failure,\nthen the clean table should be released, otherwise the following\nmemory leak will occur.\n\nunreferenced object 0xffff000086a99800 (size 1024):\ncomm \"kworker/u12:3\", pid 59, jiffies 4294893670 
(age 121.140s)\nhex dump (first 32 bytes):\n00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............\n00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............\nbacktrace:\n [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc\n [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230\n [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260\n [<0000000037818dae>] kmemdup+0x34/0x60\n [<00000000610f7f57>] rproc_boot+0x35c/0x56c\n [<0000000065f8871a>] rproc_add+0x124/0x17c\n [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4\n [<000000003bcaa37d>] platform_probe+0x68/0xd8\n [<00000000771577f9>] really_probe+0x110/0x27c\n [<00000000531fea59>] __driver_probe_device+0x78/0x12c\n [<0000000080036a04>] driver_probe_device+0x3c/0x118\n [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8\n [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4\n [<000000001a53b53e>] __device_attach+0xfc/0x18c\n [<00000000d1a2a32c>] device_initial_probe+0x14/0x20\n [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4\n unreferenced object 0xffff0000864c9690 (size 16):","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3562c09feeb8d8e9d102ce6840e8c7d57a7feb5c","https://git.kernel.org/stable/c/3ee979709e16a83b257bc9a544a7ff71fd445ea9","https://git.kernel.org/stable/c/6fe9486d709e4a60990843832501ef6556440ca7","https://git.kernel.org/stable/c/bcd241230fdbc6005230f80a4f8646ff5a84f15b","https://git.kernel.org/stable/c/bf876fd9dc2d0c9fff96aef63d4346719f206fc1","https://git.kernel.org/stable/c/f4ef928ca504c996f9222eb2c59ac6d6eefd9c75","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38419","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Cleanup acquired resources when 
rproc_handle_resources() fails in rproc_attach()\n\nWhen rproc->state = RPROC_DETACHED and rproc_attach() is used\nto attach to the remote processor, if rproc_handle_resources()\nreturns a failure, the resources allocated by imx_rproc_prepare()\nshould be released, otherwise the following memory leak will occur.\n\nSince almost the same thing is done in imx_rproc_prepare() and\nrproc_resource_cleanup(), Function rproc_resource_cleanup() is able\nto deal with empty lists so it is better to fix the \"goto\" statements\nin rproc_attach(). replace the \"unprepare_device\" goto statement with\n\"clean_up_resources\" and get rid of the \"unprepare_device\" label.\n\nunreferenced object 0xffff0000861c5d00 (size 128):\ncomm \"kworker/u12:3\", pid 59, jiffies 4294893509 (age 149.220s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............\nbacktrace:\n [<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c\n [<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0\n [<00000000521c0345>] kmalloc_trace+0x40/0x158\n [<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8\n [<000000002815755e>] imx_rproc_prepare+0xe0/0x180\n [<0000000003f61b4e>] rproc_boot+0x2ec/0x528\n [<00000000e7e994ac>] rproc_add+0x124/0x17c\n [<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4\n [<00000000efc298a1>] platform_probe+0x68/0xd8\n [<00000000110be6fe>] really_probe+0x110/0x27c\n [<00000000e245c0ae>] __driver_probe_device+0x78/0x12c\n [<00000000f61f6f5e>] driver_probe_device+0x3c/0x118\n [<00000000a7874938>] __device_attach_driver+0xb8/0xf8\n [<0000000065319e69>] bus_for_each_drv+0x84/0xe4\n [<00000000db3eb243>] __device_attach+0xfc/0x18c\n [<0000000072e4e1a4>] 
device_initial_probe+0x14/0x20","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5434d9f2fd68722b514c14b417b53a8af02c4d24","https://git.kernel.org/stable/c/7692c9fbedd9087dc9050903f58095915458d9b1","https://git.kernel.org/stable/c/82208ce9505abb057afdece7c62a14687c52c9ca","https://git.kernel.org/stable/c/92776ca0ccfe78b9bfe847af206bad641fb11121","https://git.kernel.org/stable/c/9515d74c9d1ae7308a02e8bd4f894eb8137cf8df","https://git.kernel.org/stable/c/c56d6ef2711ee51b54f160ad0f25a381561f0287","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38406","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath6kl: remove WARN on bad firmware input\n\nIf the firmware gives bad input, that's nothing to do with\nthe driver's stack at this point etc., so the WARN_ON()\ndoesn't add any value. Additionally, this is one of the\ntop syzbot reports now. 
Just print a message, and as an\nadded bonus, print the sizes too.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04405,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27d07deea35ae67f2e75913242e25bdb7e1114e5","https://git.kernel.org/stable/c/327997afbb5e62532c28c1861ab5534c01969c9a","https://git.kernel.org/stable/c/347827bd0c5680dac2dd59674616840c4d5154f1","https://git.kernel.org/stable/c/46b47d4b06fa7f234d93f0f8ac43798feafcff89","https://git.kernel.org/stable/c/7a2afdc5af3b82b601f6a2f0d1c90d5f0bc27aeb","https://git.kernel.org/stable/c/89bd133529a4d2d68287128b357e49adc00ec690","https://git.kernel.org/stable/c/e6c49f0b203a987c306676d241066451b74db1a5","https://git.kernel.org/stable/c/e7417421d89358da071fd2930f91e67c7128fbff","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38409","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix another leak in the submit error path\n\nput_unused_fd() doesn't free the installed file, if we've already done\nfd_install().  
So we need to also free the sync_file.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653583/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00b3401f692082ddf6342500d1be25560bba46d4","https://git.kernel.org/stable/c/30d3819b0b9173e31b84d662a592af8bad351427","https://git.kernel.org/stable/c/3f6ce8433a9035b0aa810e1f5b708e9dc1c367b0","https://git.kernel.org/stable/c/c40ad1c04d306f7fde26337fdcf8a5979657d93f","https://git.kernel.org/stable/c/f681c2aa8676a890eacc84044717ab0fd26e058f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38410","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix a fence leak in submit error path\n\nIn error paths, we could unref the submit without calling\ndrm_sched_entity_push_job(), so msm_job_free() will never get\ncalled.  
Since drm_sched_job_cleanup() will NULL out the\ns_fence, we can use that to detect this case.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653584/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dc817f852e5f8ec8501d19ef7dcc01affa181d0","https://git.kernel.org/stable/c/0eaa495b3d5710e5ba72051d2e01bb28292c625c","https://git.kernel.org/stable/c/201eba5c9652a900c0b248070263f9acd3735689","https://git.kernel.org/stable/c/5d319f75ccf7f0927425a7545aa1a22b3eedc189","https://git.kernel.org/stable/c/5deab0fa6cfd0cd7def17598db15ceb84f950584","https://git.kernel.org/stable/c/fe2695b2f63bd77e0e03bc0fc779164115bb4699","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38412","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks\n\nAfter retrieving WMI data blocks in sysfs callbacks, check for the\nvalidity of them before dereferencing their 
content.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0deb3eb78ebf225cb41aa9b2b2150f46cbfd359e","https://git.kernel.org/stable/c/5df3b870bc389a1767c72448a3ce1c576ef4deab","https://git.kernel.org/stable/c/68e9963583d11963ceca5d276e9c44684509f759","https://git.kernel.org/stable/c/92c2d914b5337431d885597a79a3a3d9d55e80b7","https://git.kernel.org/stable/c/aaf847dcb4114fe8b25d4c1c790bedcb6088cb3d","https://git.kernel.org/stable/c/eb617dd25ca176f3fee24f873f0fd60010773d67","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38403","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/vmci: Clear the vmci transport packet properly when initializing it\n\nIn vmci_transport_packet_init memset the vmci_transport_packet before\npopulating the fields to avoid any uninitialised data being left in 
the\nstructure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.03952,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a01021317375b8d1895152f544421ce49299eb1","https://git.kernel.org/stable/c/19c2cc01ff9a8031398a802676ffb0f4692dd95d","https://git.kernel.org/stable/c/1c1bcb0e78230f533b4103e8cf271d17c3f469f0","https://git.kernel.org/stable/c/223e2288f4b8c262a864e2c03964ffac91744cd5","https://git.kernel.org/stable/c/2d44723a091bc853272e1a51a488a3d22b80be5e","https://git.kernel.org/stable/c/75705b44e0b9aaa74f4c163d93d388bcba9e386a","https://git.kernel.org/stable/c/94d0c326cb3ee6b0f8bd00e209550b93fcc5c839","https://git.kernel.org/stable/c/e9a673153d578fd439919a24e99851b2f87ecbce","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38404","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: displayport: Fix potential deadlock\n\nThe deadlock can occur due to a recursive lock acquisition of\n`cros_typec_altmode_data::mutex`.\nThe call chain is as follows:\n1. cros_typec_altmode_work() acquires the mutex\n2. typec_altmode_vdm() -> dp_altmode_vdm() ->\n3. typec_altmode_exit() -> cros_typec_altmode_exit()\n4. 
cros_typec_altmode_exit() attempts to acquire the mutex again\n\nTo prevent this, defer the `typec_altmode_exit()` call by scheduling\nit rather than calling it directly from within the mutex-protected\ncontext.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/099cf1fbb8afc3771f408109f62bdec66f85160e","https://git.kernel.org/stable/c/63cff9f57e86b2dc25d7487ca0118df89a665296","https://git.kernel.org/stable/c/749d9076735fb497aae60fbea9fff563f9ea3254","https://git.kernel.org/stable/c/76cf1f33e7319fe74c94ac92f9814094ee8cc84b","https://git.kernel.org/stable/c/7be0d1ea71f52595499da39cea484a895e8ed042","https://git.kernel.org/stable/c/80c25d7916a44715338d4f8924c8e52af50d0b9f","https://git.kernel.org/stable/c/c782f98eef14197affa8a7b91e6981420f109ea9","https://git.kernel.org/stable/c/eb08fca56f1f39e4038cb9bac9864464b13b00aa","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T14:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38396","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. 
In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/66d29d757c968d2bee9124816da5d718eb352959","https://git.kernel.org/stable/c/6ca45ea48530332a4ba09595767bd26d3232743b","https://git.kernel.org/stable/c/cbe4134ea4bc493239786220bd69cb8a13493190","https://git.kernel.org/stable/c/e3eed01347721cd7a8819568161c91d538fbf229","https://git.kernel.org/stable/c/f94c422157f3e43dd31990567b3e5d54b3e5b32b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38399","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()\n\nThe function core_scsi3_decode_spec_i_port(), in its error code path,\nunconditionally calls core_scsi3_lunacl_undepend_item() passing the\ndest_se_deve pointer, which may be NULL.\n\nThis can lead to a NULL pointer dereference if dest_se_deve remains\nunset.\n\nSPC-3 PR SPEC_I_PT: Unable to locate dest_tpg\nUnable to handle kernel paging request at virtual address dfff800000000012\nCall trace:\n  core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)\n  core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]\n  core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]\n  target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]\n\nFix this by adding a NULL check before 
calling\ncore_scsi3_lunacl_undepend_item()","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1129e0e0a833acf90429e0f13951068d5f026e4f","https://git.kernel.org/stable/c/1627dda4d70ceb1ba62af2e401af73c09abb1eb5","https://git.kernel.org/stable/c/55dfffc5e94730370b08de02c0cf3b7c951bbe9e","https://git.kernel.org/stable/c/70ddb8133fdb512d4b1f2b4fd1c9e518514f182c","https://git.kernel.org/stable/c/7296c938df2445f342be456a6ff0b3931d97f4e5","https://git.kernel.org/stable/c/c412185d557578d3f936537ed639c4ffaaed4075","https://git.kernel.org/stable/c/d8ab68bdb294b09a761e967dad374f2965e1913f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38400","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.\n\nsyzbot reported a warning below [1] following a fault injection in\nnfs_fs_proc_net_init(). 
[0]\n\nWhen nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.\n\nLater, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning\nis logged as the directory is not empty.\n\nLet's handle the error of nfs_fs_proc_net_init() properly.\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n  dump_stack_lvl (lib/dump_stack.c:123)\n should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)\n should_failslab (mm/failslab.c:46)\n kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)\n __proc_create (fs/proc/generic.c:427)\n proc_create_reg (fs/proc/generic.c:554)\n proc_create_net_data (fs/proc/proc_net.c:120)\n nfs_fs_proc_net_init (fs/nfs/client.c:1409)\n nfs_net_init (fs/nfs/inode.c:2600)\n ops_init (net/core/net_namespace.c:138)\n setup_net (net/core/net_namespace.c:443)\n copy_net_ns (net/core/net_namespace.c:576)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))\n ksys_unshare (kernel/fork.c:3123)\n __x64_sys_unshare (kernel/fork.c:3190)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\n[1]:\nremove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'\n WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727\nModules linked in:\nCPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727\nCode: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 
00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00\nRSP: 0018:ffffc90003637b08 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8\nRDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001\nRBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00\nR13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000\nFS:  0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76\n  ops_exit_list net/core/net_namespace.c:200 [inline]\n  ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253\n  setup_net+0x2e1/0x510 net/core/net_namespace.c:457\n  copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574\n  create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218\n  ksys_unshare+0x45b/0xa40 kernel/fork.c:3121\n  __do_sys_unshare kernel/fork.c:3192 [inline]\n  __se_sys_unshare kernel/fork.c:3190 [inline]\n  __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa1a6b8e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3c94212b57bedec3a386ef3da1ef00602f5c3d1d","https://git.kernel.org/stable/c/412534a1fb76958b88dca48360c6f3ad4f3390f4","https://git.kernel.org/stable/c/6acf340f8c1d296bcf535986175f5d0d6f2aab09","https://git.kernel.org/stable/c/7701c245ff1ac1a126bf431e72b24547519046ff","https://git.kernel.org/stable/c/8785701fd7cd52ae74c0d2b35b82568df74e9dbb","https://git.kernel.org/stable/c/b92397ce96743e4cc090207e2df2a856cb4cef08","https://git.kernel.org/stable/c/d0877c479f44fe475f4c8c02c88ce9ad43e90298","https://git.kernel.org/stable/c/e8d6f3ab59468e230f3253efe5cb63efa35289f7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38401","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtk-sd: Prevent memory corruption from DMA map failure\n\nIf msdc_prepare_data() fails to map the DMA region, the request is\nnot prepared for data receiving, but msdc_start_data() proceeds\nthe DMA with previous setting.\nSince this will lead a memory corruption, we have to stop the\nrequest operation soon after the msdc_prepare_data() fails to\nprepare 
it.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00022,"ranking_epss":0.05758,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3419bc6a7b65cbbb91417bb9970208478e034c79","https://git.kernel.org/stable/c/48bf4f3dfcdab02b22581d8e350a2d23130b72c0","https://git.kernel.org/stable/c/5ac9e9e2e9cd6247d8c2d99780eae4556049e1cc","https://git.kernel.org/stable/c/61cdd663564674ea21ceb50aa9d3697cbe9e45f9","https://git.kernel.org/stable/c/63e8953f16acdcb23e2d4dd8a566d3c34df3e200","https://git.kernel.org/stable/c/a5f5f67b284d81776d4a3eb1f8607e4b7f91f11c","https://git.kernel.org/stable/c/d54771571f74a82c59830a32e76af78a8e57ac69","https://git.kernel.org/stable/c/f5de469990f19569627ea0dd56536ff5a13beaa3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38387","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert\n\nThe obj_event may be loaded immediately after inserted, then if the\nlist_head is not initialized then we may get a poisonous pointer.  
This\nfixes the crash below:\n\n mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)\n mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056\n mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0\n mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps\n IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n Mem abort info:\n   ESR = 0x96000006\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n Data abort info:\n   ISV = 0, ISS = 0x00000006\n   CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000\n [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#1] SMP\n Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)\n  [last unloaded: mst_pci]\n CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G           OE K   
5.10.134-13.1.an8.aarch64 #1\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023\n pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)\n pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]\n lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]\n sp : ffff80001005bcf0\n x29: ffff80001005bcf0 x28: 0000000000000001\n x27: ffff244e0740a1d8 x26: ffff244e0740a1d0\n x25: ffffda56beff5ae0 x24: ffffda56bf911618\n x23: ffff244e0596a480 x22: ffff244e0596a480\n x21: ffff244d8312ad90 x20: ffff244e0596a480\n x19: fffffffffffffff0 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffda56be66d620\n x15: 0000000000000000 x14: 0000000000000000\n x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000040 x10: ffffda56bfcafb50\n x9 : ffffda5655c25f2c x8 : 0000000000000010\n x7 : 0000000000000000 x6 : ffff24545a2e24b8\n x5 : 0000000000000003 x4 : ffff80001005bd28\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : ffff244e0596a480 x0 : ffff244d8312ad90\n Call trace:\n  dispatch_event_fd+0x68/0x300 [mlx5_ib]\n  devx_event_notifier+0xcc/0x228 [mlx5_ib]\n  atomic_notifier_call_chain+0x58/0x80\n  mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]\n  atomic_notifier_call_chain+0x58/0x80\n  irq_int_handler+0x20/0x30 [mlx5_core]\n  __handle_irq_event_percpu+0x60/0x220\n  handle_irq_event_percpu+0x3c/0x90\n  handle_irq_event+0x58/0x158\n  handle_fasteoi_irq+0xfc/0x188\n  generic_handle_irq+0x34/0x48\n  
...","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00ed215f593876385451423924fe0358c556179c","https://git.kernel.org/stable/c/23a3b32a274a8d6f33480d0eff436eb100981651","https://git.kernel.org/stable/c/716b555fc0580c2aa4c2c32ae4401c7e3ad9873e","https://git.kernel.org/stable/c/8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a","https://git.kernel.org/stable/c/93fccfa71c66a4003b3d2fef3a38de7307e14a4e","https://git.kernel.org/stable/c/972e968aac0dce8fe8faad54f6106de576695d8e","https://git.kernel.org/stable/c/9a28377a96fb299c180dd9cf0be3b0a038a52d4e","https://git.kernel.org/stable/c/e8069711139249994450c214cec152b917b959e0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38389","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix timeline left held on VMA alloc error\n\nThe following error has been reported sporadically by CI when a test\nunbinds the i915 driver on a ring submission platform:\n\n<4> [239.330153] ------------[ cut here ]------------\n<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)\n<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n<4> [239.330942] Call Trace:\n<4> [239.330944]  <TASK>\n<4> [239.330949]  i915_driver_late_release+0x2b/0xa0 [i915]\n<4> [239.331202]  i915_driver_release+0x86/0xa0 [i915]\n<4> [239.331482]  devm_drm_dev_init_release+0x61/0x90\n<4> [239.331494]  devm_action_release+0x15/0x30\n<4> [239.331504]  release_nodes+0x3d/0x120\n<4> [239.331517]  
devres_release_all+0x96/0xd0\n<4> [239.331533]  device_unbind_cleanup+0x12/0x80\n<4> [239.331543]  device_release_driver_internal+0x23a/0x280\n<4> [239.331550]  ? bus_find_device+0xa5/0xe0\n<4> [239.331563]  device_driver_detach+0x14/0x20\n...\n<4> [357.719679] ---[ end trace 0000000000000000 ]---\n\nIf the test also unloads the i915 module then that's followed with:\n\n<3> [357.787478] =============================================================================\n<3> [357.788006] BUG i915_vma (Tainted: G     U  W        N ): Objects remaining on __kmem_cache_shutdown()\n<3> [357.788031] -----------------------------------------------------------------------------\n<3> [357.788204] Object 0xffff888109e7f480 @offset=29824\n<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244\n<4> [357.788994]  i915_vma_instance+0xee/0xc10 [i915]\n<4> [357.789290]  init_status_page+0x7b/0x420 [i915]\n<4> [357.789532]  intel_engines_init+0x1d8/0x980 [i915]\n<4> [357.789772]  intel_gt_init+0x175/0x450 [i915]\n<4> [357.790014]  i915_gem_init+0x113/0x340 [i915]\n<4> [357.790281]  i915_driver_probe+0x847/0xed0 [i915]\n<4> [357.790504]  i915_pci_probe+0xe6/0x220 [i915]\n...\n\nCloser analysis of CI results history has revealed a dependency of the\nerror on a few IGT tests, namely:\n- igt@api_intel_allocator@fork-simple-stress-signal,\n- igt@api_intel_allocator@two-level-inception-interruptible,\n- igt@gem_linear_blits@interruptible,\n- igt@prime_mmap_coherency@ioctl-errors,\nwhich invisibly trigger the issue, then exhibited with first driver unbind\nattempt.\n\nAll of the above tests perform actions which are actively interrupted with\nsignals.  
Further debugging has allowed to narrow that scope down to\nDRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring\nsubmission, in particular.\n\nIf successful then that function, or its execlists or GuC submission\nequivalent, is supposed to be called only once per GEM context engine,\nfollowed by raise of a flag that prevents the function from being called\nagain.  The function is expected to unwind its internal errors itself, so\nit may be safely called once more after it returns an error.\n\nIn case of ring submission, the function first gets a reference to the\nengine's legacy timeline and then allocates a VMA.  If the VMA allocation\nfails, e.g. when i915_vma_instance() called from inside is interrupted\nwith a signal, then ring_context_alloc() fails, leaving the timeline held\nreferenced.  On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the\ntimeline is got, and only that last one is put on successful completion.\nAs a consequence, the legacy timeline, with its underlying engine status\npage's VMA object, is still held and not released on driver unbind.\n\nGet the legacy timeline only after successful allocation of the context\nengine's VMA.\n\nv2: Add a note on other submission methods (Krzysztof Karas):\n    Both execlists and GuC submission use lrc_alloc() which seems free\n    from a similar issue.\n\n(cherry picked from commit 
cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/40e09506aea1fde1f3e0e04eca531bbb23404baf","https://git.kernel.org/stable/c/4c778c96e469fb719b11683e0a3be8ea68052fa2","https://git.kernel.org/stable/c/5a7ae7bebdc4c2ecd48a2c061319956f65c09473","https://git.kernel.org/stable/c/60b757730884e4a223152a68d9b5f625dac94119","https://git.kernel.org/stable/c/a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6","https://git.kernel.org/stable/c/c542d62883f62ececafcb630a1c5010133826bea","https://git.kernel.org/stable/c/e47d7d6edc40a6ace7cc04e5893759fee68569f5","https://git.kernel.org/stable/c/f10af34261448610d4048ac6e6af87f80e3881a4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38391","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: do not index invalid pin_assignments\n\nA poorly implemented DisplayPort Alt Mode port partner can indicate\nthat its pin assignment capabilities are greater than the maximum\nvalue, DP_PIN_ASSIGN_F. 
In this case, calls to pin_assignment_show\nwill cause a BRK exception due to an out of bounds array access.\n\nPrevent for loop in pin_assignment_show from accessing\ninvalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX\nvalue in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop\ncondition.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/114a977e0f6bf278e05eade055e13fc271f69cf7","https://git.kernel.org/stable/c/2f535517b5611b7221ed478527e4b58e29536ddf","https://git.kernel.org/stable/c/45e9444b3b97eaf51a5024f1fea92f44f39b50c6","https://git.kernel.org/stable/c/47cb5d26f61d80c805d7de4106451153779297a1","https://git.kernel.org/stable/c/5581e694d3a1c2f32c5a51d745c55b107644e1f8","https://git.kernel.org/stable/c/621d5a3ef0231ab242f2d31eecec40c38ca609c5","https://git.kernel.org/stable/c/af4db5a35a4ef7a68046883bfd12468007db38f1","https://git.kernel.org/stable/c/c93bc959788ed9a1af7df57cb539837bdf790cee","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38393","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN\n\nWe found a few different systems hung up in writeback waiting on the same\npage lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in\npnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count\nwas zero.\n\nIt seems most likely that this is another race between the waiter and waker\nsimilar to commit ed0172af5d6f (\"SUNRPC: Fix a race to wake a sync task\").\nFix it up by applying the advised 
barrier.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00014,"ranking_epss":0.02606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08287df60bac5b008b6bcdb03053988335d3d282","https://git.kernel.org/stable/c/1f4da20080718f258e189a2c5f515385fa393da6","https://git.kernel.org/stable/c/864a54c1243ed3ca60baa4bc492dede1361f4c83","https://git.kernel.org/stable/c/8846fd02c98da8b79e6343a20e6071be6f372180","https://git.kernel.org/stable/c/8ca65fa71024a1767a59ffbc6a6e2278af84735e","https://git.kernel.org/stable/c/c01776287414ca43412d1319d2877cbad65444ac","https://git.kernel.org/stable/c/e4b13885e7ef1e64e45268feef1e5f0707c47e72","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38395","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: gpio: Fix the out-of-bounds access to drvdata::gpiods\n\ndrvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But\nthe memory is allocated for only one pointer. This will lead to\nout-of-bounds access later in the code if 'config::ngpios' is > 1. 
So\nfix the code to allocate enough memory to hold 'config::ngpios' of GPIO\ndescriptors.\n\nWhile at it, also move the check for memory allocation failure to be below\nthe allocation to make it more readable.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00018,"ranking_epss":0.04777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24418bc77a66cb5be9f5a837431ba3674ed8b52f","https://git.kernel.org/stable/c/3830ab97cda9599872625cc0dc7b00160193634f","https://git.kernel.org/stable/c/56738cbac3bbb1d39a71a07f57484dec1db8b239","https://git.kernel.org/stable/c/9fe71972869faed1f8f9b3beb9040f9c1b300c79","https://git.kernel.org/stable/c/a1e12fac214d4f49fcb186dbdf9c5592e7fa0a7a","https://git.kernel.org/stable/c/a3cd5ae7befbac849e0e0529c94ca04e8093cfd2","https://git.kernel.org/stable/c/c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3","https://git.kernel.org/stable/c/e4d19e5d71b217940e33f2ef6c6962b7b68c5606","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38382","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix iteration of extrefs during log replay\n\nAt __inode_add_ref() when processing extrefs, if we jump into the next\nlabel we have an undefined value of victim_name.len, since we haven't\ninitialized it before we did the goto. 
This results in an invalid memory\naccess in the next iteration of the loop since victim_name.len was not\ninitialized to the length of the name of the current extref.\n\nFix this by initializing victim_name.len with the current extref's name\nlength.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d11d274e2e1d7c79e2ca8461ce3ff3a95c11171","https://git.kernel.org/stable/c/539969fc472886a1d63565459514d47e27fef461","https://git.kernel.org/stable/c/54a7081ed168b72a8a2d6ef4ba3a1259705a2926","https://git.kernel.org/stable/c/7ac790dc2ba00499a8d671d4a24de4d4ad27e234","https://git.kernel.org/stable/c/aee57a0293dca675637e5504709f9f8fd8e871be","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38384","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spinand: fix memory leak of ECC engine conf\n\nMemory allocated for the ECC engine conf is not released during spinand\ncleanup. 
Below kmemleak trace is seen for this memory leak:\n\nunreferenced object 0xffffff80064f00e0 (size 8):\n  comm \"swapper/0\", pid 1, jiffies 4294937458\n  hex dump (first 8 bytes):\n    00 00 00 00 00 00 00 00                          ........\n  backtrace (crc 0):\n    kmemleak_alloc+0x30/0x40\n    __kmalloc_cache_noprof+0x208/0x3c0\n    spinand_ondie_ecc_init_ctx+0x114/0x200\n    nand_ecc_init_ctx+0x70/0xa8\n    nanddev_ecc_engine_init+0xec/0x27c\n    spinand_probe+0xa2c/0x1620\n    spi_mem_probe+0x130/0x21c\n    spi_probe+0xf0/0x170\n    really_probe+0x17c/0x6e8\n    __driver_probe_device+0x17c/0x21c\n    driver_probe_device+0x58/0x180\n    __device_attach_driver+0x15c/0x1f8\n    bus_for_each_drv+0xec/0x150\n    __device_attach+0x188/0x24c\n    device_initial_probe+0x10/0x20\n    bus_probe_device+0x11c/0x160\n\nFix the leak by calling nanddev_ecc_engine_cleanup() inside\nspinand_cleanup().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.02971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6463cbe08b0cbf9bba8763306764f5fd643023e1","https://git.kernel.org/stable/c/68d3417305ee100dcad90fd6e5846b22497aa394","https://git.kernel.org/stable/c/93147abf80a831dd3b5660b3309b4f09546073b2","https://git.kernel.org/stable/c/c40b207cafd006c610832ba52a81cedee77adcb9","https://git.kernel.org/stable/c/d5c1e3f32902ab518519d05515ee6030fd6c59ae","https://git.kernel.org/stable/c/f99408670407abb6493780e38cb4ece3fbb52cfc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38385","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect\n\nRemove redundant netif_napi_del() call from disconnect path.\n\nA WARN may be triggered in __netif_napi_del_locked() during USB 
device\ndisconnect:\n\n  WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n\nThis happens because netif_napi_del() is called in the disconnect path while\nNAPI is still enabled. However, it is not necessary to call netif_napi_del()\nexplicitly, since unregister_netdev() will handle NAPI teardown automatically\nand safely. Removing the redundant call avoids triggering the warning.\n\nFull trace:\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV\n lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV\n lan78xx 1-1:1.0 enu1: Link is Down\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n Modules linked in: flexcan can_dev fuse\n CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT\n Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)\n Workqueue: usb_hub_wq hub_event\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __netif_napi_del_locked+0x2b4/0x350\n lr : __netif_napi_del_locked+0x7c/0x350\n sp : ffffffc085b673c0\n x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8\n x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb\n x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000\n x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000\n x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028\n x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8\n x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000\n x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001\n x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000\n Call trace:\n  __netif_napi_del_locked+0x2b4/0x350 (P)\n  lan78xx_disconnect+0xf4/0x360\n  
usb_unbind_interface+0x158/0x718\n  device_remove+0x100/0x150\n  device_release_driver_internal+0x308/0x478\n  device_release_driver+0x1c/0x30\n  bus_remove_device+0x1a8/0x368\n  device_del+0x2e0/0x7b0\n  usb_disable_device+0x244/0x540\n  usb_disconnect+0x220/0x758\n  hub_event+0x105c/0x35e0\n  process_one_work+0x760/0x17b0\n  worker_thread+0x768/0xce8\n  kthread+0x3bc/0x690\n  ret_from_fork+0x10/0x20\n irq event stamp: 211604\n hardirqs last  enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98\n hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80\n softirqs last  enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8\n softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20\n ---[ end trace 0000000000000000 ]---\n lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00019,"ranking_epss":0.0512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17a37b9a5dd945d86110838fb471e7139ba993a2","https://git.kernel.org/stable/c/510a6095d754df9d727f644ec5076b7929d6c9ea","https://git.kernel.org/stable/c/6c7ffc9af7186ed79403a3ffee9a1e5199fc7450","https://git.kernel.org/stable/c/7135056a49035597198280820c61b8c5dbe4a1d0","https://git.kernel.org/stable/c/968a419c95131e420f12bbdba19e96e2f6b071c4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38386","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update a least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this a result of a clear AML issue that arguably cannot be 
fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02613,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803","https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16","https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d","https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f","https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5","https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1","https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87","https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38371","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable interrupts before resetting the GPU\n\nCurrently, an interrupt can be triggered during a GPU reset, which can\nlead to GPU hangs and NULL pointer dereference in an interrupt context\nas shown in the following trace:\n\n [  314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n [  314.043822] Mem abort info:\n [  314.046606]   ESR = 0x0000000096000005\n [  314.050347]   EC = 0x25: DABT (current EL), IL = 32 bits\n [  314.055651]   SET = 0, FnV = 0\n [  314.058695]   EA = 0, S1PTW = 0\n [  314.061826]   FSC = 0x05: level 1 translation fault\n [  314.066694] Data abort info:\n [  314.069564]   ISV = 0, ISS = 0x00000005, 
ISS2 = 0x00000000\n [  314.075039]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n [  314.080080]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n [  314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000\n [  314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n [  314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n [  314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n [  314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n [  314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n [  314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [  314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]\n [  314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]\n [  314.160198] sp : ffffffc080003ea0\n [  314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000\n [  314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0\n [  314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000\n [  314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000\n [  314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000\n [  314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001\n [  314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874\n [  314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180\n [  314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb\n [  314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n [  314.234807] Call trace:\n [  314.237243]  v3d_irq+0xec/0x2e0 [v3d]\n [  314.240906]  
__handle_irq_event_percpu+0x58/0x218\n [  314.245609]  handle_irq_event+0x54/0xb8\n [  314.249439]  handle_fasteoi_irq+0xac/0x240\n [  314.253527]  handle_irq_desc+0x48/0x68\n [  314.257269]  generic_handle_domain_irq+0x24/0x38\n [  314.261879]  gic_handle_irq+0x48/0xd8\n [  314.265533]  call_on_irq_stack+0x24/0x58\n [  314.269448]  do_interrupt_handler+0x88/0x98\n [  314.273624]  el1_interrupt+0x34/0x68\n [  314.277193]  el1h_64_irq_handler+0x18/0x28\n [  314.281281]  el1h_64_irq+0x64/0x68\n [  314.284673]  default_idle_call+0x3c/0x168\n [  314.288675]  do_idle+0x1fc/0x230\n [  314.291895]  cpu_startup_entry+0x3c/0x50\n [  314.295810]  rest_init+0xe4/0xf0\n [  314.299030]  start_kernel+0x5e8/0x790\n [  314.302684]  __primary_switched+0x80/0x90\n [  314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)\n [  314.312775] ---[ end trace 0000000000000000 ]---\n [  314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n [  314.324249] SMP: stopping secondary CPUs\n [  314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000\n [  314.334076] PHYS_OFFSET: 0x0\n [  314.336946] CPU features: 0x08,00002013,c0200000,0200421b\n [  314.342337] Memory Limit: none\n [  314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nBefore resetting the 
G\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06485,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/226862f50a7a88e4e4de9abbf36c64d19acd6fd0","https://git.kernel.org/stable/c/2446e25e9246e0642a41d91cbf54c33b275da3c3","https://git.kernel.org/stable/c/387da3b6d1a90e3210bc9a7fb56703bdad2ac18a","https://git.kernel.org/stable/c/576a6739e08ac06c67f2916f71204557232388b0","https://git.kernel.org/stable/c/9ff95ed0371aec4d9617e478e9c69cde86cd7c38","https://git.kernel.org/stable/c/b9c403d1236cecb10dd0246a30d81e4b265f8e8d","https://git.kernel.org/stable/c/c8851a6ab19d9f390677c42a3cc01ff9b2eb6241","https://git.kernel.org/stable/c/dc805c927cd832bb8f790b756880ae6c769d5fbc","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38375","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: ensure the received length does not exceed allocated size\n\nIn xdp_linearize_page, when reading the following buffers from the ring,\nwe forget to check the received length with the true allocate size. This\ncan lead to an out-of-bound read. 
This commit adds that missing check.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8","https://git.kernel.org/stable/c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73","https://git.kernel.org/stable/c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58","https://git.kernel.org/stable/c/773e95c268b5d859f51f7547559734fd2a57660c","https://git.kernel.org/stable/c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b","https://git.kernel.org/stable/c/982beb7582c193544eb9c6083937ec5ac1c9d651","https://git.kernel.org/stable/c/bc68bc3563344ccdc57d1961457cdeecab8f81ef","https://git.kernel.org/stable/c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38377","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrose: fix dangling neighbour pointers in rose_rt_device_down()\n\nThere are two bugs in rose_rt_device_down() that can cause\nuse-after-free:\n\n1. The loop bound `t->count` is modified within the loop, which can\n   cause the loop to terminate early and miss some entries.\n\n2. 
When removing an entry from the neighbour array, the subsequent entries\n   are moved up to fill the gap, but the loop index `i` is still\n   incremented, causing the next entry to be skipped.\n\nFor example, if a node has three neighbours (A, A, B) with count=3 and A\nis being removed, the second A is not checked.\n\n    i=0: (A, A, B) -> (A, B) with count=2\n          ^ checked\n    i=1: (A, B)    -> (A, B) with count=2\n             ^ checked (B, not A!)\n    i=2: (doesn't occur because i < count is false)\n\nThis leaves the second A in the array with count=2, but the rose_neigh\nstructure has been freed. Code that accesses these entries assumes that\nthe first `count` entries are valid pointers, causing a use-after-free\nwhen it accesses the dangling pointer.\n\nFix both issues by iterating over the array in reverse order with a fixed\nloop bound. This ensures that all entries are examined and that the removal\nof an entry doesn't affect subsequent iterations.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.0272,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea","https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a","https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157","https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db","https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4","https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756","https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4","https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38362"
,"summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check for get_first_active_display()\n\nThe function mod_hdcp_hdcp1_enable_encryption() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference in\nmod_hdcp_hdcp2_enable_encryption().\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02351,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1ebcdf38887949def1a553ff3e45c98ed95a3cd0","https://git.kernel.org/stable/c/34d3e10ab905f06445f8dbd8a3d9697095e71bae","https://git.kernel.org/stable/c/4ce9f2dc9ff7cc410e8c5d936ec551e26b9599a9","https://git.kernel.org/stable/c/5148c7ea69e9c5bf2f05081190f45ba96d3d1e7a","https://git.kernel.org/stable/c/b3005145eab98d36777660b8893466e4f630ae1c","https://git.kernel.org/stable/c/c3e9826a22027a21d998d3e64882fa377b613006","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38363","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix a possible null pointer dereference\n\nIn tegra_crtc_reset(), new memory is allocated with kzalloc(), but\nno check is performed. 
Before calling __drm_atomic_helper_crtc_reset,\nstate should be checked to prevent possible null pointer dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.0461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31ac2c680a8ac11dc54a5b339a07e138bcedd924","https://git.kernel.org/stable/c/5ff3636bcc32e1cb747f6f820bcf2bb6990a7d41","https://git.kernel.org/stable/c/780351a5f61416ed2ba1199cc57e4a076fca644d","https://git.kernel.org/stable/c/99a25fc7933b88d5e16668bf6ba2d098e1754406","https://git.kernel.org/stable/c/ab390ab81241cf8bf37c0a0ac2e9c6606bf3e991","https://git.kernel.org/stable/c/ac4ca634f0c9f227538711d725339293f7047b02","https://git.kernel.org/stable/c/c7fc459ae6f988e0d5045a270bd600ab08bc61f1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38364","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()\n\nTemporarily clear the preallocation flag when explicitly requesting\nallocations.  Pre-existing allocations are already counted against the\nrequest through mas_node_count_gfp(), but the allocations will not happen\nif the MA_STATE_PREALLOC flag is set.  
This flag is meant to avoid\nre-allocating in bulk allocation mode, and to detect issues with\npreallocation calculations.\n\nThe MA_STATE_PREALLOC flag should also always be set on zero allocations\nso that detection of underflow allocations will print a WARN_ON() during\nconsumption.\n\nUser visible effect of this flaw is a WARN_ON() followed by a null pointer\ndereference when subsequent requests for larger number of nodes is\nignored, such as the vma merge retry in mmap_region() caused by drivers\naltering the vma flags (which happens in v6.6, at least)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9e32f4700867abbd5d19abfcf698dbd0d2ce36a4","https://git.kernel.org/stable/c/cf95f8426f889949b738f51ffcd72884411f3a6a","https://git.kernel.org/stable/c/d69cd64bd5af41c6fd409313504089970edaf02f","https://git.kernel.org/stable/c/e63032e66bca1d06e600033f3369ba3db3af0870","https://git.kernel.org/stable/c/fba46a5d83ca8decb338722fb4899026d8d9ead2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38365","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a race between renames and directory logging\n\nWe have a race between a rename and directory inode logging that if it\nhappens and we crash/power fail before the rename completes, the next time\nthe filesystem is mounted, the log replay code will end up deleting the\nfile that was being renamed.\n\nThis is best explained following a step by step analysis of an interleaving\nof steps that lead into this situation.\n\nConsider the initial conditions:\n\n1) We are at transaction N;\n\n2) We have directories A and B created in a past transaction (< N);\n\n3) We have inode X corresponding to a file that has 2 
hardlinks, one in\n   directory A and the other in directory B, so we'll name them as\n   \"A/foo_link1\" and \"B/foo_link2\". Both hard links were persisted in a\n   past transaction (< N);\n\n4) We have inode Y corresponding to a file that as a single hard link and\n   is located in directory A, we'll name it as \"A/bar\". This file was also\n   persisted in a past transaction (< N).\n\nThe steps leading to a file loss are the following and for all of them we\nare under transaction N:\n\n 1) Link \"A/foo_link1\" is removed, so inode's X last_unlink_trans field\n    is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir();\n\n 2) Task A starts a rename for inode Y, with the goal of renaming from\n    \"A/bar\" to \"A/baz\", so we enter btrfs_rename();\n\n 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling\n    btrfs_insert_inode_ref();\n\n 4) Because the rename happens in the same directory, we don't set the\n    last_unlink_trans field of directoty A's inode to the current\n    transaction id, that is, we don't cal btrfs_record_unlink_dir();\n\n 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY\n    and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode()\n    (actually the dir index item is added as a delayed item, but the\n    effect is the same);\n\n 6) Now before task A adds the new entry \"A/baz\" to directory A by\n    calling btrfs_add_link(), another task, task B is logging inode X;\n\n 7) Task B starts a fsync of inode X and after logging inode X, at\n    btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since\n    inode X has a last_unlink_trans value of N, set at in step 1;\n\n 8) At btrfs_log_all_parents() we search for all parent directories of\n    inode X using the commit root, so we find directories A and B and log\n    them. 
Bu when logging direct A, we don't have a dir index item for\n    inode Y anymore, neither the old name \"A/bar\" nor for the new name\n    \"A/baz\" since the rename has deleted the old name but has not yet\n    inserted the new name - task A hasn't called yet btrfs_add_link() to\n    do that.\n\n    Note that logging directory A doesn't fallback to a transaction\n    commit because its last_unlink_trans has a lower value than the\n    current transaction's id (see step 4);\n\n 9) Task B finishes logging directories A and B and gets back to\n    btrfs_sync_file() where it calls btrfs_sync_log() to persist the log\n    tree;\n\n10) Task B successfully persisted the log tree, btrfs_sync_log() completed\n    with success, and a power failure happened.\n\n    We have a log tree without any directory entry for inode Y, so the\n    log replay code deletes the entry for inode Y, name \"A/bar\", from the\n    subvolume tree since it doesn't exist in the log tree and the log\n    tree is authorative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY\n    item that covers the index range for the dentry that corresponds to\n    \"A/bar\").\n\n    Since there's no other hard link for inode Y and the log replay code\n    deletes the name \"A/bar\", the file is lost.\n\nThe issue wouldn't happen if task B synced the log only after task A\ncalled btrfs_log_new_name(), which would update the log with the new name\nfor inode Y (\"A/bar\").\n\nFix this by pinning the log root during renames before removing the old\ndirectory entry, and unpinning 
af\n---truncated---","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00015,"ranking_epss":0.02959,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2088895d5903082bb9021770b919e733c57edbc1","https://git.kernel.org/stable/c/3ca864de852bc91007b32d2a0d48993724f4abad","https://git.kernel.org/stable/c/51bd363c7010d033d3334daf457c824484bf9bf0","https://git.kernel.org/stable/c/8c6874646c21bd820cf475e2874e62c133954023","https://git.kernel.org/stable/c/aeeae8feeaae4445a86f9815273e81f902dc1f5b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38354","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gpu: Fix crash when throttling GPU immediately during boot\n\nThere is a small chance that the GPU is already hot during boot. In that\ncase, the call to of_devfreq_cooling_register() will immediately try to\napply devfreq cooling, as seen in the following crash:\n\n  Unable to handle kernel paging request at virtual address 0000000000014110\n  pc : a6xx_gpu_busy+0x1c/0x58 [msm]\n  lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm]\n  Call trace:\n   a6xx_gpu_busy+0x1c/0x58 [msm] (P)\n   devfreq_simple_ondemand_func+0x3c/0x150\n   devfreq_update_target+0x44/0xd8\n   qos_max_notifier_call+0x30/0x84\n   blocking_notifier_call_chain+0x6c/0xa0\n   pm_qos_update_target+0xd0/0x110\n   freq_qos_apply+0x3c/0x74\n   apply_constraint+0x88/0x148\n   __dev_pm_qos_update_request+0x7c/0xcc\n   dev_pm_qos_update_request+0x38/0x5c\n   devfreq_cooling_set_cur_state+0x98/0xf0\n   __thermal_cdev_update+0x64/0xb4\n   thermal_cdev_update+0x4c/0x58\n   step_wise_manage+0x1f0/0x318\n   __thermal_zone_device_update+0x278/0x424\n   __thermal_cooling_device_register+0x2bc/0x308\n   thermal_of_cooling_device_register+0x10/0x1c\n   
of_devfreq_cooling_register_power+0x240/0x2bc\n   of_devfreq_cooling_register+0x14/0x20\n   msm_devfreq_init+0xc4/0x1a0 [msm]\n   msm_gpu_init+0x304/0x574 [msm]\n   adreno_gpu_init+0x1c4/0x2e0 [msm]\n   a6xx_gpu_init+0x5c8/0x9c8 [msm]\n   adreno_bind+0x2a8/0x33c [msm]\n   ...\n\nAt this point we haven't initialized the GMU at all yet, so we cannot read\nthe GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before\nin commit 6694482a70e9 (\"drm/msm: Avoid unclocked GMU register access in\n6xx gpu_busy\"): msm_devfreq_init() does call devfreq_suspend_device(), but\nunlike msm_devfreq_suspend(), it doesn't set the df->suspended flag\naccordingly. This means the df->suspended flag does not match the actual\ndevfreq state after initialization and msm_devfreq_get_dev_status() will\nend up accessing GMU registers, causing the crash.\n\nFix this by setting df->suspended correctly during initialization.\n\nPatchwork: https://patchwork.freedesktop.org/patch/650772/","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.04991,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1847ea44e3bdf7da8ff4158bc01b43a2e46394bd","https://git.kernel.org/stable/c/7946a10f8da75abc494e4bb80243e153e93e459a","https://git.kernel.org/stable/c/a6f673cc9488fd722c601fe020601dba14db21b2","https://git.kernel.org/stable/c/ae2015b0dbc0eea7aaf022194371f451f784d994","https://git.kernel.org/stable/c/b71717735be48d7743a34897e9e44a0b53e30c0e","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-25T13:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38352","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, 
it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won't be\nable to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk->exit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail\nanyway in this case.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"epss":0.00088,"ranking_epss":0.25234,"kev":true,"propose_action":"Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff","https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b","https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b","https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb","https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200","https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b","https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7","https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","https://github.com/farazsth98/chronomaly","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"],"published_time":"2025-07-22T08:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38350","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass 
notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes' dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent's parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. 
This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00022,"ranking_epss":0.05952,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09","https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43","https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb","https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5","https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472","https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070","https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7","https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-19T07:15:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-6558","summary":"Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00218,"ranking_epss":0.44426,"kev":true,"propose_action":"Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. 
This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.","ransomware_campaign":"Unknown","references":["https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html","https://issues.chromium.org/issues/427162086","http://seclists.org/fulldisclosure/2025/Aug/0","http://seclists.org/fulldisclosure/2025/Jul/30","http://seclists.org/fulldisclosure/2025/Jul/32","http://seclists.org/fulldisclosure/2025/Jul/35","http://seclists.org/fulldisclosure/2025/Jul/37","http://www.openwall.com/lists/oss-security/2025/08/02/1","https://lists.debian.org/debian-lts-announce/2025/08/msg00015.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6558"],"published_time":"2025-07-15T18:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38342","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoftware node: Correct an OOB check in software_node_get_reference_args()\n\nsoftware_node_get_reference_args() wants to get @index-th element, so\nthe property value requires at least '(index + 1) * sizeof(*ref)' bytes\nbut that cannot be guaranteed by current OOB check, and may cause OOB\nfor malformed property.\n\nFix by using as OOB check '((index + 1) * sizeof(*ref) > 
prop->length)'.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00023,"ranking_epss":0.06012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/142acd739eb6f08c148a96ae8309256f1422ff4b","https://git.kernel.org/stable/c/31e4e12e0e9609850cefd4b2e1adf782f56337d6","https://git.kernel.org/stable/c/4b3383110b6df48e0ba5936af2cb68d5eb6bd43b","https://git.kernel.org/stable/c/56ce76e8d406cc72b89aee7931df5cf3f18db49d","https://git.kernel.org/stable/c/7af18e42bdefe1dba5bcb32555a4d524fd504939","https://git.kernel.org/stable/c/9324127b07dde8529222dc19233aa57ec810856c","https://git.kernel.org/stable/c/f9397cf7bfb680799fb8c7f717c8f756384c3280","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38344","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi parse and parseext cache leaks\n\nACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5\n\nI'm Seunghun Han, and I work for National Security Research Institute of\nSouth Korea.\n\nI have been doing a research on ACPI and found an ACPI cache leak in ACPI\nearly abort cases.\n\nBoot log of ACPI cache leak is as follows:\n[    0.352414] ACPI: Added _OSI(Module Device)\n[    0.353182] ACPI: Added _OSI(Processor Device)\n[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.356028] ACPI: Unable to start the ACPI Interpreter\n[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects\n[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #10\n[    0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 
12/01/2006\n[    0.361873] Call Trace:\n[    0.362243]  ? dump_stack+0x5c/0x81\n[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.363296]  ? acpi_os_delete_cache+0xa/0x10\n[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.364000]  ? acpi_terminate+0xa/0x14\n[    0.364000]  ? acpi_init+0x2af/0x34f\n[    0.364000]  ? __class_create+0x4c/0x80\n[    0.364000]  ? video_setup+0x7f/0x7f\n[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.364000]  ? do_one_initcall+0x4e/0x1a0\n[    0.364000]  ? kernel_init_freeable+0x189/0x20a\n[    0.364000]  ? rest_init+0xc0/0xc0\n[    0.364000]  ? kernel_init+0xa/0x100\n[    0.364000]  ? ret_from_fork+0x25/0x30\n\nI analyzed this memory leak in detail. I found that “Acpi-State” cache and\n“Acpi-Parse” cache were merged because the size of cache objects was same\nslab cache size.\n\nI finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked\nusing SLAB_NEVER_MERGE flag in kmem_cache_create() function.\n\nReal ACPI cache leak point is as follows:\n[    0.360101] ACPI: Added _OSI(Module Device)\n[    0.360101] ACPI: Added _OSI(Processor Device)\n[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.364016] ACPI: Unable to start the ACPI Interpreter\n[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects\n[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.372000] Call Trace:\n[    0.372000]  ? dump_stack+0x5c/0x81\n[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b\n[    0.372000]  ? 
acpi_terminate+0xa/0x14\n[    0.372000]  ? acpi_init+0x2af/0x34f\n[    0.372000]  ? __class_create+0x4c/0x80\n[    0.372000]  ? video_setup+0x7f/0x7f\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? do_one_initcall+0x4e/0x1a0\n[    0.372000]  ? kernel_init_freeable+0x189/0x20a\n[    0.372000]  ? rest_init+0xc0/0xc0\n[    0.372000]  ? kernel_init+0xa/0x100\n[    0.372000]  ? ret_from_fork+0x25/0x30\n[    0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects\n[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.392000] Call Trace:\n[    0.392000]  ? dump_stack+0x5c/0x81\n[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.392000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.392000]  ? acpi_terminate+0xa/0x14\n[    0.392000]  ? 
acpi_init+0x2af/0x3\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04199,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a119fdaed67566aa3e0b5222dced4d08bbce463","https://git.kernel.org/stable/c/198c2dab022e5e94a99fff267b669d693bc7bb49","https://git.kernel.org/stable/c/1e0e629e88b1f7751ce69bf70cda6d1598d45271","https://git.kernel.org/stable/c/1fee4324b5660de080cefc3fc91c371543bdb8f6","https://git.kernel.org/stable/c/3e0c59180ec83bdec43b3d3482cff23d86d380d0","https://git.kernel.org/stable/c/41afebc9a0762aafc35d2df88f4e1b798155a940","https://git.kernel.org/stable/c/960236150cd3f08e13b397dd5ae4ccf7a2986c00","https://git.kernel.org/stable/c/bed18f0bdcd6737a938264a59d67923688696fc4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38345","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. 
While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n>[    0.585957] ACPI: Added _OSI(Module Device)\n>[    0.587218] ACPI: Added _OSI(Processor Device)\n>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n>[    0.597858] ACPI: Unable to start the ACPI Interpreter\n>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n>[    0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n>[    0.609177] Call Trace:\n>[    0.610063]  ? dump_stack+0x5c/0x81\n>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0\n>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27\n>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10\n>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b\n>[    0.619293]  ? acpi_terminate+0xa/0x14\n>[    0.620394]  ? acpi_init+0x2af/0x34f\n>[    0.621616]  ? __class_create+0x4c/0x80\n>[    0.623412]  ? video_setup+0x7f/0x7f\n>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27\n>[    0.625861]  ? do_one_initcall+0x4e/0x1a0\n>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f\n>[    0.628972]  ? rest_init+0x80/0x80\n>[    0.630043]  ? kernel_init+0xa/0x100\n>[    0.631084]  ? ret_from_fork+0x25/0x30\n>[    0.633343] vgaarb: loaded\n>[    0.635036] EDAC MC: Ver: 3.0.0\n>[    0.638601] PCI: Probing PCI hardware\n>[    0.639833] PCI host bridge to bus 0000:00\n>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]\n> ... 
Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state->operand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (<= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04199,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/156fd20a41e776bbf334bd5e45c4f78dfc90ce1c","https://git.kernel.org/stable/c/1c0d9115a001979cb446ba5e8331dd1d29a10bbf","https://git.kernel.org/stable/c/4fa430a8bca708c7776f6b9d001257f48b19a5b7","https://git.kernel.org/stable/c/5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4","https://git.kernel.org/stable/c/64c4bcf0308dd1d752ef31d560040b8725e29984","https://git.kernel.org/stable/c/755a8006b76792922ff7b1c9674d8897a476b5d7","https://git.kernel.org/stable/c/76d37168155880f2b04a0aad92ceb0f9d799950e","https://git.kernel.org/stable/c/e0783910ca4368b01466bc8dcdcc13c3e0b7db53","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38346","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix UAF when lookup kallsym after ftrace disabled\n\nThe following issue happens with a buggy module:\n\nBUG: unable to handle page fault for address: ffffffffc05d0218\nPGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 
0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nRIP: 0010:sized_strscpy+0x81/0x2f0\nRSP: 0018:ffff88812d76fa08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000\nRDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d\nRBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68\nR10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038\nR13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff\nFS:  00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ftrace_mod_get_kallsym+0x1ac/0x590\n update_iter_mod+0x239/0x5b0\n s_next+0x5b/0xa0\n seq_read_iter+0x8c9/0x1070\n seq_read+0x249/0x3b0\n proc_reg_read+0x1b0/0x280\n vfs_read+0x17f/0x920\n ksys_read+0xf3/0x1c0\n do_syscall_64+0x5f/0x2e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue may happen as follows:\n(1) Add kprobe tracepoint;\n(2) insmod test.ko;\n(3)  Module triggers ftrace disabled;\n(4) rmmod test.ko;\n(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;\nftrace_mod_get_kallsym()\n...\nstrscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);\n...\n\nThe problem is when a module triggers an issue with ftrace and\nsets ftrace_disable. The ftrace_disable is set when an anomaly is\ndiscovered and to prevent any more damage, ftrace stops all text\nmodification. The issue that happened was that the ftrace_disable stops\nmore than just the text modification.\n\nWhen a module is loaded, its init functions can also be traced. 
Because\nkallsyms deletes the init functions after a module has loaded, ftrace\nsaves them when the module is loaded and function tracing is enabled. This\nallows the output of the function trace to show the init function names\ninstead of just their raw memory addresses.\n\nWhen a module is removed, ftrace_release_mod() is called, and if\nftrace_disable is set, it just returns without doing anything more. The\nproblem here is that it leaves the mod_list still around and if kallsyms\nis called, it will call into this code and access the module memory that\nhas already been freed as it will return:\n\n  strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);\n\nWhere the \"mod\" no longer exists and triggers a UAF bug.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00027,"ranking_epss":0.07684,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03a162933c4a03b9f1a84f7d8482903c7e1e11bb","https://git.kernel.org/stable/c/6805582abb720681dd1c87ff677f155dcf4e86c9","https://git.kernel.org/stable/c/83a692a9792aa86249d68a8ac0b9d55ecdd255fa","https://git.kernel.org/stable/c/8690cd3258455bbae64f809e1d3ee0f043661c71","https://git.kernel.org/stable/c/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c","https://git.kernel.org/stable/c/d064c68781c19f378af1ae741d9132d35d24b2bb","https://git.kernel.org/stable/c/f78a786ad9a5443a29eef4dae60cde85b7375129","https://git.kernel.org/stable/c/f914b52c379c12288b7623bb814d0508dbe7481d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38347","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on ino and xnid\n\nsyzbot reported a f2fs bug as below:\n\nINFO: task syz-executor140:5308 blocked for more than 143 seconds.\n      
Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor140 state:D stack:24016 pid:5308  tgid:5308  ppid:5306   task_flags:0x400140 flags:0x00000006\nCall Trace:\n <TASK>\n context_switch kernel/sched/core.c:5378 [inline]\n __schedule+0x190e/0x4c90 kernel/sched/core.c:6765\n __schedule_loop kernel/sched/core.c:6842 [inline]\n schedule+0x14b/0x320 kernel/sched/core.c:6857\n io_schedule+0x8d/0x110 kernel/sched/core.c:7690\n folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317\n __folio_lock mm/filemap.c:1664 [inline]\n folio_lock include/linux/pagemap.h:1163 [inline]\n __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917\n pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87\n find_get_page_flags include/linux/pagemap.h:842 [inline]\n f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776\n __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463\n read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306\n lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]\n f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533\n __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179\n f2fs_acl_create fs/f2fs/acl.c:375 [inline]\n f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418\n f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539\n f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666\n f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765\n f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808\n f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]\n f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766\n vfs_mknod+0x36d/0x3b0 fs/namei.c:4191\n unix_bind_bsd net/unix/af_unix.c:1286 [inline]\n unix_bind+0x563/0xe30 net/unix/af_unix.c:1379\n __sys_bind_socket net/socket.c:1817 [inline]\n __sys_bind+0x1e4/0x290 net/socket.c:1848\n __do_sys_bind net/socket.c:1853 [inline]\n __se_sys_bind net/socket.c:1851 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1851\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n 
entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLet's dump and check metadata of corrupted inode, it shows its xattr_nid\nis the same as its i_ino.\n\ndump.f2fs -i 3 chaseyu.img.raw\ni_xattr_nid                             [0x       3 : 3]\n\nSo that, during mknod in the corrupted directory, it tries to get and\nlock inode page twice, resulting in deadlock.\n\n- f2fs_mknod\n - f2fs_add_inline_entry\n  - f2fs_get_inode_page --- lock dir's inode page\n   - f2fs_init_acl\n    - f2fs_acl_create(dir,..)\n     - __f2fs_get_acl\n      - f2fs_getxattr\n       - lookup_all_xattrs\n        - __get_node_page --- try to lock dir's inode page\n\nIn order to fix this, let's add sanity check on ino and xnid.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0004,"ranking_epss":0.12088,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/061cf3a84bde038708eb0f1d065b31b7c2456533","https://git.kernel.org/stable/c/44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d","https://git.kernel.org/stable/c/5a06d97d5340c00510f24e80e8de821bd3bd9285","https://git.kernel.org/stable/c/aaddc6c696bd1bff20eaacfa88579d6eae64d541","https://git.kernel.org/stable/c/c4029044cc408b149e63db7dc8617a0783a3f10d","https://git.kernel.org/stable/c/e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14","https://git.kernel.org/stable/c/ecff54aa20b5b21db82e63e46066b55e43d72e78","https://git.kernel.org/stable/c/fed611bd8c7b76b070aa407d0c7558e20d9e1f68","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38348","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an 
eeprom_readback message with a large\n|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv->eeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;\n|\n|        if (priv->fw_var >= 0x509) {\n|                memcpy(priv->eeprom, eeprom->v2.data,\n|                       le16_to_cpu(eeprom->v2.len));\n|        } else {\n|                memcpy(priv->eeprom, eeprom->v1.data,\n|                       le16_to_cpu(eeprom->v1.len));\n|        }\n| [...]\n\nThe eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it's possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload >a< firmware. 
the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036","https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422","https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57","https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb","https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94","https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d","https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99","https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38335","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: gpio-keys - fix a sleep while atomic with PREEMPT_RT\n\nWhen enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in\nhard irq context, but the input_event() takes a spin_lock, which isn't\nallowed there as it is converted to a rt_spin_lock().\n\n[ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0\n...\n[ 4054.290195]  __might_resched+0x13c/0x1f4\n[ 4054.290209]  rt_spin_lock+0x54/0x11c\n[ 4054.290219]  input_event+0x48/0x80\n[ 4054.290230]  gpio_keys_irq_timer+0x4c/0x78\n[ 4054.290243]  __hrtimer_run_queues+0x1a4/0x438\n[ 4054.290257]  hrtimer_interrupt+0xe4/0x240\n[ 4054.290269]  
arch_timer_handler_phys+0x2c/0x44\n[ 4054.290283]  handle_percpu_devid_irq+0x8c/0x14c\n[ 4054.290297]  handle_irq_desc+0x40/0x58\n[ 4054.290307]  generic_handle_domain_irq+0x1c/0x28\n[ 4054.290316]  gic_handle_irq+0x44/0xcc\n\nConsidering the gpio_keys_irq_isr() can run in any context, e.g. it can\nbe threaded, it seems there's no point in requesting the timer isr to\nrun in hard irq context.\n\nRelax the hrtimer not to use the hard context.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07224,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/664e5a6f541ff226621487d1280d2ec28e86be28","https://git.kernel.org/stable/c/a7b79db25846459de63ca8974268f0c41c734c4b","https://git.kernel.org/stable/c/a8f01e51109f77229e426b57c5d19251b462c6aa","https://git.kernel.org/stable/c/ec8f5da79b425deef5aebacdd4fe645620cd4f0b","https://git.kernel.org/stable/c/f4a8f561d08e39f7833d4a278ebfb12a41eef15f","https://git.kernel.org/stable/c/fa53beab4740c4e5fe969f218a379f9558be33dc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38336","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330\n\nThe controller has a hardware bug that can hard hang the system when\ndoing ATAPI DMAs without any trace of what happened. Depending on the\ndevice attached, it can also prevent the system from booting.\n\nIn this case, the system hangs when reading the ATIP from optical media\nwith cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an\nOptiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4,\nrunning at UDMA/33.\n\nThe issue can be reproduced by running the same command with a cygwin\nbuild of cdrecord on WinXP, although it requires more attempts to cause\nit. 
The hang in that case is also resolved by forcing PIO. It doesn't\nappear that VIA has produced any drivers for that OS, thus no known\nworkaround exists.\n\nHDDs attached to the controller do not suffer from any DMA issues.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00031,"ranking_epss":0.08764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d9a48dfa934f43ac839211ae4aeba34f666a9a5","https://git.kernel.org/stable/c/67d66a5e4583fd3bcf13d6f747e571df13cbad51","https://git.kernel.org/stable/c/7fc89c218fc96a296a2840b1e37f4e0975f7a108","https://git.kernel.org/stable/c/8212cd92fe40aae6fe5a073bc70e758c42bb4bfc","https://git.kernel.org/stable/c/8edfed4439b107d62151ff6c075958d169da3e71","https://git.kernel.org/stable/c/947f9304d3c876c6672b947b80c0ef51161c6d2f","https://git.kernel.org/stable/c/bb7212ee4ff086628a2c1c22336d082a87cb893d","https://git.kernel.org/stable/c/d29fc02caad7f94b62d56ee1b01c954f9c961ba7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38337","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()\n\nSince handle->h_transaction may be a NULL pointer, so we should change it\nto call is_handle_aborted(handle) first before dereferencing it.\n\nAnd the following data-race was reported in my fuzzer:\n\n==================================================================\nBUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata\n\nwrite to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:\n jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode 
fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nread to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:\n jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nvalue changed: 0x00000000 -> 0x00000001\n==================================================================\n\nThis issue is caused by missing data-race annotation for jh->b_modified.\nTherefore, the missing annotation needs to be added.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0004,"ranking_epss":0.12088,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/23361b479f2700c00960d3ae9cdc8ededa762d47","https://git.kernel.org/stable/c/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a","https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e","https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5","https://git.kernel.org/stable/c/a377996d714afb8d4d5f4906336f78510039da29","https://git.kernel.org/stable/c/af98b0157adf6504fade79b3e6cb260c4ff68e37","https://git.kernel.org/stable/c/ec669e5bf409f16e464bfad75f0ba039a45de29a","https://git.kernel.org/stable/c/f78b38af3540b4875147b7b884ee11a27b3dbf4c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38328","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check 
jffs2_prealloc_raw_node_refs() result in a few other places\n\nFuzzing hit another invalid pointer dereference due to the lack of\nchecking whether jffs2_prealloc_raw_node_refs() completed successfully.\nSubsequent logic implies that the node refs have been allocated.\n\nHandle that. The code is ready for propagating the error upwards.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600\nCall Trace:\n jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]\n jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118\n jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253\n jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302\n generic_perform_write+0x2c2/0x500 mm/filemap.c:3347\n __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465\n generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497\n call_write_iter include/linux/fs.h:2039 [inline]\n do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740\n do_iter_write+0x18c/0x710 fs/read_write.c:866\n vfs_writev+0x1db/0x6a0 fs/read_write.c:939\n do_pwritev fs/read_write.c:1036 [inline]\n __do_sys_pwritev fs/read_write.c:1083 [inline]\n __se_sys_pwritev fs/read_write.c:1078 [inline]\n __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFound by Linux Verification Center (linuxtesting.org) with 
Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05513,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/042fa922c84b5080401bcd8897d4ac4919d15075","https://git.kernel.org/stable/c/2b6d96503255a3ed676cd70f8368870c6d6a25c6","https://git.kernel.org/stable/c/38d767fb4a7766ec2058f97787e4c6e8d10343d6","https://git.kernel.org/stable/c/7e860296d7808de1db175c1eda29f94a2955dcc4","https://git.kernel.org/stable/c/cd42ddddd70abc7127c12b96c8c85dbd080ea56f","https://git.kernel.org/stable/c/d1b81776f337a9b997f797c70ac0a26d838a2168","https://git.kernel.org/stable/c/d96e6451a8d0fe62492d4cc942d695772293c05a","https://git.kernel.org/stable/c/f41c625328777f9ad572901ba0b0065bb9c9c1da","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38331","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: cortina: Use TOE/TSO on all TCP\n\nIt is desirable to push the hardware accelerator to also\nprocess non-segmented TCP frames: we pass the skb->len\nto the \"TOE/TSO\" offloader and it will handle them.\n\nWithout this quirk the driver becomes unstable and locks\nup and crashes.\n\nI do not know exactly why, but it is probably due to the\nTOE (TCP offload engine) feature that is coupled with the\nsegmentation feature - it is not possible to turn one\npart off and not the other, either both TOE and TSO are\nactive, or neither of them.\n\nNot having the TOE part active seems detrimental, as if\nthat hardware feature is not really supposed to be turned\noff.\n\nThe datasheet says:\n\n  \"Based on packet parsing and TCP connection/NAT table\n   lookup results, the NetEngine puts the packets\n   belonging to the same TCP connection to the same queue\n   for 
the software to process. The NetEngine puts\n   incoming packets to the buffer or series of buffers\n   for a jumbo packet. With this hardware acceleration,\n   IP/TCP header parsing, checksum validation and\n   connection lookup are offloaded from the software\n   processing.\"\n\nAfter numerous tests with the hardware locking up after\nsomething between minutes and hours depending on load\nusing iperf3 I have concluded this is necessary to stabilize\nthe hardware.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b503b790109d19710ec83c589c3ee59e95347ec","https://git.kernel.org/stable/c/2bd434bb0eeb680c2b3dd6c68ca319b30cb8d47f","https://git.kernel.org/stable/c/6a07e3af4973402fa199a80036c10060b922c92c","https://git.kernel.org/stable/c/a37888a435b0737128d2d9c6f67b8d608f83df7a","https://git.kernel.org/stable/c/ebe12e232f1d58ebb4b53b6d9149962b707bed91","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38332","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Use memcpy() for BIOS version\n\nThe strlcat() with FORTIFY support is triggering a panic because it\nthinks the target buffer will overflow although the correct target\nbuffer size is passed in.\n\nAnyway, instead of memset() with 0 followed by a strlcat(), just use\nmemcpy() and ensure that the resulting buffer is NULL terminated.\n\nBIOSVersion is only used for the lpfc_printf_log() which expects a\nproperly terminated 
string.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/003baa7a1a152576d744bd655820449bbdb0248e","https://git.kernel.org/stable/c/2f63bf0d2b146956a2f2ff3b25cee71019e64561","https://git.kernel.org/stable/c/34c0a670556b24d36c9f8934227edb819ca5609e","https://git.kernel.org/stable/c/75ea8375c5a83f46c47bfb3de6217c7589a8df93","https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d","https://git.kernel.org/stable/c/ae82eaf4aeea060bb736c3e20c0568b67c701d7d","https://git.kernel.org/stable/c/b699bda5db818b684ff62d140defd6394f38f3d6","https://git.kernel.org/stable/c/d34f2384d6df11a6c67039b612c2437f46e587e8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38334","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Prevent attempts to reclaim poisoned pages\n\nTL;DR: SGX page reclaim touches the page to copy its contents to\nsecondary storage. SGX instructions do not gracefully handle machine\nchecks. Despite this, the existing SGX code will try to reclaim pages\nthat it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages.\n\nThe longer story:\n\nPages used by an enclave only get epc_page->poison set in\narch_memory_failure() but they currently stay on sgx_active_page_list until\nsgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched.\n\nepc_page->poison is not checked in the reclaimer logic meaning that, if other\nconditions are met, an attempt will be made to reclaim an EPC page that was\npoisoned.  This is bad because 1. we don't want that page to end up added\nto another enclave and 2. 
it is likely to cause one core to shut down\nand the kernel to panic.\n\nSpecifically, reclaiming uses microcode operations including \"EWB\" which\naccesses the EPC page contents to encrypt and write them out to non-SGX\nmemory.  Those operations cannot handle MCEs in their accesses other than\nby putting the executing core into a special shutdown state (affecting\nboth threads with HT.)  The kernel will subsequently panic on the\nremaining cores seeing the core didn't enter MCE handler(s) in time.\n\nCall sgx_unmark_page_reclaimable() to remove the affected EPC page from\nsgx_active_page_list on memory error to stop it being considered for\nreclaiming.\n\nTesting epc_page->poison in sgx_reclaim_pages() would also work but I assume\nit's better to add code in the less likely paths.\n\nThe affected EPC page is not added to &node->sgx_poison_page_list until\nlater in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd.\nMembership on other lists doesn't change to avoid changing any of the\nlists' semantics except for sgx_active_page_list.  
There's a \"TBD\" comment\nin arch_memory_failure() about pre-emptive actions, the goal here is not\nto address everything that it may imply.\n\nThis also doesn't completely close the time window when a memory error\nnotification will be fatal (for a not previously poisoned EPC page) --\nthe MCE can happen after sgx_reclaim_pages() has selected its candidates\nor even *inside* a microcode operation (actually easy to trigger due to\nthe amount of time spent in them.)\n\nThe spinlock in sgx_unmark_page_reclaimable() is safe because\nmemory_failure() runs in process context and no spinlocks are held,\nexplicitly noted in a mm/memory-failure.c comment.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06118,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00a88e9ea1b170d579c56327c38f7e8cf689df87","https://git.kernel.org/stable/c/31dcbac94bfeabb86bf85b0c36803fdd6536437b","https://git.kernel.org/stable/c/62b62a2a6dc51ed6e8e334861f04220c9cf8106a","https://git.kernel.org/stable/c/dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe","https://git.kernel.org/stable/c/ed16618c380c32c68c06186d0ccbb0d5e0586e59","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38322","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix crash in icl_update_topdown_event()\n\nThe perf_fuzzer found a hard-lockup crash on a RaptorLake machine:\n\n  Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000\n  CPU: 23 UID: 0 PID: 0 Comm: swapper/23\n  Tainted: [W]=WARN\n  Hardware name: Dell Inc. 
Precision 9660/0VJ762\n  RIP: 0010:native_read_pmc+0x7/0x40\n  Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...\n  RSP: 000:fffb03100273de8 EFLAGS: 00010046\n  ....\n  Call Trace:\n    <TASK>\n    icl_update_topdown_event+0x165/0x190\n    ? ktime_get+0x38/0xd0\n    intel_pmu_read_event+0xf9/0x210\n    __perf_event_read+0xf9/0x210\n\nCPUs 16-23 are E-core CPUs that don't support the perf metrics feature.\nThe icl_update_topdown_event() should not be invoked on these CPUs.\n\nIt's a regression of commit:\n\n  f9bdf1f95339 (\"perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read\")\n\nThe bug introduced by that commit is that the is_topdown_event() function\nis mistakenly used to replace the is_topdown_count() call to check if the\ntopdown functions for the perf metrics feature should be invoked.\n\nFix it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.09841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/702ea6028032d6c1fe96c2d4762a3575e3654819","https://git.kernel.org/stable/c/79e2dd573116d3338507c311460da9669095c94d","https://git.kernel.org/stable/c/a85cc69acdcb05f8cd226b8ea0778b8e2e887e6f","https://git.kernel.org/stable/c/b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed","https://git.kernel.org/stable/c/e97c45c770f5e56c784a46c2a96ab968d26b97d9","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38323","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: add lec_mutex\n\nsyzbot found its way in net/atm/lec.c, and found an error path\nin lecd_attach() could leave a dangling pointer in dev_lec[].\n\nAdd a mutex to protect dev_lecp[] uses from lecd_attach(),\nlec_vcc_attach() and lec_mcast_attach().\n\nFollowing patch will use this mutex for /proc/net/atm/lec.\n\nBUG: KASAN: 
slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]\nBUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\nRead of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142\n\nCPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:408 [inline]\n  print_report+0xcd/0x680 mm/kasan/report.c:521\n  kasan_report+0xe0/0x110 mm/kasan/report.c:634\n  lecd_attach net/atm/lec.c:751 [inline]\n  lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAllocated by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __do_kmalloc_node mm/slub.c:4328 [inline]\n  __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015\n  alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711\n  lecd_attach net/atm/lec.c:737 [inline]\n  lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  
__se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576\n  poison_slab_object mm/kasan/common.c:247 [inline]\n  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264\n  kasan_slab_free include/linux/kasan.h:233 [inline]\n  slab_free_hook mm/slub.c:2381 [inline]\n  slab_free mm/slub.c:4643 [inline]\n  kfree+0x2b4/0x4d0 mm/slub.c:4842\n  free_netdev+0x6c5/0x910 net/core/dev.c:11892\n  lecd_attach net/atm/lec.c:744 [inline]\n  lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 
fs/ioctl.c:893","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04741,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8","https://git.kernel.org/stable/c/18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a","https://git.kernel.org/stable/c/64b378db28a967f7b271b055380c2360279aa424","https://git.kernel.org/stable/c/a7a713dfb5f9477345450f27c7c0741864511192","https://git.kernel.org/stable/c/d13a3824bfd2b4774b671a75cf766a16637a0e67","https://git.kernel.org/stable/c/dffd03422ae6a459039c8602f410e6c0f4cbc6c8","https://git.kernel.org/stable/c/e91274cc7ed88ab5bdc62d426067c82b0b118a0b","https://git.kernel.org/stable/c/f4d80b16ecc4229f7e6345158ef34c36be323f0e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38324","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().\n\nAs syzbot reported [0], mpls_route_input_rcu() can be called\nfrom mpls_getroute(), where is under RTNL.\n\nnet->mpls.platform_label is only updated under RTNL.\n\nLet's use rcu_dereference_rtnl() in mpls_route_input_rcu() to\nsilence the splat.\n\n[0]:\nWARNING: suspicious RCU usage\n6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted\n ----------------------------\nnet/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.2.4451/17730:\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 17730 
Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865\n mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84\n mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381\n rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964\n netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmmsg+0x200/0x420 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0a2818e969\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969\nRDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268\n 
</TASK>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2919297b18e5a5fb7e643f9e32c12c0b17cce1be","https://git.kernel.org/stable/c/36af82f25fbdcd719eb947c15ea874bf80bcf229","https://git.kernel.org/stable/c/49b8a9d7d44401a186e20b1aaf591d2e62727aeb","https://git.kernel.org/stable/c/517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73","https://git.kernel.org/stable/c/6dbb0d97c5096072c78a6abffe393584e57ae945","https://git.kernel.org/stable/c/a060781640012d5d5105072f4c44ed6ad6830ef9","https://git.kernel.org/stable/c/d8cd847fb8626872631cc22d44be5127b4ebfb74","https://git.kernel.org/stable/c/f19cbd84e645e39bc3228e1191bb151ef0ffac8c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38326","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\naoe: clean device rq_list in aoedev_downdev()\n\nAn aoe device's rq_list contains accepted block requests that are\nwaiting to be transmitted to the aoe target. This queue was added as\npart of the conversion to blk_mq. However, the queue was not cleaned out\nwhen an aoe device is downed which caused blk_mq_freeze_queue() to sleep\nindefinitely waiting for those requests to complete, causing a hang. 
This\nfix cleans out the queue before calling blk_mq_freeze_queue().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00be74e1470af292c37a438b8e69dee47dcbf481","https://git.kernel.org/stable/c/531aef4a1accb13b21a3b82ec29955f4733367d5","https://git.kernel.org/stable/c/64fc0bad62ed38874131dd0337d844a43bd1017e","https://git.kernel.org/stable/c/7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca","https://git.kernel.org/stable/c/8662ac79a63488e279b91c12a72b02bc0dc49f7b","https://git.kernel.org/stable/c/ed52e9652ba41d362e9ec923077f6da23336f269","https://git.kernel.org/stable/c/ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca","https://git.kernel.org/stable/c/fa2a79f0da92614c5dc45c8b3d2638681c7734ee","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38320","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()\n\nKASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().\n\nCall Trace:\n[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550\n[   97.285732]\n[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11\n[   97.287032] Hardware name: linux,dummy-virt (DT)\n[   97.287815] Call trace:\n[   97.288279]  dump_backtrace+0xa0/0x128\n[   97.288946]  show_stack+0x20/0x38\n[   97.289551]  dump_stack_lvl+0x78/0xc8\n[   97.290203]  print_address_description.constprop.0+0x84/0x3c8\n[   97.291159]  print_report+0xb0/0x280\n[   97.291792]  kasan_report+0x84/0xd0\n[   97.292421]  __asan_load8+0x9c/0xc0\n[   97.293042]  
regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.293835]  process_fetch_insn+0x770/0xa30\n[   97.294562]  kprobe_trace_func+0x254/0x3b0\n[   97.295271]  kprobe_dispatcher+0x98/0xe0\n[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210\n[   97.296774]  call_break_hook+0xc4/0x100\n[   97.297451]  brk_handler+0x24/0x78\n[   97.298073]  do_debug_exception+0xac/0x178\n[   97.298785]  el1_dbg+0x70/0x90\n[   97.299344]  el1h_64_sync_handler+0xcc/0xe8\n[   97.300066]  el1h_64_sync+0x78/0x80\n[   97.300699]  kernel_clone+0x0/0x500\n[   97.301331]  __arm64_sys_clone+0x70/0x90\n[   97.302084]  invoke_syscall+0x68/0x198\n[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150\n[   97.303569]  do_el0_svc+0x38/0x50\n[   97.304164]  el0_svc+0x44/0x1d8\n[   97.304749]  el0t_64_sync_handler+0x100/0x130\n[   97.305500]  el0t_64_sync+0x188/0x190\n[   97.306151]\n[   97.306475] The buggy address belongs to stack of task 1.sh/2550\n[   97.307461]  and is located at offset 0 in frame:\n[   97.308257]  __se_sys_clone+0x0/0x138\n[   97.308910]\n[   97.309241] This frame has 1 object:\n[   97.309873]  [48, 184) 'args'\n[   97.309876]\n[   97.310749] The buggy address belongs to the virtual mapping at\n[   97.310749]  [ffff800089270000, ffff800089279000) created by:\n[   97.310749]  dup_task_struct+0xc0/0x2e8\n[   97.313347]\n[   97.313674] The buggy address belongs to the physical page:\n[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a\n[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)\n[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000\n[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[   97.319445] page dumped because: kasan: bad access detected\n[   97.320371]\n[   97.320694] Memory state around the buggy address:\n[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00\n[   97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00\n[   97.325023]                          ^\n[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3\n[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\nThis issue seems to be related to the behavior of some gcc compilers and\nwas also fixed on the s390 architecture before:\n\n commit d93a855c31b7 (\"s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()\")\n\nAs described in that commit, regs_get_kernel_stack_nth() has confirmed that\n`addr` is on the stack, so reading the value at `*addr` should be allowed.\nUse READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.\n\n[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00023,"ranking_epss":0.06012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f91d415a8375d85e0c7d3615cd4a168308bb7c","https://git.kernel.org/stable/c/21da6d3561f373898349ca7167c9811c020da695","https://git.kernel.org/stable/c/22f935bc86bdfbde04009f05eee191d220cd8c89","https://git.kernel.org/stable/c/39dfc971e42d886e7df01371cd1bef505076d84c","https://git.kernel.org/stable/c/422e565b7889ebfd9c8705a3fc786642afe61fca","https://git.kernel.org/stable/c/64773b3ea09235168a549a195cba43bb867c4a17","https://git.kernel.org/stable/c/67abac27d806e8f9d4226ec1528540cf73af673a","https://git.kernel.org/stable/c/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T09:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38312","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: core: fbcvt: avoid division by 0 in 
fb_cvt_hperiod()\n\nIn fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,\ncvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's\nthen passed to fb_cvt_hperiod(), where it's used as a divider -- division\nby 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to\navoid such overflow...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00031,"ranking_epss":0.08764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d63433e8eaa3c91b2948190e395bc67009db0d9","https://git.kernel.org/stable/c/3f6dae09fc8c306eb70fdfef70726e1f154e173a","https://git.kernel.org/stable/c/53784073cbad18f75583fd3da9ffdfc4d1f05405","https://git.kernel.org/stable/c/54947530663edcbaaee1314c01fdd8c72861b124","https://git.kernel.org/stable/c/610f247f2772e4f92b63442125a1b7ade79898d8","https://git.kernel.org/stable/c/9027ce4c037b566b658b8939a76326b7125e3627","https://git.kernel.org/stable/c/ab91647acdf43b984824776559a452212eaeb21a","https://git.kernel.org/stable/c/b235393b9f43ff86a38ca2bde6372312ea215dc5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38313","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix double-free on mc_dev\n\nThe blamed commit tried to simplify how the deallocations are done but,\nin the process, introduced a double-free on the mc_dev variable.\n\nIn case the MC device is a DPRC, a new mc_bus is allocated and the\nmc_dev variable is just a reference to one of its fields. 
In this\ncircumstance, on the error path only the mc_bus should be freed.\n\nThis commit introduces back the following checkpatch warning which is a\nfalse-positive.\n\nWARNING: kfree(NULL) is safe and this check is probably not required\n+       if (mc_bus)\n+               kfree(mc_bus);","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12e4431e5078847791936820bd39df9e1ee26d2e","https://git.kernel.org/stable/c/1d5baab39e5b09a76870b345cdee7933871b881f","https://git.kernel.org/stable/c/3135e03a92f6b5259d0a7f25f728e9e7866ede3f","https://git.kernel.org/stable/c/4b23c46eb2d88924b93aca647bde9a4b9cf62cf9","https://git.kernel.org/stable/c/7002b954c4a8b9965ba0f139812ee4a6f71beac8","https://git.kernel.org/stable/c/873d47114fd5e5a1cad2018843671537cc71ac84","https://git.kernel.org/stable/c/b2057374f326303c86d8423415ab58656eebc695","https://git.kernel.org/stable/c/d694bf8a9acdbd061596f3e7549bc8cb70750a60","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38319","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table\n\nThe function atomctrl_initialize_mc_reg_table() and\natomctrl_initialize_mc_reg_table_v2_2() does not check the return\nvalue of smu_atom_get_data_table(). 
If smu_atom_get_data_table()\nfails to retrieve vram_info, it returns NULL which is later\ndereferenced.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/64f3acc8c7e6809631457b75638601b36dea3129","https://git.kernel.org/stable/c/7080c20a9139842033ed4af604dc1fa4028593ad","https://git.kernel.org/stable/c/820116a39f96bdc7d426c33a804b52f53700a919","https://git.kernel.org/stable/c/85cdcb834fb490731ff2d123f87ca799c57dacf2","https://git.kernel.org/stable/c/a4ff7391c8b75b1541900bd9d0c238e558c11fb3","https://git.kernel.org/stable/c/cdf7e1ff99ab06ef15d0b5d1aca5258a4fb62b85","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38304","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix NULL pointer deference on eir_get_service_data\n\nThe len parameter is considered optional so it can be NULL so it cannot\nbe used for skipping to next entry of EIR_SERVICE_DATA.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb","https://git.kernel.org/stable/c/497c9d2d7d3983826bb02c10fb4a5818be6550fb","https://git.kernel.org/stable/c/4bf29910570666e668a60d953f8da78e95bb7fa2","https://git.kernel.org/stable/c/7d99cc0f8e6fa0f35570887899f178122a61d44e","https://git.kernel.org/stable/c/842f7c3154d5b25ca11753c02ee8cf6ee64c0142","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38305","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()\n\nThere is no disagreement that we should check both ptp->is_virtual_clock\nand ptp->n_vclocks to check if the ptp virtual clock is in use.\n\nHowever, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in\nptp_vclock_in_use(), we observe a recursive lock in the call trace\nstarting from n_vclocks_store().\n\n============================================\nWARNING: possible recursive locking detected\n6.15.0-rc6 #1 Not tainted\n--------------------------------------------\nsyz.0.1540/13807 is trying to acquire lock:\nffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]\nffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415\n\nbut task is already holding lock:\nffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&ptp->n_vclocks_mux);\n  lock(&ptp->n_vclocks_mux);\n\n *** DEADLOCK ***\n....\n============================================\n\nThe best way to solve this is to remove the logic that checks\nptp->n_vclocks in ptp_vclock_in_use().\n\nThe reason why this is appropriate is that any path that uses\nptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater\nthan 0 before unregistering vclocks, and all functions are already\nwritten this way. 
And in the function that uses ptp->n_vclocks, we\nalready get ptp->n_vclocks_mux before unregistering vclocks.\n\nTherefore, we need to remove the redundant check for ptp->n_vclocks in\nptp_vclock_in_use() to prevent recursive locking.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00028,"ranking_epss":0.07866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1","https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4","https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2","https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663","https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3","https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38310","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: Fix validation of nexthop addresses\n\nThe kernel currently validates that the length of the provided nexthop\naddress does not exceed the specified length. 
This can lead to the\nkernel reading uninitialized memory if user space provided a shorter\nlength than the specified one.\n\nFix by validating that the provided length exactly matches the specified\none.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/668923c474608dd9ebce0fbcc41bd8a27aa73dd6","https://git.kernel.org/stable/c/7632fedb266d93ed0ed9f487133e6c6314a9b2d1","https://git.kernel.org/stable/c/cd4cd09810211fa23609c5c1018352e9e1cd8e5a","https://git.kernel.org/stable/c/cef33a86bcb04ecf4dc10c56f6c42ee9d1c54bac","https://git.kernel.org/stable/c/d2507aeea45b3c5aa24d5daae0cf3db76895c0b7","https://git.kernel.org/stable/c/d5d9fd13bc19a3f9f2a951c5b6e934d84205789e","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38298","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/skx_common: Fix general protection fault\n\nAfter loading i10nm_edac (which automatically loads skx_edac_common), if\nunload only i10nm_edac, then reload it and perform error injection testing,\na general protection fault may occur:\n\n  mce: [Hardware Error]: Machine check events logged\n  Oops: general protection fault ...\n  ...\n  Workqueue: events mce_gen_pool_process\n  RIP: 0010:string+0x53/0xe0\n  ...\n  Call Trace:\n  <TASK>\n  ? die_addr+0x37/0x90\n  ? exc_general_protection+0x1e7/0x3f0\n  ? asm_exc_general_protection+0x26/0x30\n  ? 
string+0x53/0xe0\n  vsnprintf+0x23e/0x4c0\n  snprintf+0x4d/0x70\n  skx_adxl_decode+0x16a/0x330 [skx_edac_common]\n  skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]\n  skx_mce_check_error+0x17/0x20 [skx_edac_common]\n  ...\n\nThe issue arose was because the variable 'adxl_component_count' (inside\nskx_edac_common), which counts the ADXL components, was not reset. During\nthe reloading of i10nm_edac, the count was incremented by the actual number\nof ADXL components again, resulting in a count that was double the real\nnumber of ADXL components. This led to an out-of-bounds reference to the\nADXL component array, causing the general protection fault above.\n\nFix this issue by resetting the 'adxl_component_count' in adxl_put(),\nwhich is called during the unloading of {skx,i10nm}_edac.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00027,"ranking_epss":0.07684,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20d2d476b3ae18041be423671a8637ed5ffd6958","https://git.kernel.org/stable/c/31ef6f7c9aee3be78d63789653e92350f2537f93","https://git.kernel.org/stable/c/3f5d0659000923735350da60ad710f8c804544fe","https://git.kernel.org/stable/c/80bf28fd623d97dd4f4825fbbe9d736cec2afba3","https://git.kernel.org/stable/c/a13e8343ffcff27af1ff79597ff7ba241e6d9471","https://git.kernel.org/stable/c/a6ed3a6edff09c1187cc6ade7f5967bca2376a13","https://git.kernel.org/stable/c/bf6a8502a5f4ff6e4d135d795945cdade49ec8b0","https://git.kernel.org/stable/c/e8530ed3c0769a4d8f79c212715ec1cf277787f8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38300","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()\n\nFix two DMA 
cleanup issues on the error path in sun8i_ce_cipher_prepare():\n\n1] If dma_map_sg() fails for areq->dst, the device driver would try to free\n   DMA memory it has not allocated in the first place. To fix this, on the\n   \"theend_sgs\" error path, call dma unmap only if the corresponding dma\n   map was successful.\n\n2] If the dma_map_single() call for the IV fails, the device driver would\n   try to free an invalid DMA memory address on the \"theend_iv\" path:\n   ------------[ cut here ]------------\n   DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address\n   WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90\n   Modules linked in: skcipher_example(O+)\n   CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O        6.15.0-rc3+ #24 PREEMPT\n   Tainted: [O]=OOT_MODULE\n   Hardware name: OrangePi Zero2 (DT)\n   pc : check_unmap+0x123c/0x1b90\n   lr : check_unmap+0x123c/0x1b90\n   ...\n   Call trace:\n    check_unmap+0x123c/0x1b90 (P)\n    debug_dma_unmap_page+0xac/0xc0\n    dma_unmap_page_attrs+0x1f4/0x5fc\n    sun8i_ce_cipher_do_one+0x1bd4/0x1f40\n    crypto_pump_work+0x334/0x6e0\n    kthread_worker_fn+0x21c/0x438\n    kthread+0x374/0x664\n    ret_from_fork+0x10/0x20\n   ---[ end trace 0000000000000000 ]---\n\nTo fix this, check for !dma_mapping_error() before calling\ndma_unmap_single() on the \"theend_iv\" 
path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19d267d9fad00d94ad8477899e38ed7c11f33fb6","https://git.kernel.org/stable/c/4051250e5db489f8ad65fc337e2677b9b568ac72","https://git.kernel.org/stable/c/a0ac3f85b2e3ef529e852f252a70311f9029d5e6","https://git.kernel.org/stable/c/c62b79c1c51303dbcb6edfa4de0ee176f4934c52","https://git.kernel.org/stable/c/f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38286","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91: Fix possible out-of-boundary access\n\nat91_gpio_probe() doesn't check that given OF alias is not available or\nsomething went wrong when trying to get it. This might have consequences\nwhen accessing gpio_chips array with that value as an index. 
Note, that\nBUG() can be compiled out and hence won't actually perform the required\nchecks.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00024,"ranking_epss":0.06546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/264a5cf0c422e65c94447a1ebebfac7c92690670","https://git.kernel.org/stable/c/288c39286f759314ee8fb3a80a858179b4f306da","https://git.kernel.org/stable/c/2ecafe59668d2506a68459a9d169ebe41a147a41","https://git.kernel.org/stable/c/762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1","https://git.kernel.org/stable/c/db5665cbfd766db7d8cd0e5fd6e3c0b412916774","https://git.kernel.org/stable/c/e02e12d6a7ab76c83849a4122785650dc7edef65","https://git.kernel.org/stable/c/eb435bc4c74acbb286cec773deac13d117d3ef39","https://git.kernel.org/stable/c/f1c1fdc41fbf7e308ced9c86f3f66345a3f6f478","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38293","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix node corruption in ar->arvifs list\n\nIn current WLAN recovery code flow, ath11k_core_halt() only\nreinitializes the \"arvifs\" list head. This will cause the\nlist node immediately following the list head to become an\ninvalid list node. Because the prev of that node still points\nto the list head \"arvifs\", but the next of the list head \"arvifs\"\nno longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif\nremoval, and it happens before the spin_lock_bh(&ar->data_lock)\nin ath11k_mac_op_remove_interface(), list_del() will detect the\npreviously mentioned situation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the\nlist head \"arvifs\" during WLAN halt. 
The reinitialization is to make\nthe list nodes valid, ensuring that the list_del() in\nath11k_mac_op_remove_interface() can execute normally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xb8/0xd0\nath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]\ndrv_remove_interface+0x48/0x194 [mac80211]\nieee80211_do_stop+0x6e0/0x844 [mac80211]\nieee80211_stop+0x44/0x17c [mac80211]\n__dev_close_many+0xac/0x150\n__dev_change_flags+0x194/0x234\ndev_change_flags+0x24/0x6c\ndevinet_ioctl+0x3a0/0x670\ninet_ioctl+0x200/0x248\nsock_do_ioctl+0x60/0x118\nsock_ioctl+0x274/0x35c\n__arm64_sys_ioctl+0xac/0xf0\ninvoke_syscall+0x48/0x114\n...\n\nTested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00037,"ranking_epss":0.11056,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31e98e277ae47f56632e4d663b1d4fd12ba33ea8","https://git.kernel.org/stable/c/6c139015b597e570dd5962934e9f9a2f4cc8ef48","https://git.kernel.org/stable/c/6d6cb27fe146061f2512e904618f5e005bb7bb6a","https://git.kernel.org/stable/c/b0974ed82e6ad5ff246fd90a5b14f3e7be4f2924","https://git.kernel.org/stable/c/f50ba7e7b607f2d00618799312e7fdb76a1ff48e","https://git.kernel.org/stable/c/f5d77d0d41ea7a204d47288d0cf0404a52b5890e","https://git.kernel.org/stable/c/f9507cf2dd0e1ed5028c0e8240da6fe5fd3110d3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38277","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: nand: ecc-mxic: Fix use of uninitialized variable ret\n\nIf ctx->steps is zero, the loop processing ECC steps is skipped,\nand the variable ret remains uninitialized. 
It is later checked\nand returned, which leads to undefined behavior and may cause\nunpredictable results in user space or kernel crashes.\n\nThis scenario can be triggered in edge cases such as misconfigured\ngeometry, ECC engine misuse, or if ctx->steps is not validated\nafter initialization.\n\nInitialize ret to zero before the loop to ensure correct and safe\nbehavior regardless of the ctx->steps value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/49482f4a39620f6afedcd3f6aa9e0d558b6a460b","https://git.kernel.org/stable/c/4d9d6e4be09472aa72953caca3dbefdc27846170","https://git.kernel.org/stable/c/7a23cc510ecaabab4f6df7e9d910d16e279b72ad","https://git.kernel.org/stable/c/a0d9d9b5a4634e146ae41cb25667322e5c7d74d2","https://git.kernel.org/stable/c/d95846350aac72303036a70c4cdc69ae314aa26d","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38280","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid __bpf_prog_ret0_warn when jit fails\n\nsyzkaller reported an issue:\n\nWARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357\nModules linked in:\nCPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39\nRIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357\nCall Trace:\n <TASK>\n bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]\n __bpf_prog_run include/linux/filter.h:718 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105\n ...\n\nWhen creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.\nThis issue is 
triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set\nand bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,\nbut jit failed due to FAULT_INJECTION. As a result, incorrectly\ntreats the program as valid, when the program runs it calls\n`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b9bb52796b239de6792d0d68cdc6eb505ebff96","https://git.kernel.org/stable/c/2bc6dffb4b72d53d6a6ada510269bf548c3f7ae0","https://git.kernel.org/stable/c/6f639c25bfad17d9fd7379ab91ff9678ea9aac85","https://git.kernel.org/stable/c/86bc9c742426a16b52a10ef61f5b721aecca2344","https://git.kernel.org/stable/c/e7fb4ebee6e900899d2b2e5852c3e2eafcbcad66","https://git.kernel.org/stable/c/ef92b96530d1731d9ac167bc7c193c683cd78fff","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38282","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Relax constraint in draining guard\n\nThe active reference lifecycle provides the break/unbreak mechanism but\nthe active reference is not truly active after unbreak -- callers don't\nuse it afterwards but it's important for proper pairing of kn->active\ncounting. 
Assuming this mechanism is in place, the WARN check in\nkernfs_should_drain_open_files() is too sensitive -- it may transiently\ncatch those (rightful) callers between\nkernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen\nRidong:\n\n\tkernfs_remove_by_name_ns\tkernfs_get_active // active=1\n\t__kernfs_remove\t\t\t\t\t  // active=0x80000002\n\tkernfs_drain\t\t\t...\n\twait_event\n\t//waiting (active == 0x80000001)\n\t\t\t\t\tkernfs_break_active_protection\n\t\t\t\t\t// active = 0x80000001\n\t// continue\n\t\t\t\t\tkernfs_unbreak_active_protection\n\t\t\t\t\t// active = 0x80000002\n\t...\n\tkernfs_should_drain_open_files\n\t// warning occurs\n\t\t\t\t\tkernfs_put_active\n\nTo avoid the false positives (mind panic_on_warn) remove the check altogether.\n(This is meant as quick fix, I think active reference break/unbreak may be\nsimplified with larger rework.)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/071d8e4c2a3b0999a9b822e2eb8854784a350f8a","https://git.kernel.org/stable/c/2d6a67c2b3b87808a347dc1047b520a9dd177a4f","https://git.kernel.org/stable/c/6bfb154f95d5f0ab7ed056f23aba8c1a94cb3927","https://git.kernel.org/stable/c/6c81f1c7812c61f187bed1b938f1d2e391d503ab","https://git.kernel.org/stable/c/72275c888f8962b406ee9c6885c79bf68cca5a63","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38285","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix WARN() in get_bpf_raw_tp_regs\n\nsyzkaller reported an issue:\n\nWARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nModules linked in:\nCPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 
6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nRSP: 0018:ffffc90003636fa8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c\nRDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005\nRBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003\nR10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004\nR13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900\nFS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]\n bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]\n __bpf_prog_run include/linux/filter.h:718 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]\n bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405\n __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47\n __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47\n __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]\n trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]\n __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35\n __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]\n mmap_read_trylock include/linux/mmap_lock.h:204 [inline]\n stack_map_get_build_id_offset+0x535/0x6f0 
kernel/bpf/stackmap.c:157\n __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483\n ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]\n bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]\n bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n\nTracepoint like trace_mmap_lock_acquire_returned may cause nested call\nas the corner case show above, which will be resolved with more general\nmethod in the future. As a result, WARN_ON_ONCE will be triggered. As\nAlexei suggested, remove the WARN_ON_ONCE first.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.09937,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/147ea936fc6fa8fe0c93f0df918803a5375ca535","https://git.kernel.org/stable/c/18e8cbbae79cb35bdce8a01c889827b9799c762e","https://git.kernel.org/stable/c/3880cdbed1c4607e378f58fa924c5d6df900d1d3","https://git.kernel.org/stable/c/44ebe361abb322d2afd77930fa767a99f271c4d1","https://git.kernel.org/stable/c/6d8f39875a10a194051c3eaefebc7ac06a34aaf3","https://git.kernel.org/stable/c/c98cdf6795a36bca163ebb40411fef1687b9eb13","https://git.kernel.org/stable/c/e167414beabb1e941fe563a96becc98627d5bdf6","https://git.kernel.org/stable/c/ee90be48edb3dac612e0b7f5332482a9e8be2696","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38273","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tipc: fix refcount warning in tipc_aead_encrypt\n\nsyzbot reported a refcount warning [1] caused by calling get_net() on\na network namespace that is being destroyed (refcount=0). 
This happens\nwhen a TIPC discovery timer fires during network namespace cleanup.\n\nThe recently added get_net() call in commit e279024617134 (\"net/tipc:\nfix slab-use-after-free Read in tipc_aead_encrypt_done\") attempts to\nhold a reference to the network namespace. However, if the namespace\nis already being destroyed, its refcount might be zero, leading to the\nuse-after-free warning.\n\nReplace get_net() with maybe_get_net(), which safely checks if the\nrefcount is non-zero before incrementing it. If the namespace is being\ndestroyed, return -ENODEV early, after releasing the bearer reference.\n\n[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0004,"ranking_epss":0.12088,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f","https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d","https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f","https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9","https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6","https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029","https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38275","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug\n\nThe qmp_usb_iomap() helper function currently returns the raw result of\ndevm_ioremap() for non-exclusive mappings. 
Since devm_ioremap() may return\na NULL pointer and the caller only checks error pointers with IS_ERR(),\nNULL could bypass the check and lead to an invalid dereference.\n\nFix the issue by checking if devm_ioremap() returns NULL. When it does,\nqmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),\nensuring safe and consistent error handling.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b979a409e40457ca1b5cb48755d1f34eee58805","https://git.kernel.org/stable/c/0c33117f00c8c5363c22676931b22ae5041f7603","https://git.kernel.org/stable/c/127dfb4f1c5a2b622039c5d203f321380ea36665","https://git.kernel.org/stable/c/5072c1749197fc28b27d7efc0d80320d7cac9572","https://git.kernel.org/stable/c/d14402a38c2d868cacb1facaf9be908ca6558e59","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-10T08:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38259","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd9335: Fix missing free of regulator supplies\n\nDriver gets and enables all regulator supplies in probe path\n(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup\nin final error paths and in unbind (missing remove() callback).  
This\nleads to leaked memory and unbalanced regulator enable count during\nprobe errors or unbind.\n\nFix this by converting entire code into devm_regulator_bulk_get_enable()\nwhich also greatly simplifies the code.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9079db287fc3e38e040b0edeb0a25770bb679c8e","https://git.kernel.org/stable/c/9830ef1803a5bc50b4a984a06cf23142cd46229d","https://git.kernel.org/stable/c/a8795f3cd289cd958f6396a1b43ba46fa8e22a2e","https://git.kernel.org/stable/c/b86280aaa23c1c0f31bcaa600d35ddc45bc38b7a","https://git.kernel.org/stable/c/edadaf4239c14dc8a19ea7f60b97d5524d93c29b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38260","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 
0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process 'repro' launched './file2' with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G           OE       6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n  <TASK>\n  btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n  btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n  submit_one_bio+0xde/0x160 [btrfs]\n  btrfs_readahead+0x498/0x6a0 [btrfs]\n  read_pages+0x1c3/0xb20\n  page_cache_ra_order+0x4b5/0xc20\n  filemap_get_pages+0x2d3/0x19e0\n  filemap_read+0x314/0xde0\n  __kernel_read+0x35b/0x900\n  bprm_execve+0x62e/0x1140\n  do_execveat_common.isra.0+0x3fc/0x520\n  __x64_sys_execveat+0xdc/0x130\n  do_syscall_64+0x54/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded 
*/\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00028,"ranking_epss":0.07866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3f5c4a996f8f4fecd24a3eb344a307c50af895c2","https://git.kernel.org/stable/c/547e836661554dcfa15c212a3821664e85b4191a","https://git.kernel.org/stable/c/bbe9231fe611a54a447962494472f604419bad59","https://git.kernel.org/stable/c/f8ce11903211542a61f05c02caedd2edfb4256b8","https://git.kernel.org/stable/c/fc97a116dc4929905538bc0bd3af7faa51192957","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38262","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: uartlite: register uart driver in init\n\nWhen two instances of uart devices are probing, a concurrency race can\noccur. If one thread calls uart_register_driver function, which first\nallocates and assigns memory to 'uart_state' member of uart_driver\nstructure, the other instance can bypass uart driver registration and\ncall ulite_assign. 
This calls uart_add_one_port, which expects the uart\ndriver to be fully initialized. This leads to a kernel panic due to a\nnull pointer dereference:\n\n[    8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8\n[    8.156982] #PF: supervisor write access in kernel mode\n[    8.156984] #PF: error_code(0x0002) - not-present page\n[    8.156986] PGD 0 P4D 0\n...\n[    8.180668] RIP: 0010:mutex_lock+0x19/0x30\n[    8.188624] Call Trace:\n[    8.188629]  ? __die_body.cold+0x1a/0x1f\n[    8.195260]  ? page_fault_oops+0x15c/0x290\n[    8.209183]  ? __irq_resolve_mapping+0x47/0x80\n[    8.209187]  ? exc_page_fault+0x64/0x140\n[    8.209190]  ? asm_exc_page_fault+0x22/0x30\n[    8.209196]  ? mutex_lock+0x19/0x30\n[    8.223116]  uart_add_one_port+0x60/0x440\n[    8.223122]  ? proc_tty_register_driver+0x43/0x50\n[    8.223126]  ? tty_register_driver+0x1ca/0x1e0\n[    8.246250]  ulite_probe+0x357/0x4b0 [uartlite]\n\nTo prevent it, move uart driver registration in to init function. 
This\nwill ensure that uart_driver is always registered when probe function\nis called.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00018,"ranking_epss":0.04638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5015eed450005bab6e5cb6810f7a62eab0434fc4","https://git.kernel.org/stable/c/685d29f2c5057b32c7b1b46f2a7d303b926c8f72","https://git.kernel.org/stable/c/6bd697b5fc39fd24e2aa418c7b7d14469f550a93","https://git.kernel.org/stable/c/6db06aaea07bb7c8e33a425cf7b98bf29ee6056e","https://git.kernel.org/stable/c/8e958d10dd0ce5ae674cce460db5c9ca3f25243b","https://git.kernel.org/stable/c/9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87","https://git.kernel.org/stable/c/f5e4229d94792b40e750f30c92bcf7a3107c72ef","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38263","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n   bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n   register_cache_set().\n3. 
register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860         if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861             mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||\n 1862             mempool_init_kmalloc_pool(&c->bio_meta, 2,\n 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864                                 bucket_pages(c)) ||\n 1865             mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||\n 1866             bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),\n 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868             !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869             !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870                                                 WQ_MEM_RECLAIM, 0)) ||\n 1871             bch_journal_alloc(c) ||\n 1872             bch_btree_cache_alloc(c) ||\n 1873             bch_open_buckets_alloc(c) ||\n 1874             bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))\n 1875                 goto err;\n                      ^^^^^^^^\n 1876\n ...\n 1883         return c;\n 1884 err:\n 1885         bch_cache_set_unregister(c);\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886         return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098         c = bch_cache_set_alloc(&ca->sb);\n 2099         if (!c)\n 2100                 return err;\n                      ^^^^^^^^^^\n ...\n 2128         ca->set = c;\n 2129         ca->set->cache[ca->sb.nr_this_dev] = ca;\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138         return NULL;\n 2139 err:\n 2140         bch_cache_set_unregister(c);\n 2141         return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and\n    
call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n    value to c->cache[], it means that c->cache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---> bch_cache_set_stop()\n     ---> closure_queue()\n          -.-> cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654         for_each_cache(ca, c, i)\n 1655                 if (ca->alloc_thread)\n                          ^^\n 1656                         kthread_stop(ca->alloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n    kernel crash occurred as below:\n[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[  846.713242] bcache: register_bcache() error : failed to register device\n[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[  846.714790] PGD 0 P4D 0\n[  846.715129] Oops: 0000 [#1] SMP PTI\n[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[  846.716451] Workqueue: events cache_set_flush [bcache]\n[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 
0\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e","https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b","https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8","https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb","https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333","https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd","https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38249","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()\n\nIn snd_usb_get_audioformat_uac3(), the length value returned from\nsnd_usb_ctl_msg() is used directly for memory allocation without\nvalidation. This length is controlled by the USB device.\n\nThe allocated buffer is cast to a uac3_cluster_header_descriptor\nand its fields are accessed without verifying that the buffer\nis large enough. 
If the device returns a smaller than expected\nlength, this leads to an out-of-bounds read.\n\nAdd a length check to ensure the buffer is large enough for\nuac3_cluster_header_descriptor.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00023,"ranking_epss":0.06012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ee87c2814deb5e42921281116ac3abcb326880b","https://git.kernel.org/stable/c/11e740dc1a2c8590eb7074b5c4ab921bb6224c36","https://git.kernel.org/stable/c/24ff7d465c4284529bbfa207757bffb6f44b6403","https://git.kernel.org/stable/c/2dc1c3edf67abd30c757f8054a5da61927cdda21","https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d7da35c374c7b401","https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9ed96cd916ba0d5d8","https://git.kernel.org/stable/c/c3fb926abe90d86f5e3055e0035f04d9892a118b","https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38251","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: prevent NULL deref in clip_push()\n\nBlamed commit missed that vcc_destroy_socket() calls\nclip_push() with a NULL skb.\n\nIf clip_devs is NULL, clip_push() then crashes when 
reading\nskb->truesize.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3c709dce16999bf6a1d2ce377deb5dd6fdd8cb08","https://git.kernel.org/stable/c/41f6420ee845006354c004839fed07da71e34aee","https://git.kernel.org/stable/c/88c88f91f4b3563956bb52e7a71a3640f7ece157","https://git.kernel.org/stable/c/9199e8cb75f13a1650adcb3c6cad42789c43884e","https://git.kernel.org/stable/c/a07005a77b18ae59b8471e7e4d991fa9f642b3c2","https://git.kernel.org/stable/c/b993ea46b3b601915ceaaf3c802adf11e7d6bac6","https://git.kernel.org/stable/c/ede31ad949ae0d03cb4c5edd79991586ad7c8bb8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38257","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Prevent overflow in size calculation for memdup_user()\n\nNumber of apqn target list entries contained in 'nr_apqns' variable is\ndetermined by userspace via an ioctl call so the result of the product in\ncalculation of size passed to memdup_user() may overflow.\n\nIn this case the actual size of the allocated area and the value\ndescribing it won't be in sync leading to various types of unpredictable\nbehaviour later.\n\nUse a proper memdup_array_user() helper which returns an error if an\noverflow is detected. 
Note that it is different from when nr_apqns is\ninitially zero - that case is considered valid and should be handled in\nsubsequent pkey_handler implementations.\n\nFound by Linux Verification Center (linuxtesting.org).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/73483ca7e07a5e39bdf612eec9d3d293e8bef649","https://git.kernel.org/stable/c/7360ee47599af91a1d5f4e74d635d9408a54e489","https://git.kernel.org/stable/c/88f3869649edbc4a13f6c2877091f81cd5a50f05","https://git.kernel.org/stable/c/ad1bdd24a02d5a8d119af8e4cd50933780a6d29f","https://git.kernel.org/stable/c/f855b119e62b004a5044ed565f2a2b368c4d3f16","https://git.kernel.org/stable/c/faa1ab4a23c42e34dc000ef4977b751d94d5148c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38245","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n\nsyzbot reported a warning below during atm_dev_register(). [0]\n\nBefore creating a new device and procfs/sysfs for it, atm_dev_register()\nlooks up a duplicated device by __atm_dev_lookup().  
These operations are\ndone under atm_dev_mutex.\n\nHowever, when removing a device in atm_dev_deregister(), it releases the\nmutex just after removing the device from the list that __atm_dev_lookup()\niterates over.\n\nSo, there will be a small race window where the device does not exist on\nthe device list but procfs/sysfs are still not removed, triggering the\nsplat.\n\nLet's hold the mutex until procfs/sysfs are removed in\natm_dev_deregister().\n\n[0]:\nproc_dir_entry 'atm/atmtcp:0' already registered\nWARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377\nModules linked in:\nCPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nRIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377\nCode: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48\nRSP: 0018:ffffc9000466fa30 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248\nRDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001\nRBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140\nR13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444\nFS:  00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n proc_create_data+0xbe/0x110 fs/proc/generic.c:585\n atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361\n atm_dev_register+0x46d/0x890 net/atm/resources.c:113\n 
atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369\n atmtcp_attach drivers/atm/atmtcp.c:403 [inline]\n atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464\n do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n sock_do_ioctl+0x115/0x280 net/socket.c:1190\n sock_ioctl+0x227/0x6b0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f38b3b74459\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459\nRDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005\nRBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac\nR13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b\n 
</TASK>","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04338,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26248d5d68c865b888d632162abbf8130645622c","https://git.kernel.org/stable/c/2a8dcee649d12f69713f2589171a1caf6d4fa439","https://git.kernel.org/stable/c/4bb1bb438134d9ee6b97cc07289dd7c569092eec","https://git.kernel.org/stable/c/6922f1a048c090f10704bbef4a3a1e81932d2e0a","https://git.kernel.org/stable/c/a433791aeaea6e84df709e0b9584b9bbe040cd1c","https://git.kernel.org/stable/c/ae539d963a17443ec54cba8a767e4ffa318264f4","https://git.kernel.org/stable/c/b2e40fcfe1575faaa548f87614006d3fe44c779e","https://git.kernel.org/stable/c/cabed6ba92a9a8c09da02a3f20e32ecd80989896","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38239","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix invalid node index\n\nOn a system with DRAM interleave enabled, out-of-bound access is\ndetected:\n\nmegaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask *[1024]'\ndump_stack_lvl+0x5d/0x80\nubsan_epilogue+0x5/0x2b\n__ubsan_handle_out_of_bounds.cold+0x46/0x4b\nmegasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]\nmegasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]\nlocal_pci_probe+0x42/0x90\npci_device_probe+0xdc/0x290\nreally_probe+0xdb/0x340\n__driver_probe_device+0x78/0x110\ndriver_probe_device+0x1f/0xa0\n__driver_attach+0xba/0x1c0\nbus_for_each_dev+0x8b/0xe0\nbus_add_driver+0x142/0x220\ndriver_register+0x72/0xd0\nmegasas_init+0xdf/0xff0 
[megaraid_sas]\ndo_one_initcall+0x57/0x310\ndo_init_module+0x90/0x250\ninit_module_from_file+0x85/0xc0\nidempotent_init_module+0x114/0x310\n__x64_sys_finit_module+0x65/0xc0\ndo_syscall_64+0x82/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it accordingly.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06344,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/074efb35552556a4b3b25eedab076d5dc24a8199","https://git.kernel.org/stable/c/19a47c966deb36624843b7301f0373a3dc541a05","https://git.kernel.org/stable/c/752eb816b55adb0673727ba0ed96609a17895654","https://git.kernel.org/stable/c/bf2c1643abc3b2507d56bb6c22bf9897272f8a35","https://git.kernel.org/stable/c/f1064b3532192e987ab17be7281d5fee36fd25e1","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-09T11:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-48384","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. 
This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"epss":0.00472,"ranking_epss":0.64639,"kev":true,"propose_action":"Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.","ransomware_campaign":"Unknown","references":["https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9","http://seclists.org/fulldisclosure/2025/Sep/60","http://www.openwall.com/lists/oss-security/2025/07/08/4","https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"],"published_time":"2025-07-08T19:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38237","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode()\n\nIn fimc_is_hw_change_mode(), the function changes camera modes without\nwaiting for hardware completion, risking corrupted data or system hangs\nif subsequent operations proceed before the hardware is ready.\n\nAdd fimc_is_hw_wait_intmsr0_intmsd0() after mode configuration, ensuring\nhardware state synchronization and stable interrupt 
handling.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06213,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14acbb5af101b7bb58c0952949bba4c5fdf0ee7e","https://git.kernel.org/stable/c/b0d92b94278561f43057003a73a17ce13b7c1a1a","https://git.kernel.org/stable/c/bb97dfab7615fea97322b8a6131546e80f878a69","https://git.kernel.org/stable/c/bd9f6ce7d512fa21249415c16af801a4ed5d97b6","https://git.kernel.org/stable/c/e4077a10a25560ec0bd0b42322e4ea027d6f76e2","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-08T08:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38236","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don't leave consecutive consumed OOB skbs.\n\nJann Horn reported a use-after-free in unix_stream_read_generic().\n\nThe following sequences reproduce the issue:\n\n  $ python3\n  from socket import *\n  s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)\n  s1.send(b'x', MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b'y', MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b'z', MSG_OOB)\n  s2.recv(1)              # recv 'z' illegally\n  s2.recv(1, MSG_OOB)     # access 'z' skb (use-after-free)\n\nEven though a user reads OOB data, the skb holding the data stays on\nthe recv queue to mark the OOB boundary and break the next recv().\n\nAfter the last send() in the scenario above, the sk2's recv queue has\n2 leading consumed OOB skbs and 1 real OOB skb.\n\nThen, the following happens during the next recv() without MSG_OOB\n\n  1. unix_stream_read_generic() peeks the first consumed OOB skb\n  2. manage_oob() returns the next consumed OOB skb\n  3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb\n  4. 
unix_stream_read_generic() reads and frees the OOB skb\n\n, and the last recv(MSG_OOB) triggers KASAN splat.\n\nThe 3. above occurs because of the SO_PEEK_OFF code, which does not\nexpect unix_skb_len(skb) to be 0, but this is true for such consumed\nOOB skbs.\n\n  while (skip >= unix_skb_len(skb)) {\n    skip -= unix_skb_len(skb);\n    skb = skb_peek_next(skb, &sk->sk_receive_queue);\n    ...\n  }\n\nIn addition to this use-after-free, there is another issue that\nioctl(SIOCATMARK) does not function properly with consecutive consumed\nOOB skbs.\n\nSo, nothing good comes out of such a situation.\n\nInstead of complicating manage_oob(), ioctl() handling, and the next\nECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,\nlet's not leave such consecutive OOB unnecessarily.\n\nNow, while receiving an OOB skb in unix_stream_recv_urg(), if its\nprevious skb is a consumed OOB skb, it is freed.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)\nRead of size 4 at addr ffff888106ef2904 by task python3/315\n\nCPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:636)\n unix_stream_read_actor (net/unix/af_unix.c:3027)\n unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)\n unix_stream_recvmsg (net/unix/af_unix.c:3048)\n sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))\n __sys_recvfrom (net/socket.c:2278)\n __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n 
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f8911fcea06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06\nRDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006\nRBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20\nR13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nAllocated by task 315:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:348)\n kmem_cache_alloc_\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00011,"ranking_epss":0.0132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/32ca245464e1479bfea8592b9db227fdc1641705","https://git.kernel.org/stable/c/523edfed4f68b7794d85b9ac828c5f8f4442e4c5","https://git.kernel.org/stable/c/61a9ad7b69ce688697e5f63332f03e17725353bc","https://git.kernel.org/stable/c/8db4d2d026e6e3649832bfe23b96c4acff0756db","https://git.kernel.org/stable/c/a12237865b48a73183df252029ff5065d73d305e","https://git.kernel.org/stable/c/fad0a2c16062ac7c606b93166a7ce9d265bab976","https://project-zero.issues.chromium.org/issues/423023990","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-08T08:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38227","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of initialization failure\n\nsyzbot reported a 
slab-use-after-free Read in vidtv_mux_init. [1]\n\nAfter PSI initialization fails, the si member is accessed again, resulting\nin this uaf.\n\nAfter si initialization fails, the subsequent process needs to be exited.\n\n[1]\nBUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]\nBUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nRead of size 8 at addr ffff88802fa42acc by task syz.2.37/6059\n\nCPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0xc3/0x670 mm/kasan/report.c:521\nkasan_report+0xd9/0x110 mm/kasan/report.c:634\nvidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78\nvidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nvidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\nvidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\ndmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\ndvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\ndvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\ndvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\ndvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\ndvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n__fput+0x3ff/0xb70 fs/file_table.c:464\ntask_work_run+0x14e/0x250 kernel/task_work.c:227\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xad8/0x2d70 kernel/exit.c:938\ndo_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n__do_sys_exit_group kernel/exit.c:1098 [inline]\n__se_sys_exit_group kernel/exit.c:1096 [inline]\n__x64_sys_exit_group+0x3e/0x50 
kernel/exit.c:1096\nx64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f871d58d169\nCode: Unable to access opcode bytes at 0x7f871d58d13f.\nRSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169\nRDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003\nR13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840\n </TASK>\n\nAllocated by task 6059:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970\n vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423\n vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\n vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\n dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\n dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\n dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\n dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3ff/0xb70 
fs/file_tabl\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d5f88f053480326873115092bc116b7d14916ba","https://git.kernel.org/stable/c/685c18bc5a36f823ee725e85aac1303ef5f535ba","https://git.kernel.org/stable/c/72541cae73d0809a6416bfcd2ee6473046a0013a","https://git.kernel.org/stable/c/7e62be1f3b241bc9faee547864bb39332955509b","https://git.kernel.org/stable/c/9824e1732a163e005aa84e12ec439493ebd4f097","https://git.kernel.org/stable/c/e1d72ff111eceea6b28dccb7ca4e8f4900b11729","https://git.kernel.org/stable/c/f8c2483be6e8bb6c2148315b4a924c65bb442b5e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38229","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cxusb: no longer judge rbuf when the write fails\n\nsyzbot reported a uninit-value in cxusb_i2c_xfer. 
[1]\n\nOnly when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()\nsucceeds and rlen is greater than 0, the read operation of usb_bulk_msg()\nwill be executed to read rlen bytes of data from the dvb device into the\nrbuf.\n\nIn this case, although rlen is 1, the write operation failed which resulted\nin the dvb read operation not being executed, and ultimately variable i was\nnot initialized.\n\n[1]\nBUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\nBUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\n cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1\n i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315\n i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343\n i2c_master_send include/linux/i2c.h:109 [inline]\n i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183\n do_loop_readv_writev fs/read_write.c:848 [inline]\n vfs_writev+0x963/0x14e0 fs/read_write.c:1057\n do_writev+0x247/0x5c0 fs/read_write.c:1101\n __do_sys_writev fs/read_write.c:1169 [inline]\n __se_sys_writev fs/read_write.c:1166 [inline]\n __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166\n x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94\n 
entry_SYSCALL_64_after_hwframe+0x77/0x7f","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04354c529c8246a38ae28f713fd6bfdc028113bc","https://git.kernel.org/stable/c/390b864e3281802109dfe56e508396683e125653","https://git.kernel.org/stable/c/41807a5f67420464ac8ee7741504f6b5decb3b7c","https://git.kernel.org/stable/c/73fb3b92da84637e3817580fa205d48065924e15","https://git.kernel.org/stable/c/77829a5f5a74026b888b0529628475b29750cef4","https://git.kernel.org/stable/c/84eca597baa346f09b30accdaeca10ced3eeba2d","https://git.kernel.org/stable/c/8b35b50b7e98d8e9a0a27257c8424448afae10de","https://git.kernel.org/stable/c/9bff888c92f5c25effbb876d22a793c2388c1ccc","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38230","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: validate AG parameters in dbMount() to prevent crashes\n\nValidate db_agheight, db_agwidth, and db_agstart in dbMount to catch\ncorrupted metadata early and avoid undefined behavior in dbAllocAG.\nLimits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE:\n\n- agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift\n  (L2LPERCTL - 2*agheight) >= 0.\n- agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight))\n  ensures agperlev >= 1.\n  - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5).\n  - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG;\n    2^(10 - 2*agheight) prevents division to 0.\n- agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within\n  stree (size 1365).\n  - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8).\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9\nshift exponent -335544310 is 
negative\nCPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400\n dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613\n jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105\n jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.0633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c40fa81f850556e9aa0185fede9ef1112db7b39","https://git.kernel.org/stable/c/37bfb464ddca87f203071b5bd562cd91ddc0b40a","https://git.kernel.org/stable/c/8b69608c6b6779a7ab07ce4467a56df90152cfb9","https://git.kernel.org/stable/c/9242ff6245527a3ebb693ddd175493b38ddca72f","https://git.kernel.org/stable/c/95ae5ee6069d9a5945772625f289422ef659221a","https://git.kernel.org/stable/c/a4259e72363e1ea204a97292001a9fc36c7e52fd","https://git.kernel.org/stable/c/b62a1e59d8716bbd2e73660743fe06acc97ed7d1","https://git.kernel.org/stable/c/c3705c82b7406a15ef38a610d03bf6baa43d6e0c","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38231","summary":"In the Linux kernel, the 
following vulnerability has been resolved:\n\nnfsd: Initialize ssc before laundromat_work to prevent NULL dereference\n\nIn nfs4_state_start_net(), laundromat_work may access nfsd_ssc through\nnfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,\nthis can cause NULL pointer dereference.\n\nNormally the delayed start of laundromat_work allows sufficient time for\nnfsd_ssc initialization to complete. However, when the kernel waits too\nlong for userspace responses (e.g. in nfs4_state_start_net ->\nnfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->\ncld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the\ndelayed work may start before nfsd_ssc initialization finishes.\n\nFix this by moving nfsd_ssc initialization before starting laundromat_work.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0fccf5f01ed28725cc313a66ca1247eef911d55e","https://git.kernel.org/stable/c/5060e1a5fef184bd11d298e3f0ee920d96a23236","https://git.kernel.org/stable/c/83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64","https://git.kernel.org/stable/c/a97668ec6d73dab237cd1c15efe012a10090a4ed","https://git.kernel.org/stable/c/b31da62889e6d610114d81dc7a6edbcaa503fcf8","https://git.kernel.org/stable/c/d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0","https://git.kernel.org/stable/c/deaeb74ae9318252829c59a84a7d2316fc335660","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38225","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Cleanup after an allocation error\n\nWhen allocation failures are not cleaned up by the driver, further\nallocation errors will be 
false-positives, which will cause buffers to\nremain uninitialized and cause NULL pointer dereferences.\nEnsure proper cleanup of failed allocations to prevent these issues.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ee9469f818a0b4de3c0e7aecd733c103820d181","https://git.kernel.org/stable/c/6d0efe7d35c75394f32ff9d0650a007642d23857","https://git.kernel.org/stable/c/7500bb9cf164edbb2c8117d57620227b1a4a8369","https://git.kernel.org/stable/c/b89ff9cf37ff59399f850d5f7781ef78fc37679f","https://git.kernel.org/stable/c/ec26be7d6355a05552a0d0c1e73031f83aa4dc7f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38226","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern 
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064","https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e","https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee","https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39","https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b","https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34","https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135","https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38218","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sit_bitmap_size\n\nw/ below testcase, resize will generate a corrupted image which\ncontains inconsistent metadata, so when mounting 
such image, it\nwill trigger kernel panic:\n\ntouch img\ntruncate -s $((512*1024*1024*1024)) img\nmkfs.f2fs -f img $((256*1024*1024))\nresize.f2fs -s -i img -t $((1024*1024*1024))\nmount img /mnt/f2fs\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.h:863!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_ra_meta_pages+0x47c/0x490\n\nCall Trace:\n f2fs_build_segment_manager+0x11c3/0x2600\n f2fs_fill_super+0xe97/0x2840\n mount_bdev+0xf4/0x140\n legacy_get_tree+0x2b/0x50\n vfs_get_tree+0x29/0xd0\n path_mount+0x487/0xaf0\n __x64_sys_mount+0x116/0x150\n do_syscall_64+0x82/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdbfde1bcfe\n\nThe reaseon is:\n\nsit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum\nthere are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt\nis 4762, build_sit_entries() -> current_sit_addr() tries to access\nout-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap\nand sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on().\n\nLet's add sanity check in f2fs_sanity_check_ckpt() to avoid 
panic.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/38ef48a8afef8df646b6f6ae7abb872f18b533c1","https://git.kernel.org/stable/c/3e5ac62a56a24f4d88ce8ffd7bc452428b235868","https://git.kernel.org/stable/c/5db0d252c64e91ba1929c70112352e85dc5751e7","https://git.kernel.org/stable/c/79ef8a6c4ec53d327580fd7d2b522cf4f1d05b0c","https://git.kernel.org/stable/c/82f51bff393e4c12cf4de553120ca831cfa4ef19","https://git.kernel.org/stable/c/ad862f71016ba38039df1c96ed55c0a4314cc183","https://git.kernel.org/stable/c/ee1b421c469876544e297ec1090574bd76100247","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38219","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: prevent kernel warning due to negative i_nlink from corrupted image\n\nWARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0\nhome/cc/linux/fs/inode.c:417\nModules linked in:\nCPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted\n6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417\nCode: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff\nf0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90\n<0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6\nff\nRSP: 0018:ffffc900026b7c28 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f\nRDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005\nRBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: ffffffff9ab36f08 R12: 
ffff88804bb40000\nR13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0\nFS:  000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0\nCall Trace:\n <task>\n f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline]\n f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845\n f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909\n f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581\n vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544\n do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608\n __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline]\n __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline]\n __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652\n do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb3d092324b\nCode: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66\n2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05\n<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01\n48\nRSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b\nRDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0\nRBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0\nR10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0\nR13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001\n 
</task>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f6332872374b7f482fc4ad865f9422fedb587fc","https://git.kernel.org/stable/c/42cb74a92adaf88061039601ddf7c874f58b554e","https://git.kernel.org/stable/c/5018d035530b6fbfad33eeb1dd1bc87da419a276","https://git.kernel.org/stable/c/a87cbcc909ccfd394d4936a94663f586453d0961","https://git.kernel.org/stable/c/aaa644e7ffff02e12c89cbce4753bc0b6f23ff87","https://git.kernel.org/stable/c/d14cbed4baccd712447fb3f9c011f008b56b2097","https://git.kernel.org/stable/c/d9a55869d8237e677ddaa18b0f58586364cfbc1c","https://git.kernel.org/stable/c/fbfe8446cd3274b9e367f5708d94574230a44409","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38222","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n        fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n        ftruncate(fd, 30);\n        pwrite(fd, \"a\", 1, (1UL << 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n        BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[   44.545164] ------------[ cut here ]------------\n[   44.545530] 
kernel BUG at fs/ext4/inline.c:240!\n[   44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[   44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full)  112853fcebfdb93254270a7959841d2c6aa2c8bb\n[   44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[   44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[   44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[   44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[   44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[   44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[   44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[   44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[   44.546523] FS:  00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[   44.546523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[   44.546523] PKRU: 55555554\n[   44.546523] Call Trace:\n[   44.546523]  <TASK>\n[   44.546523]  ext4_write_inline_data_end+0x126/0x2d0\n[   44.546523]  generic_perform_write+0x17e/0x270\n[   44.546523]  ext4_buffered_write_iter+0xc8/0x170\n[   44.546523]  vfs_write+0x2be/0x3e0\n[   44.546523]  __x64_sys_pwrite64+0x6d/0xc0\n[   44.546523]  do_syscall_64+0x6a/0xf0\n[   44.546523]  ? __wake_up+0x89/0xb0\n[   44.546523]  ? xas_find+0x72/0x1c0\n[   44.546523]  ? next_uptodate_folio+0x317/0x330\n[   44.546523]  ? set_pte_range+0x1a6/0x270\n[   44.546523]  ? filemap_map_pages+0x6ee/0x840\n[   44.546523]  ? ext4_setattr+0x2fa/0x750\n[   44.546523]  ? 
do_pte_missing+0x128/0xf70\n[   44.546523]  ? security_inode_post_setattr+0x3e/0xd0\n[   44.546523]  ? ___pte_offset_map+0x19/0x100\n[   44.546523]  ? handle_mm_fault+0x721/0xa10\n[   44.546523]  ? do_user_addr_fault+0x197/0x730\n[   44.546523]  ? do_syscall_64+0x76/0xf0\n[   44.546523]  ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[   44.546523]  ? irqentry_exit_to_user_mode+0x79/0x90\n[   44.546523]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[   44.546523] RIP: 0033:0x7f42999c6687\n[   44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[   44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[   44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[   44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[   44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[   44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 
0000\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270","https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869","https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458","https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00","https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8","https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934","https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b","https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38211","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. 
It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id's last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? 
__pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. 
For that purpose, mo\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06241,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2","https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21","https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac","https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b","https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f","https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1","https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5","https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38212","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough.  
If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9","https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c","https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884","https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68","https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d","https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057","https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7","https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38214","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in fb_set_var() fails to allocate memory for\nfb_videomode, later it may lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. 
the one that is\ndescribed in fb_info->var.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nThe reason is that fb_info->var is being modified in fb_set_var(), and\nthen fb_videomode_to_var() is called. If it fails to add the mode to\nfb_info->modelist, fb_set_var() returns error, but does not restore the\nold value of fb_info->var. 
Restore fb_info->var on failure the same way\nit is done earlier in the function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05f6e183879d9785a3cdf2f08a498bc31b7a20aa","https://git.kernel.org/stable/c/1a10d91766eb6ddfd5414e4785611e33a4fe0f9b","https://git.kernel.org/stable/c/3ca78032a388a0795201792b36e6fc9b6e6e8eed","https://git.kernel.org/stable/c/8a3a2887794b2c8e78b3e5d6e3de724527c9f41b","https://git.kernel.org/stable/c/b3071bb463ea1e6c686d0dc9638fc940f2f5cf17","https://git.kernel.org/stable/c/ee20216f12d9482cd70e44dae5e7fabb38367c71","https://git.kernel.org/stable/c/fab201d72fde38d081e2c5d4ad25595c535b7b22","https://git.kernel.org/stable/c/ff0e037241173b574b385bff53d67567b9816db5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38215","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in do_register_framebuffer() fails to allocate\nmemory for fb_videomode, it will later lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. 
the one that is\ndescribed in fb_info->var.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nEven though fbcon_init() checks beforehand if fb_match_mode() in\nvar_to_display() fails, it can not prevent the panic because fbcon_init()\ndoes not return error code. Considering this and the comment in the code\nabout fb_match_mode() returning NULL - \"This should not happen\" - it is\nbetter to prevent registering the fb_info if its mode was not set\nsuccessfully. 
Also move fb_add_videomode() closer to the beginning of\ndo_register_framebuffer() to avoid having to do the cleanup on fail.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.0833,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0909b2b49c4546a7a08c80f53d93736b63270827","https://git.kernel.org/stable/c/17186f1f90d34fa701e4f14e6818305151637b9e","https://git.kernel.org/stable/c/3f2098f4fba7718eb2501207ca6e99d22427f25a","https://git.kernel.org/stable/c/908c5bb64f9c4319902b8ca1aa3fef8f83302520","https://git.kernel.org/stable/c/d803c4c2a4ac8ce2be6d899d5c7ab0bf7ec355e9","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38202","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()\n\nbpf_map_lookup_percpu_elem() helper is also available for sleepable bpf\nprogram. When BPF JIT is disabled or under 32-bit host,\nbpf_map_lookup_percpu_elem() will not be inlined. Using it in a\nsleepable bpf program will trigger the warning in\nbpf_map_lookup_percpu_elem(), because the bpf program only holds\nrcu_read_lock_trace lock. 
Therefore, add the missed check.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d834477bbc1e8b8a59ff8b0c081529d6bed7b22","https://git.kernel.org/stable/c/2f8c69a72e8ad87b36b8052f789da3cc2b2e186c","https://git.kernel.org/stable/c/7bf4461f1c97207fda757014690d55a447ce859f","https://git.kernel.org/stable/c/b522d4d334f206284b1a44b0b0b2f99fd443b39b","https://git.kernel.org/stable/c/d4965578267e2e81f67c86e2608481e77e9c8569","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38203","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix null-ptr-deref in jfs_ioc_trim\n\n[ Syzkaller Report ]\n\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000087: 0000 [#1\nKASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]\nCPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted\n6.13.0-rc6-gfbfd64d25c7a-dirty #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nSched_ext: serialise (enabled+all), task: runnable_at=-30ms\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 
000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n? __die_body+0x61/0xb0\n? die_addr+0xb1/0xe0\n? exc_general_protection+0x333/0x510\n? asm_exc_general_protection+0x26/0x30\n? jfs_ioc_trim+0x34b/0x8f0\njfs_ioctl+0x3c8/0x4f0\n? __pfx_jfs_ioctl+0x10/0x10\n? __pfx_jfs_ioctl+0x10/0x10\n__se_sys_ioctl+0x269/0x350\n? __pfx___se_sys_ioctl+0x10/0x10\n? do_syscall_64+0xfb/0x210\ndo_syscall_64+0xee/0x210\n? syscall_exit_to_user_mode+0x1e0/0x330\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe51f4903ad\nCode: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d\nRSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad\nRDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640\nR13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nKernel panic - not syncing: Fatal exception\n\n[ Analysis ]\n\nWe believe that we have found a concurrency bug in the `fs/jfs` module\nthat results in a null pointer dereference. There is a closely related\nissue which has been fixed:\n\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234\n\n... but, unfortunately, the accepted patch appears to still be\nsusceptible to a null pointer dereference under some interleavings.\n\nTo trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set\nto NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This\nbug manifests quite rarely under normal circumstances, but is\ntriggerable from a syz-program.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718","https://git.kernel.org/stable/c/4a8cb9908b51500a76f5156423bd295df53bff89","https://git.kernel.org/stable/c/9806ae34d7d661c372247cd36f83bfa0523d60ed","https://git.kernel.org/stable/c/a4685408ff6c3e2af366ad9a7274f45ff3f394ee","https://git.kernel.org/stable/c/a9d41c925069c950e18160e12a7e10e0f58c56fb","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-04T14:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38204","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds read in add_missing_indices\n\nstbl is s8 but it must contain offsets into slot which can go from 0 to\n127.\n\nAdded a bound check for that error and return -EIO if the check fails.\nAlso make jfs_readdir return with error if add_missing_indices returns\nwith an 
error.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00021,"ranking_epss":0.05492,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/44618bee303bed151ef3a525ff79fbd7689593b5","https://git.kernel.org/stable/c/5dff41a86377563f7a2b968aae00d25b4ceb37c9","https://git.kernel.org/stable/c/81af4b34fd72d390d7f237c6a545cc6d09707956","https://git.kernel.org/stable/c/bfa4655d28f338e68d345aed80d19be7999bbce2","https://git.kernel.org/stable/c/c8399564a58fb6ea2ff21a6fd278417943cb51a5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-04T14:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38206","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n        exfat_create_upcase_table() : return error\n        exfat_free_upcase_table() : free ->vol_utbl\n        exfat_load_default_upcase_table : return error\n     exfat_kill_sb()\n           delayed_free()\n                  exfat_free_upcase_table() <--------- double free\nThis patch set ->vol_util as NULL after freeing it.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07265,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15","https://git.kernel.org/stable/c/1f3d9724e16d62c7d42c67d6613b8512f2887c22","https://git.kernel.org/stable/c/66e84439ec2af776ce749e8540f8fdd257774152","https://git.kernel.org/stable/c/d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-04T14:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38198","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nfbcon: Make sure modelist not set on unregistered console\n\nIt looks like attempting to write to the \"store_modes\" sysfs node will\nrun afoul of unregistered consoles:\n\nUBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28\nindex -1 is out of range for type 'fb_info *[32]'\n...\n fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122\n fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048\n fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673\n store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113\n dev_attr_store+0x55/0x80 drivers/base/core.c:2439\n\nstatic struct fb_info *fbcon_registered_fb[FB_MAX];\n...\nstatic signed char con2fb_map[MAX_NR_CONSOLES];\n...\nstatic struct fb_info *fbcon_info_from_console(int console)\n...\n        return fbcon_registered_fb[con2fb_map[console]];\n\nIf con2fb_map contains a -1 things go wrong here. Instead, return NULL,\nas callers of fbcon_info_from_console() are trying to compare against\nexisting \"info\" pointers, so error handling should kick in correctly.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00021,"ranking_epss":0.05492,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/519ba75728ee8cd561dce25fc52a2ec5c47171dc","https://git.kernel.org/stable/c/54b28f7c567dd659e5f9562f518e4d7f3f6a367b","https://git.kernel.org/stable/c/b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b","https://git.kernel.org/stable/c/cedc1b63394a866bf8663a3e40f4546f1d28c8d8","https://git.kernel.org/stable/c/f28f1f578cd810779d01999c60618cda14c281dd","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38200","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix MMIO write access to an invalid page in i40e_clear_hw\n\nWhen the device 
sends a specific input, an integer underflow can occur, leading\nto MMIO write access to an invalid page.\n\nPrevent the integer underflow by changing the type of related variables.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/015bac5daca978448f2671478c553ce1f300c21e","https://git.kernel.org/stable/c/2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca","https://git.kernel.org/stable/c/3502dd42f178dae9d54696013386bb52b4f2e655","https://git.kernel.org/stable/c/5e75c9082987479e647c75ec8fdf18fa68263c42","https://git.kernel.org/stable/c/872607632c658d3739e4e7889e4f3c419ae2c193","https://git.kernel.org/stable/c/8cde755f56163281ec2c46b4ae8b61f532758a6f","https://git.kernel.org/stable/c/d88a1e8f024ba26e19350958fecbf771a9960352","https://git.kernel.org/stable/c/fecb2fc3fc10c95724407cc45ea35af4a65cdde2","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38190","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: Revert atm_account_tx() if copy_from_iter_full() fails.\n\nIn vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by\natm_account_tx().\n\nIt is expected to be reverted by atm_pop_raw() later called by\nvcc->dev->ops->send(vcc, skb).\n\nHowever, vcc_sendmsg() misses the same revert when copy_from_iter_full()\nfails, and then we will leak a socket.\n\nLet's factorise the revert part as atm_return_tx() and call it in\nthe failure path.\n\nNote that the corresponding sk_wmem_alloc operation can be found in\nalloc_tx() as of the blamed commit.\n\n  $ git blame -L:alloc_tx net/atm/common.c 
c55fa3cccbc2c~","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2252c539c43f9a1431a7e8b34e3c18e9dd77a96d","https://git.kernel.org/stable/c/287b4f085d2ca3375cf1ee672af27410c64777e8","https://git.kernel.org/stable/c/3902205eadf35db59dbc2186c2a98b9e6182efa5","https://git.kernel.org/stable/c/3d828519bd69bfcaabdd942a872679617ef06739","https://git.kernel.org/stable/c/5e0d00992118e234ebf29d5145c1cc920342777e","https://git.kernel.org/stable/c/7851263998d4269125fd6cb3fdbfc7c6db853859","https://git.kernel.org/stable/c/7d6bc28cfe5c8e3a279b4b4bdeed6698b2702685","https://git.kernel.org/stable/c/c12430edd92fd49a4800b0f3fb395b50cb16bcc1","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38191","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference in destroy_previous_session\n\nIf client set ->PreviousSessionId on kerberos session setup stage,\nNULL pointer dereference error will happen. Since sess->user is not\nset yet, it can pass the user argument as NULL to destroy_previous_session.\nsess->user will be set in ksmbd_krb5_authenticate(). 
So this patch moves\ncalling destroy_previous_session() after ksmbd_krb5_authenticate().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00028,"ranking_epss":0.07995,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/076f1adefb9837977af7ed233883842ddc446644","https://git.kernel.org/stable/c/0902625a24eea7fdc187faa5d97df244d159dd6e","https://git.kernel.org/stable/c/1193486dffb7432a09f57f5d09049b4d4123538b","https://git.kernel.org/stable/c/281afc52e2961cd5dd8326ebc9c5bc40904c0468","https://git.kernel.org/stable/c/7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e","https://www.zerodayinitiative.com/advisories/ZDI-25-610/","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38193","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: reject invalid perturb period\n\nGerrard Tai reported that SFQ perturb_period has no range check yet,\nand this can be used to trigger a race condition fixed in a separate patch.\n\nWe want to make sure ctl->perturb_period * HZ will not overflow\nand is positive.\n\n\ntc qd add dev lo root sfq perturb -10   # negative value : error\nError: sch_sfq: invalid perturb period.\n\ntc qd add dev lo root sfq perturb 1000000000 # too big : error\nError: sch_sfq: invalid perturb period.\n\ntc qd add dev lo root sfq perturb 2000000 # acceptable value\ntc -s -d qd sh dev lo\nqdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec\n Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)\n backlog 0b 0p requeues 
0","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0357da9149eac621f39e235a135ebf155f01f7c3","https://git.kernel.org/stable/c/2254d038dab9c194fe6a4b1ce31034f42e91a6e5","https://git.kernel.org/stable/c/590b2d7d0beadba2aa576708a05a05f0aae39295","https://git.kernel.org/stable/c/7ca52541c05c832d32b112274f81a985101f9ba8","https://git.kernel.org/stable/c/956b5aebb349449b38d920d444ca1392d43719d1","https://git.kernel.org/stable/c/b11a50544af691b787384089b68f740ae20a441b","https://git.kernel.org/stable/c/e0936ff56be4e08ad5b60ec26971eae0c40af305","https://git.kernel.org/stable/c/f9b97d466e6026ccbdda30bb5b71965b67ccbc82","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38194","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before writing summary\n\nSyzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault\ninjection in jffs2_prealloc_raw_node_refs. 
jffs2_sum_write_sumnode doesn't\ncheck return value of jffs2_prealloc_raw_node_refs and simply lets any\nerror propagate into jffs2_sum_write_data, which eventually calls\njffs2_link_node_ref in order to link the summary to an expectedly allocated\nnode.\n\nkernel BUG at fs/jffs2/nodelist.c:592!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592\nCall Trace:\n <TASK>\n jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]\n jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874\n jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388\n jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301\n generic_perform_write+0x314/0x5d0 mm/filemap.c:3856\n __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973\n generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005\n call_write_iter include/linux/fs.h:2265 [inline]\n do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10c/0x170 fs/splice.c:950\n splice_direct_to_actor+0x337/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFix this issue by checking return value of 
jffs2_prealloc_raw_node_refs\nbefore calling jffs2_sum_write_data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/337f80f3d546e131c7aa90b61d8cde051ae858c7","https://git.kernel.org/stable/c/346cfb9d19ea7feb6fb57917b21c4797fb444dab","https://git.kernel.org/stable/c/3f46644a5131a4793fc95c32a7d0a769745b06e7","https://git.kernel.org/stable/c/4adee34098a6ee86a54bf3ec885eab620c126a6b","https://git.kernel.org/stable/c/8ce46dc5b10b0b6f67663202a4921b0e11ad7367","https://git.kernel.org/stable/c/c0edcdb4fc106d69a2d1a0ce4868193511c389f3","https://git.kernel.org/stable/c/da12ef7e19048dc5714032c2db587a215852b200","https://git.kernel.org/stable/c/ec9e6f22bce433b260ea226de127ec68042849b0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38197","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell_rbu: Fix list usage\n\nPass the correct list head to list_for_each_entry*() when looping through\nthe packet list.\n\nWithout this patch, reading the packet data via sysfs will show the data\nincorrectly (because it starts at the wrong packet), and clearing the\npacket list will result in a NULL pointer 
dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07d7b8e7ef7d1f812a6211ed531947c56d09e95e","https://git.kernel.org/stable/c/32d05e6cc3a7bf6c8f16f7b7ef8fe80eca0c233e","https://git.kernel.org/stable/c/4d71f2c1e5263a9f042faa71d59515709869dc79","https://git.kernel.org/stable/c/5e8c658acd1b7c186aeffa46bf08795e121f401a","https://git.kernel.org/stable/c/61ce04601e0d8265ec6d2ffa6df5a7e1bce64854","https://git.kernel.org/stable/c/a7b477b64ef5e37cb08dd536ae07c46f9f28262e","https://git.kernel.org/stable/c/f3b840fb1508a80cd8a0efb5c886ae1995a88b24","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38183","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()\n\nBefore calling lan743x_ptp_io_event_clock_get(), the 'channel' value\nis checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8).\nThis seems correct and aligns with the PTP interrupt status register\n(PTP_INT_STS) specifications.\n\nHowever, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with\nonly LAN743X_PTP_N_EXTTS(4) elements, using channel as an index:\n\n    lan743x_ptp_io_event_clock_get(..., u8 channel,...)\n    {\n        ...\n        /* Update Local timestamp */\n        extts = &ptp->extts[channel];\n        extts->ts.tv_sec = sec;\n        ...\n    }\n\nTo avoid an out-of-bounds write and utilize all the supported GPIO\ninputs, set LAN743X_PTP_N_EXTTS to 8.\n\nDetected using the static analysis tool - 
Svace.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/41017bd66c533f7af912c58273c7dfd5de0065d4","https://git.kernel.org/stable/c/4da0d23516857230b8e9b3022e25422ee2e2ba80","https://git.kernel.org/stable/c/66bba1fd5bad548c03f7e42669a59f3f4d8211cc","https://git.kernel.org/stable/c/e353b0854d3a1a31cb061df8d022fbfea53a0f24","https://git.kernel.org/stable/c/e8d48201a132f4aab31351c19a802c5a5ae820fa","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38184","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer\n\nThe reproduction steps:\n1. create a tun interface\n2. enable l2 bearer\n3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun\n\ntipc: Started in network mode\ntipc: Node identity 8af312d38a21, cluster identity 4711\ntipc: Enabled bearer <eth:syz_tun>, priority 1\nOops: general protection fault\nKASAN: null-ptr-deref in range\nCPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT\nHardware name: QEMU Ubuntu 24.04 PC\nRIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0\n\nthe ub was in fact a struct dev.\n\nwhen bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or\nother media when other thread changes it.\n\nfix this by checking 
media_id.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05d332ba075753d569d66333d62d60fff5f57ad8","https://git.kernel.org/stable/c/0d3d91c3500f0c480e016faa4e2259c588616e59","https://git.kernel.org/stable/c/0f4a72fb266e48dbe928e1d936eab149e4ac3e1b","https://git.kernel.org/stable/c/3998283e4c32c0fe69edd59b0876c193f50abce6","https://git.kernel.org/stable/c/8595350615f952fcf8bc861464a6bf6b1129af50","https://git.kernel.org/stable/c/c2e17984752b9131061d1a2ca1199da2706337fd","https://git.kernel.org/stable/c/d3dfe821dfe091c0045044343c8d86596d66e2cf","https://git.kernel.org/stable/c/f82727adcf2992822e12198792af450a76ebd5ef","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38185","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Free invalid length skb in atmtcp_c_send().\n\nsyzbot reported the splat below. 
[0]\n\nvcc_sendmsg() copies data passed from userspace to skb and passes\nit to vcc->dev->ops->send().\n\natmtcp_c_send() accesses skb->data as struct atmtcp_hdr after\nchecking if skb->len is 0, but it's not enough.\n\nAlso, when skb->len == 0, skb and sk (vcc) were leaked because\ndev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing\nto revert atm_account_tx() in vcc_sendmsg(), which is expected\nto be done in atm_pop_raw().\n\nLet's properly free skb with an invalid length in atmtcp_c_send().\n\n[0]:\nBUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670\n alloc_skb include/linux/skbuff.h:1336 [inline]\n vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 
[inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b0ad18704913c92a3ad53748fbc0f219a75b876","https://git.kernel.org/stable/c/2f370ae1fb6317985f3497b1bb80d457508ca2f7","https://git.kernel.org/stable/c/3261c017a7c5d2815c6a388c5a3280d1fba0e8db","https://git.kernel.org/stable/c/a4b0fd8c25a7583f8564af6cc910418fb8954e89","https://git.kernel.org/stable/c/c19c0943424b412a84fdf178e6c71fe5480e4f0f","https://git.kernel.org/stable/c/c9260c837de1d2b454960a4a2e44a81272fbcd22","https://git.kernel.org/stable/c/ca00f0e6d733ecd9150716d1fd0138d26e674706","https://git.kernel.org/stable/c/e996507f59610e5752b8702537f13f551e7a2c96","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38180","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix /proc/net/atm/lec handling\n\n/proc/net/atm/lec must ensure safety against dev_lec[] changes.\n\nIt appears it had dev_put() calls without prior dev_hold(),\nleading to imbalance and 
UAF.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.0633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5fe1b23a2f87f43aeeac51e08819cbc6fd808cbc","https://git.kernel.org/stable/c/9b9aeb3ada44d8abea1e31e4446113f460848ae4","https://git.kernel.org/stable/c/a5e3a144268899f1a8c445c8a3bfa15873ba85e8","https://git.kernel.org/stable/c/ca3829c18c8d0ceb656605d3bff6bb3dfb078589","https://git.kernel.org/stable/c/d03b79f459c7935cff830d98373474f440bd03ae","https://git.kernel.org/stable/c/e612c4b014f5808fbc6beae21f5ccaca5e76a2f8","https://git.kernel.org/stable/c/f2d1443b18806640abdb530e88009af7be2588e7","https://git.kernel.org/stable/c/fcfccf56f4eba7d00aa2d33c7bb1b33083237742","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38181","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Fix null-ptr-deref in calipso_req_{set,del}attr().\n\nsyzkaller reported a null-ptr-deref in sock_omalloc() while allocating\na CALIPSO option.  [0]\n\nThe NULL is of struct sock, which was fetched by sk_to_full_sk() in\ncalipso_req_setattr().\n\nSince commit a1a5344ddbe8 (\"tcp: avoid two atomic ops for syncookies\"),\nreqsk->rsk_listener could be NULL when SYN Cookie is returned to its\nclient, as hinted by the leading SYN Cookie log.\n\nHere are 3 options to fix the bug:\n\n  1) Return 0 in calipso_req_setattr()\n  2) Return an error in calipso_req_setattr()\n  3) Always set rsk_listener\n\n1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie\nfor CALIPSO.  3) is also no go as there have been many efforts to reduce\natomic ops and make TCP robust against DDoS.  
See also commit 3b24d854cb35\n(\"tcp/dccp: do not touch listener sk_refcnt under synflood\").\n\nAs of the blamed commit, SYN Cookie already did not need refcounting,\nand no one has stumbled on the bug for 9 years, so no CALIPSO user will\ncare about SYN Cookie.\n\nLet's return an error in calipso_req_setattr() and calipso_req_delattr()\nin the SYN Cookie case.\n\nThis can be reproduced by [1] on Fedora and now connect() of nc times out.\n\n[0]:\nTCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]\nRIP: 0010:sock_net include/net/sock.h:655 [inline]\nRIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806\nCode: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b\nRSP: 0018:ffff88811af89038 EFLAGS: 00010216\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400\nRDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030\nRBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e\nR10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000\nR13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050\nFS:  00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n <IRQ>\n ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288\n calipso_req_setattr+0x181/0x340 
net/ipv6/calipso.c:1204\n calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597\n netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249\n selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342\n selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551\n security_inet_conn_request+0x50/0xa0 security/security.c:4945\n tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825\n tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275\n tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328\n tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781\n tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667\n tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904\n ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436\n ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491\n dst_input include/net/dst.h:469 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK 
include/linux/netf\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/058dd4a370f23a5553a9449f2db53d5bfa88d45e","https://git.kernel.org/stable/c/10876da918fa1aec0227fb4c67647513447f53a9","https://git.kernel.org/stable/c/956f1499412ed0953f6a116df7fdb855e9f1fc66","https://git.kernel.org/stable/c/988edde4d52d5c02ea4dd95d7619372a5e2fb7b7","https://git.kernel.org/stable/c/bde8833eb075ba8e8674de88e32de6b669966451","https://git.kernel.org/stable/c/d092c7fd8e220b23d6c47e03d7d0cc79e731f379","https://git.kernel.org/stable/c/dc724bd34d56f5589f7587a091a8cda2386826c4","https://git.kernel.org/stable/c/f4ae0f61dd9a63329ecb49b1e6356139d43240b8","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T14:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38177","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: make hfsc_qlen_notify() idempotent\n\nhfsc_qlen_notify() is not idempotent either and not friendly\nto its callers, like fq_codel_dequeue(). Let's make it idempotent\nto ease qdisc_tree_reduce_backlog() callers' life:\n\n1. update_vf() decreases cl->cl_nactive, so we can check whether it is\nnon-zero before calling it.\n\n2. 
eltree_remove() always removes RB node cl->el_node, but we can use\n   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0475c85426b18eccdcb7f9fb58d8f8e9c6c58c87","https://git.kernel.org/stable/c/51eb3b65544c9efd6a1026889ee5fb5aa62da3bb","https://git.kernel.org/stable/c/72c61ffbeeb8c50f6d4d70c65d3283aa1bac57a7","https://git.kernel.org/stable/c/9030a91235ae4845ec71902c3e0cecfc9ed1f2df","https://git.kernel.org/stable/c/9a5fd5c2f4d4afdd5e405083ee53e0789ce76956","https://git.kernel.org/stable/c/a5efc95a33bd4fcb879250852828cc58c7862970","https://git.kernel.org/stable/c/c1175c4ad01dbc9c979d099861fa90a754f72059","https://git.kernel.org/stable/c/d06476714d2819b550e0cc39222347e2c8941c9d","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-04T13:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38174","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Do not double dequeue a configuration request\n\nSome of our devices crash in tb_cfg_request_dequeue():\n\n general protection fault, probably for non-canonical address 0xdead000000000122\n\n CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65\n RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0\n Call Trace:\n <TASK>\n ? tb_cfg_request_dequeue+0x2d/0xa0\n tb_cfg_request_work+0x33/0x80\n worker_thread+0x386/0x8f0\n kthread+0xed/0x110\n ret_from_fork+0x38/0x50\n ret_from_fork_asm+0x1b/0x30\n\nThe circumstances are unclear, however, the theory is that\ntb_cfg_request_work() can be scheduled twice for a request:\nfirst time via frame.callback from ring_work() and second\ntime from tb_cfg_request().  
Both times kworkers will execute\ntb_cfg_request_dequeue(), which results in double list_del()\nfrom the ctl->request_queue (the list poison dereference hints\nat it: 0xdead000000000122).\n\nDo not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE\nbit set.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00042,"ranking_epss":0.12968,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0771bcbe2f6e5d5f263cf466efe571d2754a46da","https://git.kernel.org/stable/c/0a3011d47dbc92a33621861c423cb64833d7fe57","https://git.kernel.org/stable/c/0f73628e9da1ee39daf5f188190cdbaee5e0c98c","https://git.kernel.org/stable/c/2f62eda4d974c26bc595425eafd429067541f2c9","https://git.kernel.org/stable/c/5a057f261539720165d03d85024da2b52e67f63d","https://git.kernel.org/stable/c/85286e634ebbaf9c0fb1cdf580add2f33fc7628c","https://git.kernel.org/stable/c/cdb4feab2f39e75a66239e3a112beced279612a8","https://git.kernel.org/stable/c/e49e994cd83705f7ca30eda1e304abddfd96a37a","https://git.kernel.org/stable/c/eb2d5e794fb966b3ef8bde99eb8561446a53509f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-04T11:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38173","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 
0.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9","https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45","https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13","https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965","https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7","https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024","https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc","https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38166","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix ktls panic with sockmap\n\n[ 2172.936997] ------------[ cut here ]------------\n[ 2172.936999] kernel BUG at lib/iov_iter.c:629!\n......\n[ 2172.944996] PKRU: 55555554\n[ 2172.945155] Call Trace:\n[ 2172.945299]  <TASK>\n[ 2172.945428]  ? die+0x36/0x90\n[ 2172.945601]  ? do_trap+0xdd/0x100\n[ 2172.945795]  ? iov_iter_revert+0x178/0x180\n[ 2172.946031]  ? iov_iter_revert+0x178/0x180\n[ 2172.946267]  ? do_error_trap+0x7d/0x110\n[ 2172.946499]  ? iov_iter_revert+0x178/0x180\n[ 2172.946736]  ? exc_invalid_op+0x50/0x70\n[ 2172.946961]  ? iov_iter_revert+0x178/0x180\n[ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20\n[ 2172.947446]  ? iov_iter_revert+0x178/0x180\n[ 2172.947683]  ? iov_iter_revert+0x5c/0x180\n[ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840\n[ 2172.948206]  tls_sw_sendmsg+0x52/0x80\n[ 2172.948420]  ? 
inet_sendmsg+0x1f/0x70\n[ 2172.948634]  __sys_sendto+0x1cd/0x200\n[ 2172.948848]  ? find_held_lock+0x2b/0x80\n[ 2172.949072]  ? syscall_trace_enter+0x140/0x270\n[ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170\n[ 2172.949595]  ? find_held_lock+0x2b/0x80\n[ 2172.949817]  ? syscall_trace_enter+0x140/0x270\n[ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190\n[ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0\n[ 2172.951036]  __x64_sys_sendto+0x24/0x30\n[ 2172.951382]  do_syscall_64+0x90/0x170\n......\n\nAfter calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,\ne.g., when the BPF program executes bpf_msg_push_data().\n\nIf the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,\nit will return -ENOSPC and attempt to roll back to the non-zero copy\nlogic. However, during rollback, msg->msg_iter is reset, but since\nmsg_pl->sg.size has been increased, subsequent executions will exceed the\nactual size of msg_iter.\n'''\niov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);\n'''\n\nThe changes in this commit are based on the following considerations:\n\n1. When cork_bytes is set, rolling back to non-zero copy logic is\npointless and can directly go to zero-copy logic.\n\n2. We can not calculate the correct number of bytes to revert msg_iter.\n\nAssume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes\nby the BPF program, it becomes 11-byte data: \"abc?de?fgh?\".\nThen, we set cork_bytes to 6, which means the first 6 bytes have been\nprocessed, and the remaining 5 bytes \"?fgh?\" will be cached until the\nlength meets the cork_bytes requirement.\n\nHowever, some data in \"?fgh?\" is not within 'sg->msg_iter'\n(but in msg_pl instead), especially the data \"?\" we pushed.\n\nSo it doesn't seem as simple as just reverting through an offset of\nmsg_iter.\n\n3. 
For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs,\nthe user-space send() doesn't return an error, and the returned length is\nthe same as the input length parameter, even if some data is cached.\n\nAdditionally, I saw that the current non-zero-copy logic for handling\ncorking is written as:\n'''\nline 1177\nelse if (ret != -EAGAIN) {\n\tif (ret == -ENOSPC)\n\t\tret = 0;\n\tgoto send_end;\n'''\n\nSo it's ok to just return 'copied' without error when a \"cork\" situation\noccurs.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00051,"ranking_epss":0.15952,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e36a81d388ec9c3f78b6223f7eda2088cd40adb","https://git.kernel.org/stable/c/328cac3f9f8ae394748485e769a527518a9137c8","https://git.kernel.org/stable/c/54a3ecaeeeae8176da8badbd7d72af1017032c39","https://git.kernel.org/stable/c/57fbbe29e86042bbaa31c1a30d2afa16c427e3f7","https://git.kernel.org/stable/c/603943f022a7fe5cc83ca7005faf34798fb7853f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38167","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle hdr_first_de() return value\n\nThe hdr_first_de() function returns a pointer to a struct NTFS_DE. This\npointer may be NULL. To handle the NULL error effectively, it is important\nto implement an error handler. 
This will help manage potential errors\nconsistently.\n\nAdditionally, error handling for the return value already exists at other\npoints where this function is called.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d5879f64554181b89f44d4817b9ea86e8e913e1","https://git.kernel.org/stable/c/4ecd0cde89feee26525ccdf1af0c1ae156ca010b","https://git.kernel.org/stable/c/5390b3d4c6d41d05bb9149d094d504cbc9ea85bf","https://git.kernel.org/stable/c/701340a25b1ad210e6b8192195be21fd3fcc22c7","https://git.kernel.org/stable/c/83cd0aa74793384dbdffc140500b200e9776a302","https://git.kernel.org/stable/c/af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38170","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). 
This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn't generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task->fpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn't generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task->fpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. 
This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originally posted as [1].\n\n[ Rutland: rewrite commit message ]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00037,"ranking_epss":0.11106,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6","https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693","https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3","https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb","https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38159","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since 'para' array is passed to\n'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n    ...\n    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n    ...\n    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - 
Svace.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d","https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd","https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647","https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d","https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788","https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38160","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00059,"ranking_epss":0.18638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a2712cd24ecfeb520af60f6f859b442c7ab01ff","https://git.kernel.org/stable/c/1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f","https://git.kernel.org/stable/c/3c1adc2f8c732ea09e8c4bce5941fec019c6205d","https://git.kernel.org/stable/c/52562161df3567cdaedada46834a7a8d8c4ab737","https://git.kernel.org/stable/c/54ce9bcdaee59d4ef0703f390d55708557818f9e","https://git.kernel.org/stable/c/73c46d9a93d071ca69858dea3f569111b03e549e","https://git.kernel.org/stable/c/938f625bd3364cfdc93916739add3b637ff90368","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38161","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error flow upon firmware failure for RQ destruction\n\nUpon RQ destruction if the firmware command fails which is the\nlast resource to be destroyed some SW resources were already cleaned\nregardless of the failure.\n\nNow properly rollback the object to its original state upon such failure.\n\nIn order to avoid a use-after free in case someone tries to destroy the\nobject again, which results in the following kernel trace:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf 
sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)\nCPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G           OE     -------  ---  6.12.0-54.el10.aarch64 #1\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : refcount_warn_saturate+0xf4/0x148\nlr : refcount_warn_saturate+0xf4/0x148\nsp : ffff80008b81b7e0\nx29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001\nx26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00\nx23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000\nx20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006\nx17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f\nx14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78\nx11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90\nx8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff\nx5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600\nCall trace:\n refcount_warn_saturate+0xf4/0x148\n mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]\n mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]\n mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]\n ib_destroy_wq_user+0x30/0xc0 [ib_core]\n uverbs_free_wq+0x28/0x58 [ib_uverbs]\n destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]\n uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]\n __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]\n ib_uverbs_close+0x2c/0x100 [ib_uverbs]\n __fput+0xd8/0x2f0\n __fput_sync+0x50/0x70\n __arm64_sys_close+0x40/0x90\n 
invoke_syscall.constprop.0+0x74/0xd0\n do_el0_svc+0x48/0xe8\n el0_svc+0x44/0x1d0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x1a4/0x1a8","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3","https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36","https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79","https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6","https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e","https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100","https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38163","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sbi->total_valid_block_count\n\nsyzbot reported a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/f2fs.h:2521!\nRIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521\nCall Trace:\n f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695\n truncate_dnode+0x417/0x740 fs/f2fs/node.c:973\n truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014\n f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197\n f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888\n f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112\n notify_change+0xbca/0xe90 fs/attr.c:552\n do_truncate+0x222/0x310 fs/open.c:65\n handle_truncate fs/namei.c:3466 [inline]\n do_open 
fs/namei.c:3849 [inline]\n path_openat+0x2e4f/0x35d0 fs/namei.c:4004\n do_filp_open+0x284/0x4e0 fs/namei.c:4031\n do_sys_openat2+0x12b/0x1d0 fs/open.c:1429\n do_sys_open fs/open.c:1444 [inline]\n __do_sys_creat fs/open.c:1522 [inline]\n __se_sys_creat fs/open.c:1516 [inline]\n __x64_sys_creat+0x124/0x170 fs/open.c:1516\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94\n\nThe reason is: in fuzzed image, sbi->total_valid_block_count is\ninconsistent w/ mapped blocks indexed by inode, so, we should\nnot trigger panic for such case, instead, let's print log and\nset fsck flag.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05872a167c2cab80ef186ef23cc34a6776a1a30c","https://git.kernel.org/stable/c/25f3776b58c1c45ad2e50ab4b263505b4d2378ca","https://git.kernel.org/stable/c/49bc7bf38e42cfa642787e947f5721696ea73ac3","https://git.kernel.org/stable/c/65b3f76592aed5a43c4d79375ac097acf975972b","https://git.kernel.org/stable/c/6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d","https://git.kernel.org/stable/c/a39cc43efc1bca74ed9d6cf9e60b995071f7d178","https://git.kernel.org/stable/c/ccc28c0397f75a3ec9539cceed9db014d7b73869","https://git.kernel.org/stable/c/f1b743c1955151bd392539b739a3ad155296be13","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38165","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n'''\n[  657.460555] kernel BUG at 
net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  <TASK>\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? __kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n'''\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. 
The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n'''\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'\n       sk_psock_skb_ingress____________\n                                       ↓\n                                       |\n                                       | → sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________↑          skb_linearize\n'''\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add 'take_ref' param to control its behavior.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00037,"ranking_epss":0.11106,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc","https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7","https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e","https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402","https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b","https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38151","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix hang when cma_netevent_callback fails to queue_work\n\nThe cited commit fixed a crash when cma_netevent_callback was called for\na cma_id while work on that id from a previous call had not yet started.\nThe work item was re-initialized in the second call, which corrupted the\nwork item currently in the work queue.\n\nHowever, it left a problem when queue_work 
fails (because the item is\nstill pending in the work queue from a previous call). In this case,\ncma_id_put (which is called in the work handler) is therefore not\ncalled. This results in a userspace process hang (zombie process).\n\nFix this by calling cma_id_put() if queue_work fails.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02e45168e0fd6fdc6f8f7c42c4b500857aa5efb0","https://git.kernel.org/stable/c/1ac40736c8c4255d8417b937c9715b193f4a87b3","https://git.kernel.org/stable/c/8b05aa3692e45b8249379dc52b14acc6a104d2e5","https://git.kernel.org/stable/c/92a251c3df8ea1991cd9fe00f1ab0cfce18d7711","https://git.kernel.org/stable/c/ac7897c0124066b9705ffca252a3662d54fc0c9b","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38153","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: fix error handling of usbnet read calls\n\nSyzkaller, courtesy of syzbot, identified an error (see report [1]) in\naqc111 driver, caused by incomplete sanitation of usb read calls'\nresults. This problem is quite similar to the one fixed in commit\n920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").\n\nFor instance, usbnet_read_cmd() may read fewer than 'size' bytes,\neven if the caller expected the full amount, and aqc111_read_cmd()\nwill not check its result properly. 
As [1] shows, this may lead\nto MAC address in aqc111_bind() being only partly initialized,\ntriggering KMSAN warnings.\n\nFix the issue by verifying that the number of bytes read is\nas expected and not less.\n\n[1] Partial syzbot report:\nBUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\nBUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\n usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n really_probe+0x4d1/0xd90 drivers/base/dd.c:658\n __driver_probe_device+0x268/0x380 drivers/base/dd.c:800\n...\n\nUninit was stored to memory at:\n dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582\n __dev_addr_set include/linux/netdevice.h:4874 [inline]\n eth_hw_addr_set include/linux/etherdevice.h:325 [inline]\n aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n...\n\nUninit was stored to memory at:\n ether_addr_copy include/linux/etherdevice.h:305 [inline]\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]\n aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n...\n\nLocal variable buf.i created at:\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]\n aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 
drivers/net/usb/usbnet.c:1772","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11273279012c922f37cfb4dd95d142803fc07b98","https://git.kernel.org/stable/c/30a9e834c74e260533b8d0885e3c89f6f32f7993","https://git.kernel.org/stable/c/405b0d610745fb5e84fc2961d9b960abb9f3d107","https://git.kernel.org/stable/c/60790d287c1a1ced3554d4a87c2f27bf299a932a","https://git.kernel.org/stable/c/7c01863b1c47f040d9674171e77789a423b9b128","https://git.kernel.org/stable/c/8c97655275482ef5384ce0501640630a0fc0f6f4","https://git.kernel.org/stable/c/acb47a40b5e38be03ef659b7bacdddc592ed73b7","https://git.kernel.org/stable/c/f398d2dfe450ce2c031d10b585448862d74a0501","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38154","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk->sk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. 
All types of sockets (tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n'''\nCPU0                               CPU1\n\nbacklog::skb_send_sock\n  sendmsg_unlocked\n    sock_sendmsg\n      sock_sendmsg_nosec\n                                   close(fd):\n                                     ...\n                                     ops->release() -> sock_map_close()\n                                     sk_socket->ops = NULL\n                                     free(socket)\n      sock->ops->sendmsg\n            ^\n            panic here\n'''\n\nThe ref of psock becomes 0 after sock_map_close() executed.\n'''\nvoid sock_map_close()\n{\n    ...\n    if (likely(psock)) {\n    ...\n    // !! here we remove psock and the ref of psock become 0\n    sock_map_remove_links(sk, psock)\n    psock = sk_psock_get(sk);\n    if (unlikely(!psock))\n        goto no_psock; <=== Control jumps here via goto\n        ...\n        cancel_delayed_work_sync(&psock->work); <=== not executed\n        sk_psock_put(sk, psock);\n        ...\n}\n'''\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count has\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I caught:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n <TASK>\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? 
asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n'''","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90","https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7","https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546","https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987","https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291","https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38157","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Abort software beacon handling if disabled\n\nA malicious USB device can send a WMI_SWBA_EVENTID event from an\nath9k_htc-managed device before beaconing has been enabled. 
This causes\na divide-by-zero error in the driver, leading to either a crash or an\nout of bounds read.\n\nPrevent this by aborting the handling in ath9k_htc_swba() if beacons are\nnot enabled.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0281c19074976ec48f0078d50530b406ddae75bc","https://git.kernel.org/stable/c/40471b23147c86ea3ed97faee79937c618250bd0","https://git.kernel.org/stable/c/5482ef9875eaa43f0435e14570e1193823de857e","https://git.kernel.org/stable/c/5a85c21f812e02cb00ca07007d88acdd42d08c46","https://git.kernel.org/stable/c/7ee3fb6258da8c890a51b514f60d7570dc703605","https://git.kernel.org/stable/c/ac4e317a95a1092b5da5b9918b7118759342641c","https://git.kernel.org/stable/c/e5ce9df1d68094d37360dbd9b09289d42fa21e54","https://git.kernel.org/stable/c/ee5ee646385f5846dcbc881389f3c44a197c402a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38158","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: fix XQE dma address error\n\nThe dma addresses of EQE and AEQE are wrong after migration and\nresult in guest kernel-mode encryption services failure.\nComparing the definition of hardware registers, we found that\nthere was an error when the data read from the register was\ncombined into an address. 
Therefore, the address combination\nsequence needs to be corrected.\n\nEven after fixing the above problem, we still have an issue\nwhere the Guest from an old kernel can get migrated to\nnew kernel and may result in wrong data.\n\nIn order to ensure that the address is correct after migration,\nif an old magic number is detected, the dma address needs to be\nupdated.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06281,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f","https://git.kernel.org/stable/c/809a9c10274e1bcf6d05f1c0341459a425a4f05f","https://git.kernel.org/stable/c/884a76e813178778d271fea59783763d32bb7e72","https://git.kernel.org/stable/c/8bb7170c5a055ea17c6857c256ee73c10ff872eb","https://git.kernel.org/stable/c/f0423873e7aeb69cb68f4e8fa3827832e7b037ba","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38143","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: pm8941: Add NULL check in wled_configure()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\nwled_configure() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00059,"ranking_epss":0.18638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1be2000b703b02e149f8f2061054489f6c18c972","https://git.kernel.org/stable/c/21528806560510458378ea52c37e35b0773afaea","https://git.kernel.org/stable/c/4a715be3fe80b68fa55cb3569af3d294be101626","https://git.kernel.org/stable/c/6a56446595730a5e3f06a30902e23cb037d28146","https://git.kernel.org/stable/c/9d06ac32c202142da40904180f2669ed4f5073ac","https://git.kernel.org/stable/c/e12d3e1624a02706cdd3628bbf5668827214fa33","https://git.kernel.org/stable/c/fde314445332015273c8f51d2659885c606fe135","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38145","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\naspeed_lpc_enable_snoop() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.\n\n[arj: Fix Fixes: tag to use subject from 3772e5da4454]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00059,"ranking_epss":0.18638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fd889c145722579aa038c31cbc07cfdd4d75166","https://git.kernel.org/stable/c/2beee9cf833374550e673d428ad8b6ab37c175b3","https://git.kernel.org/stable/c/45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7","https://git.kernel.org/stable/c/8312b1f776f71979bf33bda7acc05b348e8792c7","https://git.kernel.org/stable/c/c550999f939b529d28a914d5034cc4290066aea6","https://git.kernel.org/stable/c/d62a589eaaec6385e3e2b25cf5a28b4560ace93f","https://git.kernel.org/stable/c/f1706e0e1a74b095cbc60375b9b1e6205f5f4c98","https://git.kernel.org/stable/c/f697ef117ecbf3a367dfc559a6a3589905956530","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38146","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix the dead loop of MPLS parse\n\nThe unexpected MPLS packet may not end with the bottom label stack.\nWhen there are many stacks, The label count value has wrapped around.\nA dead loop occurs, soft lockup/CPU stuck finally.\n\nstack backtrace:\nUBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26\nindex -1 is out of range for type '__be32 [3]'\nCPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE   5.15.0-121-generic #131-Ubuntu\nHardware name: Dell Inc. 
PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021\nCall Trace:\n <IRQ>\n show_stack+0x52/0x5c\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n key_extract_l3l4+0x82a/0x840 [openvswitch]\n ? kfree_skbmem+0x52/0xa0\n key_extract+0x9c/0x2b0 [openvswitch]\n ovs_flow_key_extract+0x124/0x350 [openvswitch]\n ovs_vport_receive+0x61/0xd0 [openvswitch]\n ? kernel_init_free_pages.part.0+0x4a/0x70\n ? get_page_from_freelist+0x353/0x540\n netdev_port_receive+0xc4/0x180 [openvswitch]\n ? netdev_port_receive+0x180/0x180 [openvswitch]\n netdev_frame_hook+0x1f/0x40 [openvswitch]\n __netif_receive_skb_core.constprop.0+0x23a/0xf00\n __netif_receive_skb_list_core+0xfa/0x240\n netif_receive_skb_list_internal+0x18e/0x2a0\n napi_complete_done+0x7a/0x1c0\n bnxt_poll+0x155/0x1c0 [bnxt_en]\n __napi_poll+0x30/0x180\n net_rx_action+0x126/0x280\n ? bnxt_msix+0x67/0x80 [bnxt_en]\n handle_softirqs+0xda/0x2d0\n irq_exit_rcu+0x96/0xc0\n common_interrupt+0x8e/0xa0\n </IRQ>","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0bdc924bfb319fb10d1113cbf091fc26fb7b1f99","https://git.kernel.org/stable/c/3c1906a3d50cb94fd0a10e97a1c0a40c0f033cb7","https://git.kernel.org/stable/c/4b9a086eedc1fddae632310386098c12155e3d0a","https://git.kernel.org/stable/c/69541e58323ec3e3904e1fa87a6213961b1f52f4","https://git.kernel.org/stable/c/8ebcd311b4866ab911d1445ead08690e67f0c488","https://git.kernel.org/stable/c/ad17eb86d042d72a59fd184ad1adf34f5eb36843","https://git.kernel.org/stable/c/f26fe7c3002516dd3c288f1012786df31f4d89e0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38147","summary":"In the Linux 
kernel, the following vulnerability has been resolved:\n\ncalipso: Don't call calipso functions for AF_INET sk.\n\nsyzkaller reported a null-ptr-deref in txopt_get(). [0]\n\nThe offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,\nso struct ipv6_pinfo was NULL there.\n\nHowever, this never happens for IPv6 sockets as inet_sk(sk)->pinet6\nis always set in inet6_create(), meaning the socket was not IPv6 one.\n\nThe root cause is missing validation in netlbl_conn_setattr().\n\nnetlbl_conn_setattr() switches branches based on struct\nsockaddr.sa_family, which is passed from userspace.  However,\nnetlbl_conn_setattr() does not check if the address family matches\nthe socket.\n\nThe syzkaller must have called connect() for an IPv6 address on\nan IPv4 socket.\n\nWe have a proper validation in tcp_v[46]_connect(), but\nsecurity_socket_connect() is called in the earlier stage.\n\nLet's copy the validation to netlbl_conn_setattr().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:txopt_get include/net/ipv6.h:390 [inline]\nRIP: 0010:\nCode: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00\nRSP: 0018:ffff88811b8afc48 EFLAGS: 00010212\nRAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c\nRDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070\nRBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e\nR10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00\nR13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80\nFS:  00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) 
knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n <TASK>\n calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557\n netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177\n selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569\n selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]\n selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615\n selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931\n security_socket_connect+0x50/0xa0 security/security.c:4598\n __sys_connect_file+0xa4/0x190 net/socket.c:2067\n __sys_connect+0x12c/0x170 net/socket.c:2088\n __do_sys_connect net/socket.c:2098 [inline]\n __se_sys_connect net/socket.c:2095 [inline]\n __x64_sys_connect+0x73/0xb0 net/socket.c:2095\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f901b61a12d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d\nRDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003\nRBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000\n </TASK>\nModules linked 
in:","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c813dbc851dbf418fdc6dc883fd0592d6c555cd","https://git.kernel.org/stable/c/26ce90f1ce60b0ff587de8d6aec399aa55cab28e","https://git.kernel.org/stable/c/6e9f2df1c550ead7cecb3e450af1105735020c92","https://git.kernel.org/stable/c/946bfdfcb76ac2bac5b8526447035885ff41c598","https://git.kernel.org/stable/c/c32ebe33626335a536dbbdd09571c06dd9bc1729","https://git.kernel.org/stable/c/dd8928897594931d6912ef2f7a43e110b4958d3d","https://git.kernel.org/stable/c/e2ec310c7a50271843c585e27ef14e48c66ce649","https://git.kernel.org/stable/c/fc2da88411470480b8b7e9177e930cedd893cf56","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38148","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: mscc: Fix memory leak when using one step timestamping\n\nFix memory leak when running one-step timestamping. When running\none-step sync timestamping, the HW is configured to insert the TX time\ninto the frame, so there is no reason to keep the skb anymore. 
As in\nthis case the HW will never generate an interrupt to say that the frame\nwas timestamped, the frame will never be released.\nFix this by freeing the frame in case of one-step timestamping.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b40aeaf83ca04d4c9801e235b7533400c8b5f17","https://git.kernel.org/stable/c/24b24295464f25fb771d36ed558c7cd942119361","https://git.kernel.org/stable/c/66abe22017522dd56b820e41ca3a5b131a637001","https://git.kernel.org/stable/c/846992645b25ec4253167e3f931e4597eb84af56","https://git.kernel.org/stable/c/cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d","https://git.kernel.org/stable/c/db2a12ddd3a31f668137ff6a4befc1343c79cbc4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38136","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Reorder clock handling and power management in probe\n\nReorder the initialization sequence in `usbhs_probe()` to enable runtime\nPM before accessing registers, preventing potential crashes due to\nuninitialized clocks.\n\nCurrently, in the probe path, registers are accessed before enabling the\nclocks, leading to a synchronous external abort on the RZ/V2H SoC.\nThe problematic call flow is as follows:\n\n    usbhs_probe()\n        usbhs_sys_clock_ctrl()\n            usbhs_bset()\n                usbhs_write()\n                    iowrite16()  <-- Register access before enabling clocks\n\nSince `iowrite16()` is performed without ensuring the required clocks are\nenabled, this can lead to access errors. 
To fix this, enable PM runtime\nearly in the probe function and ensure clocks are acquired before register\naccess, preventing crashes like the following on RZ/V2H:\n\n[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\n[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6\n[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98\n[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)\n[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]\n[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]\n[13.321138] sp : ffff8000827e3850\n[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0\n[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025\n[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010\n[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff\n[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce\n[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000\n[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750\n[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c\n[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000\n[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080\n[13.395574] Call trace:\n[13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P)\n[13.403076]  platform_probe+0x68/0xdc\n[13.406738]  really_probe+0xbc/0x2c0\n[13.410306]  __driver_probe_device+0x78/0x120\n[13.414653]  driver_probe_device+0x3c/0x154\n[13.418825]  __driver_attach+0x90/0x1a0\n[13.422647]  bus_for_each_dev+0x7c/0xe0\n[13.426470]  driver_attach+0x24/0x30\n[13.430032]  bus_add_driver+0xe4/0x208\n[13.433766]  driver_register+0x68/0x130\n[13.437587]  
__platform_driver_register+0x24/0x30\n[13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]\n[13.448450]  do_one_initcall+0x60/0x1d4\n[13.452276]  do_init_module+0x54/0x1f8\n[13.456014]  load_module+0x1754/0x1c98\n[13.459750]  init_module_from_file+0x88/0xcc\n[13.464004]  __arm64_sys_finit_module+0x1c4/0x328\n[13.468689]  invoke_syscall+0x48/0x104\n[13.472426]  el0_svc_common.constprop.0+0xc0/0xe0\n[13.477113]  do_el0_svc+0x1c/0x28\n[13.480415]  el0_svc+0x30/0xcc\n[13.483460]  el0t_64_sync_handler+0x10c/0x138\n[13.487800]  el0t_64_sync+0x198/0x19c\n[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)\n[13.497522] ---[ end trace 0000000000000000 ]---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/095cc0b5888acc228f12344e85b17539b9ce9367","https://git.kernel.org/stable/c/0a1e16a6cbf4452b46f20b862d6141a1e90844ee","https://git.kernel.org/stable/c/155453ada562c450a4ff5fcf4852b9fa5b6b793a","https://git.kernel.org/stable/c/1637623ad6205162b17804d07512e6f4cbd2a050","https://git.kernel.org/stable/c/6bab152e817fd41b9e178fa6b275354795c9703d","https://git.kernel.org/stable/c/d4c368e4a638ddf4a9d6d687b0ff691aa46cce53","https://git.kernel.org/stable/c/db96a4fd8614d47c0def265e0e6c996b0ee52a38","https://git.kernel.org/stable/c/ffb34a60ce86656ba12d46e91f1ccc71dd221251","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38138","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: Add NULL check in udma_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\nudma_probe() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00059,"ranking_epss":0.18638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/643db430f4cbd91dd2b63c49d62d0abb6debc13b","https://git.kernel.org/stable/c/9f133e04c62246353b8b1f0a679535c65161ebcf","https://git.kernel.org/stable/c/b79e10050d9d1e200541d25751dd5cb8ec58483c","https://git.kernel.org/stable/c/bc6ddff79835f71310a21645d8fcf08ec473e969","https://git.kernel.org/stable/c/d61d5ba5bd5b0e39e30b34dcd92946e084bca0d0","https://git.kernel.org/stable/c/ec1ea394c40523835bbedd8fc4934b77b461b6fe","https://git.kernel.org/stable/c/fd447415e74bccd7362f760d4ea727f8e1ebfe91","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38142","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) check sensor index in read_string()\n\nPrevent a potential invalid memory access when the requested sensor\nis not found.\n\nfind_ec_sensor_index() may return a negative value (e.g. 
-ENOENT),\nbut its result was used without checking, which could lead to\nundefined behavior when passed to get_sensor_info().\n\nAdd a proper check to return -EINVAL if sensor_index is negative.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[groeck: Return error code returned from find_ec_sensor_index]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06479,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19bd9cde38dd4ca1771aed7afba623e7f4247c8e","https://git.kernel.org/stable/c/25be318324563c63cbd9cb53186203a08d2f83a1","https://git.kernel.org/stable/c/4e9e45746b861ebd54c03ef301da2cb8fc990536","https://git.kernel.org/stable/c/6bf529ce84dccc0074dbc704e70aee4aa545057e","https://git.kernel.org/stable/c/7eeb3df6f07a886bdfd52757ede127a59a8784dc","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38131","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivate active config while enabling the config\n\nWhile enabling an active config via cscfg_csdev_enable_active_config(),\nthe active config could be deactivated via configfs' sysfs interface.\nThis could cause a UAF issue in the scenario below:\n\nCPU0                                          CPU1\n(sysfs enable)                                load module\n                                              cscfg_load_config_sets()\n                                              activate config. 
// sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev->cscfg_csdev_lock)\n// here load config activated by CPU1\nunlock(csdev->cscfg_csdev_lock)\n\n                                              deactivate config // sysfs\n                                              (sys_active_cnt == 0)\n                                              cscfg_unload_config_sets()\n                                              unload module\n\n// access to config_desc which was freed\n// while unloading module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc's active_cnt as a reference count\n which will be held when\n    - activating the config.\n    - enabling the activated config.\nand put the module reference when config_active_cnt == 0.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22","https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164","https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724","https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223","https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38135","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix potential null-ptr-deref in mlb_usio_probe()\n\ndevm_ioremap() can return NULL on error. 
Currently, mlb_usio_probe()\ndoes not check for this case, which could result in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19fd9f5a69363d33079097d866eb6082d61bf31d","https://git.kernel.org/stable/c/548b0e81b9a0902a8bc8259430ed965663baadfc","https://git.kernel.org/stable/c/81159a6b064142b993f2f39828b77e199c77872a","https://git.kernel.org/stable/c/86bcae88c9209e334b2f8c252f4cc66beb261886","https://git.kernel.org/stable/c/a05ebe384c7ca75476453f3070c67d9cf1d1a89f","https://git.kernel.org/stable/c/a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea","https://git.kernel.org/stable/c/c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d","https://git.kernel.org/stable/c/e1b144aebe6fb898d96ced8c990d7aa38fda4a7a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38120","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo_avx2: fix initial map fill\n\nIf the first field doesn't cover the entire start map, then we must zero\nout the remainder, else we leak those bits into the next match round map.\n\nThe early fix was incomplete and did only fix up the generic C\nimplementation.\n\nA followup patch adds a test case to 
nft_concat_range.sh.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00046,"ranking_epss":0.14347,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/251496ce1728c9fd47bd2b20a7b21b20b9a020ca","https://git.kernel.org/stable/c/39bab2d3517b5b50c609b4f8c66129bf619fffa0","https://git.kernel.org/stable/c/8068e1e42b46518ce680dc6470bcd710efc3fa0a","https://git.kernel.org/stable/c/8164d0efaf370c425dc69a1e8216940d09e7de0c","https://git.kernel.org/stable/c/90bc7f5a244aadee4292b28098b7c98aadd4b3aa","https://git.kernel.org/stable/c/b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d","https://git.kernel.org/stable/c/ea77c397bff8b6d59f6d83dae1425b08f465e8b5","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38122","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngve: add missing NULL check for gve_alloc_pending_packet() in TX DQO\n\ngve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()\ndid not check for this case before dereferencing the returned pointer.\n\nAdd a missing NULL check to prevent a potential NULL pointer\ndereference when allocation fails.\n\nThis improves robustness in low-memory 
scenarios.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12c331b29c7397ac3b03584e12902990693bc248","https://git.kernel.org/stable/c/2e5ead9e4e91fbe7799bd38afd8904543be1cb51","https://git.kernel.org/stable/c/7f6265fce3bd424ded666481b37f106d7915fb6b","https://git.kernel.org/stable/c/a0319c9b1648a67511e947a596ca86888451c0a7","https://git.kernel.org/stable/c/ae98a1787fdcb0096d122bc80d93c3c7d812c04b","https://git.kernel.org/stable/c/c741a7ef68023ac800054e2131c3e22e647fd7e3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38124","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix udp gso skb_segment after pull from frag_list\n\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don't\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\n\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause exception when splitting skbs by skb_segment. 
For detailed\ncall stack information, see below.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\n\nIn extreme cases they pull one part of data into skb linear. For UDP,\nthis  causes three payloads with lengths of (11,11,10) bytes were\npulled tail to become (12,10,10) bytes.\n\nThe skbs no longer meets the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb, it needs to be linearized before pass\nto regular skb_segment.\n\n    skb_segment+0xcd0/0xd14\n    __udp_gso_segment+0x334/0x5f4\n    udp4_ufo_fragment+0x118/0x15c\n    inet_gso_segment+0x164/0x338\n    skb_mac_gso_segment+0xc4/0x13c\n    __skb_gso_segment+0xc4/0x124\n    validate_xmit_skb+0x9c/0x2c0\n    validate_xmit_skb_list+0x4c/0x80\n    sch_direct_xmit+0x70/0x404\n    __dev_queue_xmit+0x64c/0xe5c\n    neigh_resolve_output+0x178/0x1c4\n    ip_finish_output2+0x37c/0x47c\n    __ip_finish_output+0x194/0x240\n    ip_finish_output+0x20/0xf4\n    ip_output+0x100/0x1a0\n    NF_HOOK+0xc4/0x16c\n    ip_forward+0x314/0x32c\n    ip_rcv+0x90/0x118\n    __netif_receive_skb+0x74/0x124\n    process_backlog+0xe8/0x1a4\n    __napi_poll+0x5c/0x1f8\n    net_rx_action+0x154/0x314\n    handle_softirqs+0x154/0x4b8\n\n    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!\n    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000\n    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)\n    [118.470848] [C201134] 
rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e65f38bd1aa14ea86e221b7bb814d38278d86c3","https://git.kernel.org/stable/c/3382a1ed7f778db841063f5d7e317ac55f9e7f72","https://git.kernel.org/stable/c/4399f59a9467a324ed46657555f0e1f209a14acb","https://git.kernel.org/stable/c/85eef1748c024da1a191aed56b30a3a65958c50c","https://git.kernel.org/stable/c/a04302867094bdc6efac1b598370fc47cf3f2388","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38126","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring timestamping\n\nThe stmmac platform drivers that do not open-code the clk_ptp_rate value\nafter having retrieved the default one from the device-tree can end up\nwith 0 in clk_ptp_rate (as clk_get_rate can return 0). 
It will\neventually propagate up to PTP initialization when bringing up the\ninterface, leading to a divide by 0:\n\n Division by zero in kernel.\n CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22\n Hardware name: STM32 (Device Tree Support)\n Call trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x6c/0x8c\n  dump_stack_lvl from Ldiv0_64+0x8/0x18\n  Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4\n  stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c\n  stmmac_hw_setup from __stmmac_open+0x18c/0x434\n  __stmmac_open from stmmac_open+0x3c/0xbc\n  stmmac_open from __dev_open+0xf4/0x1ac\n  __dev_open from __dev_change_flags+0x1cc/0x224\n  __dev_change_flags from dev_change_flags+0x24/0x60\n  dev_change_flags from ip_auto_config+0x2e8/0x11a0\n  ip_auto_config from do_one_initcall+0x84/0x33c\n  do_one_initcall from kernel_init_freeable+0x1b8/0x214\n  kernel_init_freeable from kernel_init+0x24/0x140\n  kernel_init from ret_from_fork+0x14/0x28\n Exception stack(0xe0815fb0 to 0xe0815ff8)\n\nPrevent this division by 0 by adding an explicit check and error log\nabout the actual issue. 
While at it, remove the same check from\nstmmac_ptp_register, which then becomes duplicate","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/030ce919e114a111e83b7976ecb3597cefd33f26","https://git.kernel.org/stable/c/32af9c289234990752281c805500dfe03c5b2b8f","https://git.kernel.org/stable/c/379cd990dfe752b38fcf46034698a9a150626c7a","https://git.kernel.org/stable/c/b263088ee8ab14563817a8be3519af8e25225793","https://git.kernel.org/stable/c/bb033c6781ce1b0264c3993b767b4aa9021959c2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38113","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Fix NULL pointer dereference when nosmp is used\n\nWith nosmp in cmdline, other CPUs are not brought up, leaving\ntheir cpc_desc_ptr NULL. 
CPU0's iteration via for_each_possible_cpu()\ndereferences these NULL pointers, causing panic.\n\nPanic backtrace:\n\n[    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8\n...\n[    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4\n...\nKernel panic - not syncing: Attempted to kill init!\n\n[ rjw: New subject ]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12","https://git.kernel.org/stable/c/1a677d0ceb4a5d62117b711a8b2e0aee80d33015","https://git.kernel.org/stable/c/32a48db4cf28ea087214c261da8476db218d08bd","https://git.kernel.org/stable/c/356d09c7f5bf525086002a34f8bae40b134d1611","https://git.kernel.org/stable/c/c6dad167aade4bf0bef9130f2f149f4249fc4ad0","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38115","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: fix a potential crash on gso_skb handling\n\nSFQ has an assumption of always being able to queue at least one packet.\n\nHowever, after the blamed commit, sch->q.len can be inflated by packets\nin sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed\nby an immediate drop.\n\nFix sfq_drop() to properly clear q->tail in this situation.\n\n\nip netns add lb\nip link add dev to-lb type veth peer name in-lb netns lb\nethtool -K to-lb tso off                 # force qdisc to requeue gso_skb\nip netns exec lb ethtool -K in-lb gro on # enable NAPI\nip link set dev to-lb up\nip -netns lb link set dev in-lb up\nip addr add dev to-lb 192.168.20.1/24\nip -netns lb addr add dev in-lb 192.168.20.2/24\ntc qdisc replace dev to-lb root sfq limit 100\n\nip netns exec lb 
netserver\n\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72","https://git.kernel.org/stable/c/82448d4dcd8406dec688632a405fdcf7f170ec69","https://git.kernel.org/stable/c/82ffbe7776d0ac084031f114167712269bf3d832","https://git.kernel.org/stable/c/9c19498bdd7cb9d854bd3c54260f71cf7408495e","https://git.kernel.org/stable/c/b44f791f27b14c9eb6b907fbe51f2ba8bec32085","https://git.kernel.org/stable/c/b4e9bab6011b9559b7c157b16b91ae46d4d8c533","https://git.kernel.org/stable/c/c337efb20d6d9f9bbb4746f6b119917af5c886dc","https://git.kernel.org/stable/c/d1bc80da75c789f2f6830df89d91fb2f7a509943","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38118","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete\n\nThis reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to\navoid crashes like bellow:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\nRead of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341\n\nCPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n 
print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\n hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 5987:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252\n mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279\n remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x548/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5989:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object 
mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2380 [inline]\n slab_free mm/slub.c:4642 [inline]\n kfree+0x18e/0x440 mm/slub.c:4841\n mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242\n mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314\n __sys_bind_socket net/socket.c:1810 [inline]\n __sys_bind+0x2c3/0x3e0 net/socket.c:1841\n __do_sys_bind net/socket.c:1846 [inline]\n __se_sys_bind net/socket.c:1844 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1844\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/32aa2fbe319f33b0318ec6f4fceb63879771a286","https://git.kernel.org/stable/c/3c9aba9cbdf163e2654be9f82d43ff8a04273962","https://git.kernel.org/stable/c/9df3e5e7f7e4653fd9802878cedc36defc5ef42d","https://git.kernel.org/stable/c/9f66b6531c2b4e996bb61720ee94adb4b2e8d1be","https://git.kernel.org/stable/c/e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38119","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: ufs: Fix a hang in the error handler\n\nufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter\nfunction can only succeed if UFSHCD_EH_IN_PROGRESS is not set because\nresuming involves submitting a SCSI command and ufshcd_queuecommand()\nreturns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. 
Fix this\nhang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has\nbeen called instead of before.\n\nBacktrace:\n__switch_to+0x174/0x338\n__schedule+0x600/0x9e4\nschedule+0x7c/0xe8\nschedule_timeout+0xa4/0x1c8\nio_schedule_timeout+0x48/0x70\nwait_for_common_io+0xa8/0x160 //waiting on START_STOP\nwait_for_completion_io_timeout+0x10/0x20\nblk_execute_rq+0xe4/0x1e4\nscsi_execute_cmd+0x108/0x244\nufshcd_set_dev_pwr_mode+0xe8/0x250\n__ufshcd_wl_resume+0x94/0x354\nufshcd_wl_runtime_resume+0x3c/0x174\nscsi_runtime_resume+0x64/0xa4\nrpm_resume+0x15c/0xa1c\n__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing\nufshcd_err_handler+0x1a0/0xd08\nprocess_one_work+0x174/0x808\nworker_thread+0x15c/0x490\nkthread+0xf4/0x1ec\nret_from_fork+0x10/0x20\n\n[ bvanassche: rewrote patch description ]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00046,"ranking_epss":0.14347,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/21f071261f946c5ca1adf378f818082a112b34d2","https://git.kernel.org/stable/c/3464a707d137efc8aea1d4ae234d26a28d82b78c","https://git.kernel.org/stable/c/8a3514d348de87a9d5e2ac00fbac4faae0b97996","https://git.kernel.org/stable/c/bb37f795d01961286b8f768a6d7152f32b589067","https://git.kernel.org/stable/c/ded80255c59a57cd3270d98461f6508730f9767c","https://git.kernel.org/stable/c/f210ea4e7a790c9f5e613e5302175abd539fe9d5","https://git.kernel.org/stable/c/f592eb12b43f21dbc972cbe583a12d256901e569","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38107","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: 
lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00024,"ranking_epss":0.06315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c","https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3","https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f","https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f","https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb","https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b","https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38108","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: red: fix a race in __red_change()\n\nGerrard Tai reported a race condition in RED, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: 
qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00024,"ranking_epss":0.06315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98","https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493","https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e","https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb","https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1","https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8","https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414","https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38111","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like 'mdio-tools' to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this 
excludes this access from any statistics, it improves security of\nread/write operation.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e","https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f","https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4","https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb","https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262","https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4","https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38112","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix TOCTOU issue in sk_is_readable()\n\nsk->sk_prot->sock_is_readable is a valid function pointer when sk resides\nin a sockmap. After the last sk_psock_put() (which usually happens when\nsocket is removed from sockmap), sk->sk_prot gets restored and\nsk->sk_prot->sock_is_readable becomes NULL.\n\nThis makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded\nafter the initial check. 
Which in turn may lead to a null pointer\ndereference.\n\nEnsure the function pointer does not turn NULL after the check.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00034,"ranking_epss":0.10012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b367ba2f94251822577daed031d6b9a9e11ba91","https://git.kernel.org/stable/c/1e0de7582ceccbdbb227d4e0ddf65732f92526da","https://git.kernel.org/stable/c/2660a544fdc0940bba15f70508a46cf9a6491230","https://git.kernel.org/stable/c/6fa68d7eab34d448a61aa24ea31e68b3231ed20d","https://git.kernel.org/stable/c/8926a7ef1977a832dd6bf702f1a99303dbf15b15","https://git.kernel.org/stable/c/c2b26638476baee154920bb587fc94ff1bf04336","https://git.kernel.org/stable/c/ff55c85a923e043d59d26b20a673a1b4a219c310","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38097","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: remove encap socket caching to avoid reference leak\n\nThe current scheme for caching the encap socket can lead to reference\nleaks when we try to delete the netns.\n\nThe reference chain is: xfrm_state -> enacp_sk -> netns\n\nSince the encap socket is a userspace socket, it holds a reference on\nthe netns. If we delete the espintcp state (through flush or\nindividual delete) before removing the netns, the reference on the\nsocket is dropped and the netns is correctly deleted. 
Otherwise, the\nnetns may not be reachable anymore (if all processes within the ns\nhave terminated), so we cannot delete the xfrm state to drop its\nreference on the socket.\n\nThis patch results in a small (~2% in my tests) performance\nregression.\n\nA GC-type mechanism could be added for the socket cache, to clear\nreferences if the state hasn't been used \"recently\", but it's a lot\nmore complex than just not caching the socket.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/028363685bd0b7a19b4a820f82dd905b1dc83999","https://git.kernel.org/stable/c/74fd327767fb784c5875cf7c4ba1217f26020943","https://git.kernel.org/stable/c/9cbca30102028f9ad3d2098f935c4368f581fd07","https://git.kernel.org/stable/c/b58a295d10065960bcb9d60cb8ca6ead9837cd27","https://git.kernel.org/stable/c/e4cde54b46a87231c77256a633be1bef62687d69","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38100","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/iopl: Cure TIF_IO_BITMAP inconsistencies\n\nio_bitmap_exit() is invoked from exit_thread() when a task exists or\nwhen a fork fails. In the latter case the exit_thread() cleans up\nresources which were allocated during fork().\n\nio_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up\nin tss_update_io_bitmap(). tss_update_io_bitmap() operates on the\ncurrent task. If current has TIF_IO_BITMAP set, but no bitmap installed,\ntss_update_io_bitmap() crashes with a NULL pointer dereference.\n\nThere are two issues, which lead to that problem:\n\n  1) io_bitmap_exit() should not invoke task_update_io_bitmap() when\n     the task, which is cleaned up, is not the current task. 
That's a\n     clear indicator for a cleanup after a failed fork().\n\n  2) A task should not have TIF_IO_BITMAP set and neither a bitmap\n     installed nor IOPL emulation level 3 activated.\n\n     This happens when a kernel thread is created in the context of\n     a user space thread, which has TIF_IO_BITMAP set as the thread\n     flags are copied and the IO bitmap pointer is cleared.\n\n     Other than in the failed fork() case this has no impact because\n     kernel threads including IO workers never return to user space and\n     therefore never invoke tss_update_io_bitmap().\n\nCure this by adding the missing cleanups and checks:\n\n  1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if\n     the to be cleaned up task is not the current task.\n\n  2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user\n     space forks it is set later, when the IO bitmap is inherited in\n     io_bitmap_share().\n\nFor paranoia sake, add a warning into tss_update_io_bitmap() to catch\nthe case, when that code is invoked with inconsistent 
state.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe","https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08","https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c","https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d","https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220","https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c","https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38102","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n  RIP: 0010:try_grab_folio+0x106/0x130\n  Call Trace:\n   <TASK>\n   follow_huge_pmd+0x240/0x8e0\n   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n   follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n   follow_page_mask+0x1c2/0x1f0\n   __get_user_pages+0x176/0x950\n   __gup_longterm_locked+0x15b/0x1060\n   ? 
gup_fast+0x120/0x1f0\n   gup_fast_fallback+0x17e/0x230\n   get_user_pages_fast+0x5f/0x80\n   vmci_host_unlocked_ioctl+0x21c/0xf80\n  RIP: 0033:0x54d2cd\n  ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context->notify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and leads to the following\ntry_grab_folio warning. The race condition is shown as follows:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd  // update &context->notify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context->notify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo solve this, use local variable page to make notify_page can be seen\nafter finish 
get_user_pages_fast.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00024,"ranking_epss":0.06315,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c","https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4","https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca","https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774","https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4","https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c","https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9","https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38103","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. 
This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1df80d748f984290c895e843401824215dcfbfb0","https://git.kernel.org/stable/c/41827a2dbdd7880df9881506dee13bc88d4230bb","https://git.kernel.org/stable/c/485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf","https://git.kernel.org/stable/c/4fa7831cf0ac71a0a345369d1a6084f2b096e55e","https://git.kernel.org/stable/c/74388368927e9c52a69524af5bbd6c55eb4690de","https://git.kernel.org/stable/c/7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b","https://git.kernel.org/stable/c/a8f842534807985d3a676006d140541b87044345","https://git.kernel.org/stable/c/fe7f7ac8e0c708446ff017453add769ffc15deed","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-07-03T09:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38095","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: insert memory barrier before updating num_fences\n\nsmp_store_mb() inserts memory barrier after storing operation.\nIt is different with what the comment is originally aiming so Null\npointer dereference can be happened if memory update is 
reordered.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08680c4dadc6e736c75bc2409d833f03f9003c51","https://git.kernel.org/stable/c/3becc659f9cb76b481ad1fb71f54d5c8d6332d3f","https://git.kernel.org/stable/c/72c7d62583ebce7baeb61acce6057c361f73be4a","https://git.kernel.org/stable/c/90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f","https://git.kernel.org/stable/c/c9d2b9a80d06a58f37e0dc8c827075639b443927","https://git.kernel.org/stable/c/d0b7f11dd68b593bd970e5735be00e8d89bace30","https://git.kernel.org/stable/c/fe1bebd0edb22e3536cbc920ec713331d1367ad4","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-03T08:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38094","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cadence: macb: Fix a possible deadlock in macb_halt_tx.\n\nThere is a situation where after THALT is set high, TGO stays high as\nwell. 
Because jiffies are never updated, as we are in a context with\ninterrupts disabled, we never exit that loop and have a deadlock.\n\nThat deadlock was noticed on a sama5d4 device that stayed locked for days.\n\nUse retries instead of jiffies so that the timeout really works and we do\nnot have a deadlock anymore.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0003,"ranking_epss":0.08592,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d","https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4","https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48","https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2","https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37","https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7","https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-07-03T08:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-32463","summary":"Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"epss":0.38489,"ranking_epss":0.97218,"kev":true,"propose_action":"Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. 
This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.","ransomware_campaign":"Unknown","references":["https://access.redhat.com/security/cve/cve-2025-32463","https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463","https://explore.alas.aws.amazon.com/CVE-2025-32463.html","https://security-tracker.debian.org/tracker/CVE-2025-32463","https://ubuntu.com/security/notices/USN-7604-1","https://www.openwall.com/lists/oss-security/2025/06/30/3","https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-know-about-cve-2025-32462-and-cve-2025-32463/","https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot","https://www.sudo.ws/releases/changelog/","https://www.sudo.ws/security/advisories/","https://www.sudo.ws/security/advisories/chroot_bug/","https://www.suse.com/security/cve/CVE-2025-32463.html","https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/","https://www.vicarius.io/vsociety/posts/cve-2025-32463-detect-sudo-vulnerability","https://www.vicarius.io/vsociety/posts/cve-2025-32463-mitigate-sudo-vulnerability","https://iototsecnews.jp/2025/07/01/linux-sudo-chroot-vulnerability-enables-hackers-to-elevate-privileges-to-root/","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32463"],"published_time":"2025-06-30T21:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38088","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap\n\nmemtrace mmap issue has an out of bounds issue. 
This patch fixes the by\nchecking that the requested mapping region size should stay within the\nallocated region size.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00026,"ranking_epss":0.07192,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/620b77b23c41a6546e5548ffe2ea3ad71880dde4","https://git.kernel.org/stable/c/81260c41b518b6f32c701425f1427562fa92f293","https://git.kernel.org/stable/c/8635e325b85dfb9ddebdfaa6b5605d40d16cd147","https://git.kernel.org/stable/c/9c340b56d60545e4a159e41523dd8b23f81d3261","https://git.kernel.org/stable/c/bbd5a9ddb0f9750783a48a871c9e12c0b68c5f39","https://git.kernel.org/stable/c/cd097df4596f3a1e9d75eb8520162de1eb8485b2","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-30T08:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38090","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/rapidio/rio_cm.c: prevent possible heap overwrite\n\nIn\n\nriocm_cdev_ioctl(RIO_CM_CHAN_SEND)\n   -> cm_chan_msg_send()\n      -> riocm_ch_send()\n\ncm_chan_msg_send() checks that userspace didn't send too much data but\nriocm_ch_send() failed to check that userspace sent sufficient data.  
The\nresult is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr\nwhich were outside the bounds of the space which cm_chan_msg_send()\nallocated.\n\nAddress this by teaching riocm_ch_send() to check that the entire\nrio_ch_chan_hdr was copied in from userspace.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1921781ec4a8824bd0c520bf9363e28a880d14ec","https://git.kernel.org/stable/c/1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53","https://git.kernel.org/stable/c/50695153d7ddde3b1696dbf0085be0033bf3ddb3","https://git.kernel.org/stable/c/58f664614f8c3d6142ab81ae551e466dc6e092e8","https://git.kernel.org/stable/c/6d5c6711a55c35ce09b90705546050408d9d4b61","https://git.kernel.org/stable/c/a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6","https://git.kernel.org/stable/c/c03ddc183249f03fc7e057e02cae6f89144d0123","https://git.kernel.org/stable/c/ecf5ee280b702270afb02f61b299d3dfe3ec7730","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-30T08:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38085","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process.  
While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00032,"ranking_epss":0.09031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f","https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d","https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec","https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185","https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9","https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b","https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8","https://project-zero.issues.chromium.org/issues/420715744","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-28T08:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38086","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n        if (err == size) {\n                memcpy(data, buf, size);\n        }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. 
Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n        return (buff[0] | buff[1] << 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuninit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00041,"ranking_epss":0.1257,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b","https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2","https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd","https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c","https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9","https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21","https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f","https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-28T08:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38084","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops->may_split().  
This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens.  At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n    - mmap lock (exclusively)\n    - VMA lock\n    - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n   call us with only the mmap lock held (in shared mode), but currently\n   only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: 
v2]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10018,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0","https://git.kernel.org/stable/c/2511ac64bc1617ca716d3ba8464e481a647c1902","https://git.kernel.org/stable/c/366298f2b04d2bf1f2f2b7078405bdf9df9bd5d0","https://git.kernel.org/stable/c/8a21d5584826f4880f45bbf8f72375f4e6c0ff2a","https://git.kernel.org/stable/c/9cf5b2a3b72c23fb7b84736d5d19ee6ea718762b","https://git.kernel.org/stable/c/af6cfcd0efb7f051af221c418ec8b37a10211947","https://git.kernel.org/stable/c/e8847d18cd9fff1edbb45e963d9141273c3b539c","https://project-zero.issues.chromium.org/issues/420715744","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-28T08:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2014-7210","summary":"pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. 
Other backends\nare not affected.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00108,"ranking_epss":0.29186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2016/05/msg00046.html","https://salsa.debian.org/debian/pdns/-/commit/f0de6b3583039bb63344fbd5eb246939264d7b05"],"published_time":"2025-06-26T21:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38083","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: prio: fix a race in prio_tune()\n\nGerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the 
lock.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00034,"ranking_epss":0.10012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f","https://git.kernel.org/stable/c/3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4","https://git.kernel.org/stable/c/4483d8b9127591c60c4eb789d6cab953bc4522a9","https://git.kernel.org/stable/c/46c15c9d0f65c9ba857d63f53264f4b17e8a715f","https://git.kernel.org/stable/c/53d11560e957d53ee87a0653d258038ce12361b7","https://git.kernel.org/stable/c/93f9eeb678d4c9c1abf720b3615fa8299a490845","https://git.kernel.org/stable/c/d35acc1be3480505b5931f17e4ea9b7617fea4d3","https://git.kernel.org/stable/c/e3f6745006dc9423d2b065b90f191cfa11b1b584","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-20T12:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38077","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()\n\nIf the 'buf' array received from the user contains an empty string, the\n'length' variable will be zero. 
Accessing the 'buf' array element with\nindex 'length - 1' will result in a buffer overflow.\n\nAdd a check for an empty string.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.0614,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4e89a4077490f52cde652d17e32519b666abf3a6","https://git.kernel.org/stable/c/60bd13f8c4b3de2c910ae1cdbef85b9bbc9685f5","https://git.kernel.org/stable/c/8594a123cfa23d708582dc6fb36da34479ef8a5b","https://git.kernel.org/stable/c/97066373ffd55bd9af0b512ff3dd1f647620a3dc","https://git.kernel.org/stable/c/f86465626917df3b8bdd2756ec0cc9d179c5af0f","https://git.kernel.org/stable/c/fb7cde625872709b8cedad9b241e0ec3d82fa7d3","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38078","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix race of buffer access at PCM OSS layer\n\nThe PCM OSS layer tries to clear the buffer with the silence data at\ninitialization (or reconfiguration) of a stream with the explicit call\nof snd_pcm_format_set_silence() with runtime->dma_area.  
But this may\nlead to a UAF because the accessed runtime->dma_area might be freed\nconcurrently, as it's performed outside the PCM ops.\n\nFor avoiding it, move the code into the PCM core and perform it inside\nthe buffer access lock, so that it won't be changed during the\noperation.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00023,"ranking_epss":0.06244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10217da9644ae75cea7330f902c35fc5ba78bbbf","https://git.kernel.org/stable/c/74d90875f3d43f3eff0e9861c4701418795d3455","https://git.kernel.org/stable/c/8170d8ec4efd0be352c14cb61f374e30fb0c2a25","https://git.kernel.org/stable/c/93a81ca0657758b607c3f4ba889ae806be9beb73","https://git.kernel.org/stable/c/afa56c960fcb4db37f2e3399f28e9402e4e1f470","https://git.kernel.org/stable/c/bf85e49aaf3a3c5775ea87369ea5f159c2148db4","https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f","https://git.kernel.org/stable/c/f3e14d706ec18faf19f5a6e75060e140fea05d4a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38079","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. 
However, it is also freed in af_alg_release,\nleading to slab-use-after-free error.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0346f4b742345d1c733c977f3a7aef5a6419a967","https://git.kernel.org/stable/c/134daaba93193df9e988524b5cd2f52d15eb1993","https://git.kernel.org/stable/c/2f45a8d64fb4ed4830a4b3273834ecd6ca504896","https://git.kernel.org/stable/c/5bff312b59b3f2a54ff504e4f4e47272b64f3633","https://git.kernel.org/stable/c/b2df03ed4052e97126267e8c13ad4204ea6ba9b6","https://git.kernel.org/stable/c/bf7bba75b91539e93615f560893a599c1e1c98bf","https://git.kernel.org/stable/c/c3059d58f79fdfb2201249c2741514e34562b547","https://git.kernel.org/stable/c/f0f3d09f53534ea385d55ced408f2b67059b16e4","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38071","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Check return value from memblock_phys_alloc_range()\n\nAt least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of\ncontiguous free memory available at this point, the kernel will crash\nand burn because memblock_phys_alloc_range() returns 0 on failure,\nwhich leads memblock_phys_free() to throw the first 4 MiB of physical\nmemory to the wolves.\n\nAt a minimum it should fail gracefully with a meaningful diagnostic,\nbut in fact everything seems to work fine without the weird 
reserve\nallocation.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.0833,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/631ca8909fd5c62b9fda9edda93924311a78a9c4","https://git.kernel.org/stable/c/8c18c904d301ffeb33b071eadc55cd6131e1e9be","https://git.kernel.org/stable/c/bffd5f2815c5234d609725cd0dc2f4bc5de2fc67","https://git.kernel.org/stable/c/c6f2694c580c27dca0cf7546ee9b4bfa6b940e38","https://git.kernel.org/stable/c/dde4800d2b0f68b945fd81d4fc2d4a10ae25f743","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38072","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibnvdimm/labels: Fix divide error in nd_label_data_init()\n\nIf a faulty CXL memory device returns a broken zero LSA size in its\nmemory device information (Identify Memory Device (Opcode 4000h), CXL\nspec. 
3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm\ndriver:\n\n Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]\n\nCode and flow:\n\n1) CXL Command 4000h returns LSA size = 0\n2) config_size is assigned to zero LSA size (CXL pmem driver):\n\ndrivers/cxl/pmem.c:             .config_size = mds->lsa_size,\n\n3) max_xfer is set to zero (nvdimm driver):\n\ndrivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);\n\n4) A subsequent DIV_ROUND_UP() causes a division by zero:\n\ndrivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */\ndrivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,\ndrivers/nvdimm/label.c-                 config_size);\n\nFix this by checking the config size parameter by extending an\nexisting check.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d1e1efad1cf049e888bf175a5c6be85d792620c","https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca","https://git.kernel.org/stable/c/396c46d3f59a18ebcc500640e749f16e197d472b","https://git.kernel.org/stable/c/db1aef51b8e66a77f76b1250b914589c31a0a0ed","https://git.kernel.org/stable/c/e14347f647ca6d76fe1509b6703e340f2d5e2716","https://git.kernel.org/stable/c/ea3d95e05e97ea20fd6513f647393add16fce3b2","https://git.kernel.org/stable/c/ef1d3455bbc1922f94a91ed58d3d7db440652959","https://git.kernel.org/stable/c/f49c337037df029440a8390380dd35d2cf5924d3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38074","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect 
vq->log_used with vq->mutex\n\nThe vhost-scsi completion path may access vq->log_base when vq->log_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-> vhost_add_used()\n   -> vhost_add_used_n()\n      if (unlikely(vq->log_used))\n                                      QEMU disables vq->log_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(&vq->mutex);\n                                      vq->log_used = false now!\n                                      mutex_unlock(&vq->mutex);\n\n\t\t\t\t      QEMU gfree(vq->log_base)\n        log_used()\n        -> log_write(vq->log_base)\n\nAssuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117","https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f","https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd","https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427","https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834","https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c","https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38075","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix 
timeout on deleted connection\n\nNOPIN response timer may expire on a deleted connection and crash with\nsuch logs:\n\nDid not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d\n\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nNIP  strlcpy+0x8/0xb0\nLR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]\nCall Trace:\n iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]\n call_timer_fn+0x58/0x1f0\n run_timer_softirq+0x740/0x860\n __do_softirq+0x16c/0x420\n irq_exit+0x188/0x1c0\n timer_interrupt+0x184/0x410\n\nThat is because nopin response timer may be re-started on nopin timer\nexpiration.\n\nStop nopin timer before stopping the nopin response timer to be sure\nthat no one of them will be re-started.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/019ca2804f3fb49a7f8e56ea6aeaa1ff32724c27","https://git.kernel.org/stable/c/2c5081439c7ab8da08427befe427f0d732ebc9f9","https://git.kernel.org/stable/c/3e6429e3707943078240a2c0c0b3ee99ea9b0d9c","https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35","https://git.kernel.org/stable/c/6815846e0c3a62116a7da9740e3a7c10edc5c7e9","https://git.kernel.org/stable/c/7f533cc5ee4c4436cee51dc58e81dfd9c3384418","https://git.kernel.org/stable/c/87389bff743c55b6b85282de91109391f43e0814","https://git.kernel.org/stable/c/fe8421e853ef289e1324fcda004751c89dd9c18a","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38062","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/msi: Store the IOMMU IOVA directly in msi_desc instead of 
iommu_cookie\n\nThe IOMMU translation for MSI message addresses has been a 2-step process,\nseparated in time:\n\n 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address\n    is stored in the MSI descriptor when an MSI interrupt is allocated.\n\n 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a\n    translated message address.\n\nThis has an inherent lifetime problem for the pointer stored in the cookie\nthat must remain valid between the two steps. However, there is no locking\nat the irq layer that helps protect the lifetime. Today, this works under\nthe assumption that the iommu domain is not changed while MSI interrupts\nbeing programmed. This is true for normal DMA API users within the kernel,\nas the iommu domain is attached before the driver is probed and cannot be\nchanged while a driver is attached.\n\nClassic VFIO type1 also prevented changing the iommu domain while VFIO was\nrunning as it does not support changing the \"container\" after starting up.\n\nHowever, iommufd has improved this so that the iommu domain can be changed\nduring VFIO operation. This potentially allows userspace to directly race\nVFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and\nVFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).\n\nThis potentially causes both the cookie pointer and the unlocked call to\niommu_get_domain_for_dev() on the MSI translation path to become UAFs.\n\nFix the MSI cookie UAF by removing the cookie pointer. 
The translated IOVA\naddress is already known during iommu_dma_prepare_msi() and cannot change.\nThus, it can simply be stored as an integer in the MSI descriptor.\n\nThe other UAF related to iommu_get_domain_for_dev() will be addressed in\npatch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by\nusing the IOMMU group mutex.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746","https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524","https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384","https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330","https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38063","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix unconditional IO throttle caused by REQ_PREFLUSH\n\nWhen a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()\ngenerates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,\nwhich causes the flush_bio to be throttled by wbt_wait().\n\nAn example from v5.4, similar problem also exists in upstream:\n\n    crash> bt 2091206\n    PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"\n     #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8\n     #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4\n     #2 [ffff800084a2f880] schedule at ffff800040bfa4b4\n     #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4\n     #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc\n     #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0\n     #6 [ffff800084a2f9a0] __rq_qos_throttle at 
ffff800040592254\n     #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38\n     #8 [ffff800084a2fa60] generic_make_request at ffff800040570138\n     #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4\n    #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]\n    #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]\n    #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]\n    #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]\n    #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]\n    #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]\n    #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08\n    #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc\n    #18 [ffff800084a2fe70] kthread at ffff800040118de4\n\nAfter commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"),\nthe metadata submitted by xlog_write_iclog() should not be throttled.\nBut due to the existence of the dm layer, throttling flush_bio indirectly\ncauses the metadata bio to be throttled.\n\nFix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes\nwbt_should_throttle() return false to avoid wbt_wait().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.0833,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2858cda9a8d95e6deee7e3b0a26adde696a9a4f5","https://git.kernel.org/stable/c/52aa28f7b1708d76e315d78b5ed397932a1a97c3","https://git.kernel.org/stable/c/88f7f56d16f568f19e1a695af34a7f4a6ce537a6","https://git.kernel.org/stable/c/95d08924335f3b6f4ea0b92ebfe4fe0731c502d9","https://git.kernel.org/stable/c/b55a97d1bd4083729a60d19beffe85d4c96680de","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38065","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\norangefs: Do not truncate file size\n\n'len' is used to store the result of i_size_read(), so making 'len'\na size_t results in truncation to 4GiB on 32-bit systems.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/062e8093592fb866b8e016641a8b27feb6ac509d","https://git.kernel.org/stable/c/121f0335d91e46369bf55b5da4167d82b099a166","https://git.kernel.org/stable/c/15602508ad2f923e228b9521960b4addcd27d9c4","https://git.kernel.org/stable/c/2323b806221e6268a4e17711bc72e2fc87c191a3","https://git.kernel.org/stable/c/341e3a5984cf5761f3dab16029d7e9fb1641d5ff","https://git.kernel.org/stable/c/5111227d7f1f57f6804666b3abf780a23f44fc1d","https://git.kernel.org/stable/c/cd918ec24168fe08c6aafc077dd3b6d88364c5cf","https://git.kernel.org/stable/c/ceaf195ed285b77791e29016ee6344b3ded609b3","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38066","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduce steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n   with some mappings stored in the first array block of the mapping\n   array. 
Here we use cache_restore v1.0 to build the metadata.\n\ncat <<EOF >> cmeta.xml\n<superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\\npolicy=\"smq\" hint_width=\"4\">\n  <mappings>\n    <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>\n  </mappings>\n</superblock>\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n   data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n   due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. 
An unexpected BUG_ON is triggered\n   while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.08381,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36","https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79","https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f","https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea","https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568","https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14","https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0","https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38067","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrseq: Fix segfault on registration when rseq_cs is non-zero\n\nThe rseq_cs field is documented as being set to 0 by user-space prior to\nregistration, however this is not currently enforced by the kernel. 
This\ncan result in a segfault on return to user-space if the value stored in\nthe rseq_cs field doesn't point to a valid struct rseq_cs.\n\nThe correct solution to this would be to fail the rseq registration when\nthe rseq_cs field is non-zero. However, some older versions of glibc\nwill reuse the rseq area of previous threads without clearing the\nrseq_cs field and will also terminate the process if the rseq\nregistration fails in a secondary thread. This wasn't caught in testing\nbecause in this case the leftover rseq_cs does point to a valid struct\nrseq_cs.\n\nWhat we can do is clear the rseq_cs field on registration when it's\nnon-zero which will prevent segfaults on registration and won't break\nthe glibc versions that reuse rseq areas on thread creation.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2df285dab00fa03a3ef939b6cb0d0d0aeb0791db","https://git.kernel.org/stable/c/3e4028ef31b69286c9d4878cee0330235f53f218","https://git.kernel.org/stable/c/48900d839a3454050fd5822e34be8d54c4ec9b86","https://git.kernel.org/stable/c/b2b05d0dc2f4f0646922068af435aed5763d16ba","https://git.kernel.org/stable/c/eaf112069a904b6207b4106ff083e0208232a2eb","https://git.kernel.org/stable/c/f004f58d18a2d3dc761cf973ad27b4a5997bd876","https://git.kernel.org/stable/c/fd881d0a085fc54354414aed990ccf05f282ba53","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38068","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns.  
It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write.  Use the safe interface in crypto/lzo.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0002,"ranking_epss":0.0541,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a","https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c","https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111","https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd","https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13","https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38058","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\n__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock\n\n... 
or we risk stealing final mntput from sync umount - raising mnt_count\nafter umount(2) has verified that victim is not busy, but before it\nhas set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see\nthat it's safe to quietly undo mnt_count increment and leaves dropping\nthe reference to caller, where it'll be a full-blown mntput().\n\nCheck under mount_lock is needed; leaving the current one done before\ntaking that makes no sense - it's nowhere near common enough to bother\nwith.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00027,"ranking_epss":0.07376,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/250cf3693060a5f803c5f1ddc082bb06b16112a9","https://git.kernel.org/stable/c/628fb00195ce21a90cf9e4e3d105cd9e58f77b40","https://git.kernel.org/stable/c/8cafd7266fa02e0863bacbf872fe635c0b9725eb","https://git.kernel.org/stable/c/9b0915e72b3cf52474dcee0b24a2f99d93e604a3","https://git.kernel.org/stable/c/b55996939c71a3e1a38f3cdc6a8859797efc9083","https://git.kernel.org/stable/c/b89eb56a378b7b2c1176787fc228d0a57172bdd5","https://git.kernel.org/stable/c/d8ece4ced3b051e656c77180df2e69e19e24edc1","https://git.kernel.org/stable/c/f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38061","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pktgen: fix access outside of user given buffer in pktgen_thread_write()\n\nHonour the user given buffer size for the strn_len() calls (otherwise\nstrn_len() will access memory outside of the user given 
buffer).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0003,"ranking_epss":0.08608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/128cdb617a87767c29be43e4431129942fce41df","https://git.kernel.org/stable/c/425e64440ad0a2f03bdaf04be0ae53dededbaa77","https://git.kernel.org/stable/c/5bfa81539e22af4c40ae5d43d7212253462383a6","https://git.kernel.org/stable/c/6b1d3e9db82d01a88de1795b879df67c2116b4f4","https://git.kernel.org/stable/c/8fef258b555c75a467a6b4b7e3a3cbc46d5f4102","https://git.kernel.org/stable/c/a3d89f1cfe1e6d4bb164db2595511fd33db21900","https://git.kernel.org/stable/c/c81c2ee1c3b050ed5c4e92876590cc7a259183f6","https://git.kernel.org/stable/c/ef1158a6a650ecee72ab40851b1d52e04d3f9cb5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38048","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_ring: Fix data race by tagging event_triggered as racy for KCSAN\n\nsyzbot reports a data-race when accessing the event_triggered, here is the\nsimplified stack when the issue occurred:\n\n==================================================================\nBUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed\n\nwrite to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:\n virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653\n start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3800 [inline]\n\nread to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:\n virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]\n virtqueue_disable_cb+0x92/0x180 
drivers/virtio/virtio_ring.c:2566\n skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777\n vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715\n __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158\n handle_irq_event_percpu kernel/irq/handle.c:193 [inline]\n\nvalue changed: 0x01 -> 0x00\n==================================================================\n\nWhen the data race occurs, the function virtqueue_enable_cb_delayed() sets\nevent_triggered to false, and virtqueue_disable_cb_split/packed() reads it\nas false due to the race condition. Since event_triggered is an unreliable\nhint used for optimization, this should only cause the driver to temporarily\nsuggest that the device not send an interrupt notification when the event\nindex is used.\n\nFix this KCSAN-reported data-race issue by explicitly tagging the access as\ndata_racy.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.0002,"ranking_epss":0.0535,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2","https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef","https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17","https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da","https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8","https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38051","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n 
==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  </TASK>\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  
iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 
2\n-----------------------------------\n---truncated---","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338","https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b","https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9","https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f","https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e","https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0","https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f","https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38052","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n  Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25\n\n  Call Trace:\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n   crypto_request_complete include/crypto/algapi.h:266\n   aead_request_complete include/crypto/internal/aead.h:85\n   cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772\n   crypto_request_complete include/crypto/algapi.h:266\n   cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181\n   process_one_work+0x9fb/0x1b60 
kernel/workqueue.c:3231\n\n  Allocated by task 8355:\n   kzalloc_noprof include/linux/slab.h:778\n   tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466\n   tipc_init_net+0x2dd/0x430 net/tipc/core.c:72\n   ops_init+0xb9/0x650 net/core/net_namespace.c:139\n   setup_net+0x435/0xb40 net/core/net_namespace.c:343\n   copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n   create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n   unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228\n   ksys_unshare+0x419/0x970 kernel/fork.c:3323\n   __do_sys_unshare kernel/fork.c:3394\n\n  Freed by task 63:\n   kfree+0x12a/0x3b0 mm/slub.c:4557\n   tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539\n   tipc_exit_net+0x8c/0x110 net/tipc/core.c:119\n   ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173\n   cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n   process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\nAfter the tipc_crypto tx is freed by deleting the namespace, tipc_aead_encrypt_done\nmay still visit it in the cryptd_queue_worker workqueue.\n\nI reproduce this issue by:\n  ip netns add ns1\n  ip link add veth1 type veth peer name veth2\n  ip link set veth1 netns ns1\n  ip netns exec ns1 tipc bearer enable media eth dev veth1\n  ip netns exec ns1 tipc node set key this_is_a_master_key master\n  ip netns exec ns1 tipc bearer disable media eth dev veth1\n  ip netns del ns1\n\nThe key to reproduction is that simd_aead_encrypt is interrupted, leading\nto crypto_simd_usable() returning false. 
Thus, the cryptd_queue_worker is\ntriggered, and the tipc_crypto tx will be visited.\n\n  tipc_disc_timeout\n    tipc_bearer_xmit_skb\n      tipc_crypto_xmit\n        tipc_aead_encrypt\n          crypto_aead_encrypt\n            // encrypt()\n            simd_aead_encrypt\n              // crypto_simd_usable() is false\n              child = &ctx->cryptd_tfm->base;\n\n  simd_aead_encrypt\n    crypto_aead_encrypt\n      // encrypt()\n      cryptd_aead_encrypt_enqueue\n        cryptd_aead_enqueue\n          cryptd_enqueue_request\n            // trigger cryptd_queue_worker\n            queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)\n\nFix this by holding net reference count before encrypt.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4a0fddc2c0d5c28aec8c262ad4603be0bef1938c","https://git.kernel.org/stable/c/689a205cd968a1572ab561b0c4c2d50a10e9d3b0","https://git.kernel.org/stable/c/b19fc1d0be3c3397e5968fe2627f22e7f84673b1","https://git.kernel.org/stable/c/b8fcae6d2e93c54cacb8f579a77d827c1c643eb5","https://git.kernel.org/stable/c/d42ed4de6aba232d946d20653a70f79158a6535b","https://git.kernel.org/stable/c/e279024617134c94fd3e37470156534d5f2b3472","https://git.kernel.org/stable/c/f5c2c4eaaa5a8e7e0685ec031d480e588e263e59","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38037","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Annotate FDB data races\n\nThe 'used' and 'updated' fields in the FDB entry structure can be\naccessed concurrently by multiple threads, leading to reports such as\n[1]. 
Can be reproduced using [2].\n\nSuppress these reports by annotating these accesses using\nREAD_ONCE() / WRITE_ONCE().\n\n[1]\nBUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit\n\nwrite to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:\n vxlan_xmit+0xb29/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:\n vxlan_xmit+0xadf/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000fffbac6e -> 0x00000000fffbac6f\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n\n[2]\n #!/bin/bash\n\n set +H\n echo whitelist > /sys/kernel/debug/kcsan\n echo !vxlan_xmit > /sys/kernel/debug/kcsan\n\n ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1\n taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &\n taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q 
&","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02a33b1035a307453a1da6ce0a1bf3676be287d7","https://git.kernel.org/stable/c/13cba3f837903f7184d6e9b6137d5165ffe82a8f","https://git.kernel.org/stable/c/4eceb7eae6ea7c950384c34e6dbbe872c981935f","https://git.kernel.org/stable/c/784b78295a3a58bf052339dd669e6e03710220d3","https://git.kernel.org/stable/c/87d076987a9ba106c83412fcd113656f71af05a1","https://git.kernel.org/stable/c/a6644aeb8ddf196dec5f8e782293c36f065df4d7","https://git.kernel.org/stable/c/e033da39fc6abbddab6c29624acef80757f273fa","https://git.kernel.org/stable/c/f6205f8215f12a96518ac9469ff76294ae7bd612","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38040","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mctrl_gpio: split disable_ms into sync and no_sync APIs\n\nThe following splat has been observed on a SAMA5D27 platform using\natmel_serial:\n\nBUG: sleeping function called from invalid context at kernel/irq/manage.c:738\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last  enabled at (0): [<00000000>] 0x0\nhardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec\nsoftirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec\nsoftirqs last disabled at (0): [<00000000>] 0x0\nCPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74\nHardware name: Atmel SAMA5\nWorkqueue: hci0 hci_power_on [bluetooth]\nCall trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x44/0x70\n  
dump_stack_lvl from __might_resched+0x38c/0x598\n  __might_resched from disable_irq+0x1c/0x48\n  disable_irq from mctrl_gpio_disable_ms+0x74/0xc0\n  mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4\n  atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8\n  atmel_set_termios from uart_change_line_settings+0x15c/0x994\n  uart_change_line_settings from uart_set_termios+0x2b0/0x668\n  uart_set_termios from tty_set_termios+0x600/0x8ec\n  tty_set_termios from ttyport_set_flow_control+0x188/0x1e0\n  ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]\n  wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]\n  hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]\n  hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]\n  hci_power_on [bluetooth] from process_one_work+0x998/0x1a38\n  process_one_work from worker_thread+0x6e0/0xfb4\n  worker_thread from kthread+0x3d4/0x484\n  kthread from ret_from_fork+0x14/0x28\n\nThis warning is emitted when trying to toggle, at the highest level,\nsome flow control (with serdev_device_set_flow_control) in a device\ndriver. At the lowest level, the atmel_serial driver is using\nserial_mctrl_gpio lib to enable/disable the corresponding IRQs\naccordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to\ndisable_irq (called in mctrl_gpio_disable_ms) being possibly called in\nsome atomic context (some tty drivers perform modem lines configuration\nin regions protected by port lock).\n\nSplit mctrl_gpio_disable_ms into two different APIs, a non-blocking one\nand a blocking one. 
Replace mctrl_gpio_disable_ms calls with the\nrelevant version depending on whether the call is protected by some port\nlock.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00029,"ranking_epss":0.0833,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bd2aad57da95f7f2d2bb52f7ad15c0f4993a685","https://git.kernel.org/stable/c/68435c1fa3db696db4f480385db9e50e26691d0d","https://git.kernel.org/stable/c/7187ec6b0b9ff22ebac2c3bb4178b7dbbdc0a55a","https://git.kernel.org/stable/c/c504c11b94d6e4ad818ca5578dffa8ff29ad0f20","https://git.kernel.org/stable/c/e6a46719a2369eb5186d4f7e6c0478720ca1ec3d","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38043","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Set dma_mask for ffa devices\n\nSet dma_mask for FFA devices, otherwise DMA allocation using the device pointer\nlead to following warning:\n\nWARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e62c803feec1ef5847d8fa47dd0de039abfa378","https://git.kernel.org/stable/c/3a3efeef64364c2a028cf0d03d68c831813a97fd","https://git.kernel.org/stable/c/97bab02f0b64ba6bcdf6a8fae561db07f509aee9","https://git.kernel.org/stable/c/c6aa1d6bd6ccff4ecdf064d288817657ec8532f0","https://git.kernel.org/stable/c/cc0aac7ca17e0ea3ca84b552fc79f3e86fd07f53","https://git.kernel.org/stable/c/e2de76c34a8a925efe80fccae4810427bc144ed0","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38044","summary":"In the 
Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx231xx: set device_caps for 417\n\nThe video_device for the MPEG encoder did not set device_caps.\n\nAdd this, otherwise the video device can't be registered (you get a\nWARN_ON instead).\n\nNot seen before since currently 417 support is disabled, but I found\nthis while experimenting with it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0003,"ranking_epss":0.08608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0884dd3abbe80307a2d4cbdbe5e312be164f8adb","https://git.kernel.org/stable/c/2ad41beb7df3bd63b209842d16765ec59dafe6e4","https://git.kernel.org/stable/c/4731d5328f507ae8fd8a57abbca9119ec7a8d665","https://git.kernel.org/stable/c/5c9eca180a4235abd56cc7f7308ca72128d93dce","https://git.kernel.org/stable/c/9d1a5be86dbe074bd8dd6bdd63a99d6bb66d5930","https://git.kernel.org/stable/c/a79efc44b51432490538a55b9753a721f7d3ea42","https://git.kernel.org/stable/c/c91447e35b9bea60bda4408c48e7891d14351021","https://git.kernel.org/stable/c/e43fd82bb2110bf9d13d800cdc49cceddfd0ede5","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38031","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). 
If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938","https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb","https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e","https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516","https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1","https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c","https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38034","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref\n\nbtrfs_prelim_ref() calls the old and new reference variables in the\nincorrect order. 
This causes a NULL pointer dereference because oldref\nis passed as NULL to trace_btrfs_prelim_ref_insert().\n\nNote, trace_btrfs_prelim_ref_insert() is being called with newref as\noldref (and oldref as NULL) on purpose in order to print out\nthe values of newref.\n\nTo reproduce:\necho 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable\n\nPerform some writeback operations.\n\nBacktrace:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130\n Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88\n RSP: 0018:ffffce44820077a0 EFLAGS: 00010286\n RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b\n RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010\n RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010\n R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000\n R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540\n FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  prelim_ref_insert+0x1c1/0x270\n  find_parent_nodes+0x12a6/0x1ee0\n  ? __entry_text_end+0x101f06/0x101f09\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? 
srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  btrfs_is_data_extent_shared+0x167/0x640\n  ? fiemap_process_hole+0xd0/0x2c0\n  extent_fiemap+0xa5c/0xbc0\n  ? __entry_text_end+0x101f05/0x101f09\n  btrfs_fiemap+0x7e/0xd0\n  do_vfs_ioctl+0x425/0x9d0\n  __x64_sys_ioctl+0x75/0xc0","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00034,"ranking_epss":0.10036,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0528bba48dce7820d2da72e1a114e1c4552367eb","https://git.kernel.org/stable/c/137bfa08c6441f324d00692d1e9d22cfd773329b","https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a","https://git.kernel.org/stable/c/7a97f961a568a8f72472dc804af02a0f73152c5f","https://git.kernel.org/stable/c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9","https://git.kernel.org/stable/c/a641154cedf9d69730f8af5d0a901fe86e6486bd","https://git.kernel.org/stable/c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79","https://git.kernel.org/stable/c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38035","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: don't restore null sk_state_change\n\nqueue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if\nthe TCP connection isn't established when nvmet_tcp_set_queue_sock() is\ncalled then queue->state_change isn't set and sock->sk->sk_state_change\nisn't replaced.\n\nAs such we don't need to restore sock->sk->sk_state_change if\nqueue->state_change is NULL.\n\nThis avoids NULL pointer dereferences such as this:\n\n[  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  286.462814][    C0] #PF: supervisor instruction fetch in 
kernel mode\n[  286.463796][    C0] #PF: error_code(0x0010) - not-present page\n[  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0\n[  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI\n[  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary)\n[  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[  286.467147][    C0] RIP: 0010:0x0\n[  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246\n[  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43\n[  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100\n[  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c\n[  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3\n[  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268\n[  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000\n[  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0\n[  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400\n[  286.475453][    C0] Call Trace:\n[  286.476102][    C0]  <IRQ>\n[  286.476719][    C0]  tcp_fin+0x2bb/0x440\n[  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60\n[  286.478174][    C0]  ? __build_skb_around+0x234/0x330\n[  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10\n[  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0\n[  286.481196][    C0]  ? 
seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30\n[  286.482769][    C0]  ? ktime_get+0x66/0x150\n[  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050\n[  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0\n[  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10\n[  286.486917][    C0]  ? lock_release+0x217/0x2c0\n[  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0\n[  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30\n[  286.488904][    C0]  ? raw_local_deliver+0x51b/0xad0\n[  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10\n[  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10\n[  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack]\n[  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370\n[  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420\n[  286.494268][    C0]  ip_local_deliver+0x168/0x430\n[  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10\n[  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20\n[  286.496806][    C0]  ? lock_release+0x217/0x2c0\n[  286.497414][    C0]  ip_rcv+0x455/0x6e0\n[  286.497945][    C0]  ? 
__pfx_ip_rcv+0x10/0x10\n[ \n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00044,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17e58be5b49f58bf17799a504f55c2d05ab2ecdc","https://git.kernel.org/stable/c/3a982ada411b8c52695f1784c3f4784771f30209","https://git.kernel.org/stable/c/46d22b47df2741996af277a2838b95f130436c13","https://git.kernel.org/stable/c/6265538446e2426f4bf3b57e91d7680b2047ddd9","https://git.kernel.org/stable/c/a21cb31642ffc84ca4ce55028212a96f72f54d30","https://git.kernel.org/stable/c/c240375587ddcc80e1022f52ee32b946bbc3a639","https://git.kernel.org/stable/c/ec462449f4cf616b0aa2ed119f5f44b5fdfcefab","https://git.kernel.org/stable/c/fc01b547c3f8bfa6e1d23cd5a2c63c736e8c3e4e","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-18T10:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38023","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: handle failure of nfs_get_lock_context in unlock path\n\nWhen memory is insufficient, the allocation of nfs_lock_context in\nnfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat\nan nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)\nas valid and proceed to execute rpc_run_task(), this will trigger a NULL\npointer dereference in nfs4_locku_prepare. 
For example:\n\nBUG: kernel NULL pointer dereference, address: 000000000000000c\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40\nWorkqueue: rpciod rpc_async_schedule\nRIP: 0010:nfs4_locku_prepare+0x35/0xc2\nCode: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3\nRSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246\nRAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40\nRBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38\nR10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030\nR13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30\nFS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n __rpc_execute+0xbc/0x480\n rpc_async_schedule+0x2f/0x40\n process_one_work+0x232/0x5d0\n worker_thread+0x1da/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x240\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? 
__pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\nModules linked in:\nCR2: 000000000000000c\n---[ end trace 0000000000000000 ]---\n\nFree the allocated nfs4_unlockdata when nfs_get_lock_context() fails and\nreturn NULL to terminate subsequent rpc_run_task, preventing NULL pointer\ndereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4c189fd40a09a03f9a900bedb2d9064f1734d72a","https://git.kernel.org/stable/c/72f552e00c50f265896d3c19edc6696aa2910081","https://git.kernel.org/stable/c/85fb7f8ca5f8c138579fdfc9b97b3083e6077d40","https://git.kernel.org/stable/c/a6879a076b98c99c9fe747816fe1c29543442441","https://git.kernel.org/stable/c/c457dc1ec770a22636b473ce5d35614adfe97636","https://git.kernel.org/stable/c/da824f1271633bcb515ca8084cda3eda4b3ace51","https://git.kernel.org/stable/c/db6f5ee1fc8f54d079d0751292c2fc2d78e3aad1","https://git.kernel.org/stable/c/f601960af04d2ecb007c928ba153d34051acd9c1","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-06-18T10:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38024","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcf/0x610 mm/kasan/report.c:489\n kasan_report+0xb5/0xe0 mm/kasan/report.c:602\n rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195\n rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132\n __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232\n rxe_create_cq+0x22e/0x3a0 
drivers/infiniband/sw/rxe/rxe_verbs.c:1109\n create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052\n ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095\n ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679\n vfs_write fs/read_write.c:677 [inline]\n vfs_write+0x26a/0xcc0 fs/read_write.c:659\n ksys_write+0x1b8/0x200 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIn the function rxe_create_cq, when rxe_cq_from_init fails, the function\nrxe_cleanup will be called to handle the allocated resources. In fact,\nsome memory resources have already been freed in the function\nrxe_cq_from_init. Thus, this problem will occur.\n\nThe solution is to let rxe_cleanup do all the work.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16c45ced0b3839d3eee72a86bb172bef6cf58980","https://git.kernel.org/stable/c/336edd6b0f5b7fbffc3e065285610624f59e88df","https://git.kernel.org/stable/c/3a3b73e135e3bd18423d0baa72571319c7feb759","https://git.kernel.org/stable/c/52daccfc3fa68ee1902d52124921453d7a335591","https://git.kernel.org/stable/c/7c7c80c32e00665234e373ab03fe82f5c5c2c230","https://git.kernel.org/stable/c/ee4c5a2a38596d548566560c0c022ab797e6f71a","https://git.kernel.org/stable/c/f81b33582f9339d2dc17c69b92040d3650bb4bae","https://git.kernel.org/stable/c/f8f470e3a757425a8f98fb9a5991e3cf62fc7134","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-06-18T10:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38027","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: max20086: fix invalid memory 
access\n\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\narray of struct of_regulator_match allocated on the stack for the\nmatches argument.\n\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\nbe de-allocated using devm_of_regulator_put_matches().\n\nstruct devm_of_regulator_matches is populated with the stack allocated\nmatches array.\n\nIf the device fails to probe, devm_of_regulator_put_matches() will be\ncalled and will try to call of_node_put() on that stack pointer,\ngenerating the following dmesg entries:\n\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\nkobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet\nkobject_put() is being called.\n\nFollowed by a stack trace matching the call flow described above.\n\nSwitch to allocating the matches array using devm_kcalloc() to\navoid accessing the stack pointer long after it's out of scope.\n\nThis also has the advantage of allowing multiple max20086 to probe\nwithout overriding the data stored inside the global of_regulator_match.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00015,"ranking_epss":0.02979,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8","https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772","https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660","https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8","https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-06-18T10:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38015","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix memory leak in error 
handling path of idxd_alloc\n\nMemory allocated for idxd is not freed if an error occurs during\nidxd_alloc(). To fix it, free the allocated memory in the reverse order\nof allocation before exiting the function in case of an error.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/46a5cca76c76c86063000a12936f8e7875295838","https://git.kernel.org/stable/c/4f005eb68890698e5abc6a3af04dab76f175c50c","https://git.kernel.org/stable/c/64afd9a1f644b27661420257dcc007d5009c99dd","https://git.kernel.org/stable/c/6e94a2c3e4c166cd2736ac225fba5889fb1e8ac0","https://git.kernel.org/stable/c/868dbce755ec92855362d213f47e045a8388361a","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-06-18T10:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38018","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix kernel panic when alloc_page failed\n\nWe cannot set frag_list to NULL pointer when alloc_page failed.\nIt will be used in tls_strp_check_queue_ok when the next time\ntls_strp_read_sock is called.\n\nThis is because we don't reset full_len in tls_strp_flush_anchor_copy()\nso the recv path will try to continue handling the partial record\non the next call but we dettached the rcvq from the frag list.\nAlternative fix would be to reset full_len.\n\nUnable to handle kernel NULL pointer dereference\nat virtual address 0000000000000028\n Call trace:\n tls_strp_check_rcv+0x128/0x27c\n tls_strp_data_ready+0x34/0x44\n tls_data_ready+0x3c/0x1f0\n tcp_data_ready+0x9c/0xe4\n tcp_data_queue+0xf6c/0x12d0\n 
tcp_rcv_established+0x52c/0x798","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00033,"ranking_epss":0.09606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4","https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f","https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6","https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4","https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-06-18T10:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38020","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Disable MACsec offload for uplink representor profile\n\nMACsec offload is not supported in switchdev mode for uplink\nrepresentors. When switching to the uplink representor profile, the\nMACsec offload feature must be cleared from the netdevice's features.\n\nIf left enabled, attempts to add offloads result in a null pointer\ndereference, as the uplink representor does not support MACsec offload\neven though the feature bit remains set.\n\nClear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().\n\nKernel log:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__mutex_lock+0x128/0x1dd0\nCode: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 
65 ff\nRSP: 0018:ffff888147a4f160 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001\nRDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078\nRBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000\nFS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? __mutex_lock+0x128/0x1dd0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mutex_lock_io_nested+0x1ae0/0x1ae0\n ? lock_acquire+0x1c2/0x530\n ? macsec_upd_offload+0x145/0x380\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? kasan_save_stack+0x30/0x40\n ? kasan_save_stack+0x20/0x40\n ? kasan_save_track+0x10/0x30\n ? __kasan_kmalloc+0x77/0x90\n ? __kmalloc_noprof+0x249/0x6b0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]\n macsec_update_offload+0x26c/0x820\n ? macsec_set_mac_address+0x4b0/0x4b0\n ? lockdep_hardirqs_on_prepare+0x284/0x400\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n macsec_upd_offload+0x2c8/0x380\n ? macsec_update_offload+0x820/0x820\n ? __nla_parse+0x22/0x30\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240\n genl_family_rcv_msg_doit+0x1cc/0x2a0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240\n ? cap_capable+0xd4/0x330\n genl_rcv_msg+0x3ea/0x670\n ? 
genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? macsec_update_offload+0x820/0x820\n netlink_rcv_skb+0x12b/0x390\n ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? netlink_ack+0xd80/0xd80\n ? rwsem_down_read_slowpath+0xf90/0xf90\n ? netlink_deliver_tap+0xcd/0xac0\n ? netlink_deliver_tap+0x155/0xac0\n ? _copy_from_iter+0x1bb/0x12c0\n genl_rcv+0x24/0x40\n netlink_unicast+0x440/0x700\n ? netlink_attachskb+0x760/0x760\n ? lock_acquire+0x1c2/0x530\n ? __might_fault+0xbb/0x170\n netlink_sendmsg+0x749/0xc10\n ? netlink_unicast+0x700/0x700\n ? __might_fault+0xbb/0x170\n ? netlink_unicast+0x700/0x700\n __sock_sendmsg+0xc5/0x190\n ____sys_sendmsg+0x53f/0x760\n ? import_iovec+0x7/0x10\n ? kernel_sendmsg+0x30/0x30\n ? __copy_msghdr+0x3c0/0x3c0\n ? filter_irq_stacks+0x90/0x90\n ? stack_depot_save_flags+0x28/0xa30\n ___sys_sen\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00033,"ranking_epss":0.09606,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a69d53922c1221351739f17837d38e317234e5d","https://git.kernel.org/stable/c/1e577aeb51e9deba4f2c10edfcb07cb3cb406598","https://git.kernel.org/stable/c/1f80e6ff026041721d8089da8c269b1963628325","https://git.kernel.org/stable/c/588431474eb7572e57a927fa8558c9ba2f8af143","https://git.kernel.org/stable/c/b48a47e137cedfd79655accaeeea6b296ad0b9e1","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-06-18T10:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38009","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: disable napi on driver removal\n\nA warning on driver removal started occurring after commit 9dd05df8403b\n(\"net: warn if NAPI instance wasn't shut down\"). 
Disable tx napi before\ndeleting it in mt76_dma_cleanup().\n\n WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100\n CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)\n Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024\n RIP: 0010:__netif_napi_del_locked+0xf0/0x100\n Call Trace:\n <TASK>\n mt76_dma_cleanup+0x54/0x2f0 [mt76]\n mt7921_pci_remove+0xd5/0x190 [mt7921e]\n pci_device_remove+0x47/0xc0\n device_release_driver_internal+0x19e/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x6d/0xf0\n pci_unregister_driver+0x2e/0xb0\n __do_sys_delete_module.isra.0+0x197/0x2e0\n do_syscall_64+0x7b/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTested with mt7921e but the same pattern can be actually applied to other\nmt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled\nin their *_dma_init() functions and only toggled off and on again inside\ntheir suspend/resume/reset paths. 
So it should be okay to disable tx\nnapi in such a generic way.\n\nFound by Linux Verification Center (linuxtesting.org).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b81e76db3667d1f7f2ad44e9835cdaf8dea95a8","https://git.kernel.org/stable/c/5e700b06b970fc19e3a1ecb244e14785f3fbb8e3","https://git.kernel.org/stable/c/78ab4be549533432d97ea8989d2f00b508fa68d8","https://git.kernel.org/stable/c/b892e830d1ea8c5475254b98827771f7366f1039","https://git.kernel.org/stable/c/ca5b213bf4b4224335a8131a26805d16503fca5f","https://git.kernel.org/stable/c/e7bfbda5fddd27f3158e723d641c0fcdfb0552a7","https://git.kernel.org/stable/c/ff0f820fa5b99035b3c654dd531226d8d83aec5f","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-06-18T10:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38005","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Add missing locking\n\nRecent kernels complain about a missing lock in k3-udma.c when the lock\nvalidator is enabled:\n\n[    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238\n[    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28\n[    4.144867] Hardware name: pp-v12 (DT)\n[    4.148648] Workqueue: events udma_check_tx_completion\n[    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    4.160834] pc : udma_start.isra.0+0x34/0x238\n[    4.165227] lr : udma_start.isra.0+0x30/0x238\n[    4.169618] sp : ffffffc083cabcf0\n[    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005\n[    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000\n[    4.187370] x23: 
0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670\n[    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030\n[    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048\n[    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001\n[    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68\n[    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8\n[    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000\n[    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000\n[    4.244986] Call trace:\n[    4.247463]  udma_start.isra.0+0x34/0x238\n[    4.251509]  udma_check_tx_completion+0xd0/0xdc\n[    4.256076]  process_one_work+0x244/0x3fc\n[    4.260129]  process_scheduled_works+0x6c/0x74\n[    4.264610]  worker_thread+0x150/0x1dc\n[    4.268398]  kthread+0xd8/0xe8\n[    4.271492]  ret_from_fork+0x10/0x20\n[    4.275107] irq event stamp: 220\n[    4.278363] hardirqs last  enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50\n[    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50\n[    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc\n[    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28\n[    4.311559] ---[ end trace 0000000000000000 ]---\n\nThis commit adds the missing 
locking.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00039,"ranking_epss":0.11805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ea0433f822ed0549715f7044c9cd1cf132ff7fa","https://git.kernel.org/stable/c/26e63b2fe30c61bd25981c6084f67a8af79945d0","https://git.kernel.org/stable/c/27e71fa08711e09d81e06a54007b362a5426fd22","https://git.kernel.org/stable/c/99df1edf17493cb49a8c01f6bde55c3abb6a2a6c","https://git.kernel.org/stable/c/d87f1cddc592387359fde157cc4296556f6403c2","https://git.kernel.org/stable/c/df5987e76a4ae4cbd705d81ab4b15ed232250a4a","https://git.kernel.org/stable/c/fca280992af8c2fbd511bc43f65abb4a17363f2f","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-06-18T10:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38007","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Add NULL check in uclogic_input_configured()\n\ndevm_kasprintf() returns NULL when memory allocation fails. 
Currently,\nuclogic_input_configured() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00077,"ranking_epss":0.23041,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00d52b2fa6083dd0f5c44f3604cd1bad1f9177dc","https://git.kernel.org/stable/c/01b76cc8ca243fc3376b035aa326bbc4f03d384b","https://git.kernel.org/stable/c/94e7272b636a0677082e0604609e4c471e0a2caf","https://git.kernel.org/stable/c/a9f58479a1a2c6f72907679c4df2f4ed92b05b39","https://git.kernel.org/stable/c/ad6caaf29bc26a48b1241ce82561fcbcf0a75aa9","https://git.kernel.org/stable/c/b616453d719ee1b8bf2ea6f6cc6c6258a572a590","https://git.kernel.org/stable/c/bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-06-18T10:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38004","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add locking for bcm_op runtime updates\n\nThe CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via\nhrtimer. 
The content and also the length of the sequence can be changed\nresp reduced at runtime where the 'currframe' counter is then set to zero.\n\nAlthough this appeared to be a safe operation the updates of 'currframe'\ncan be triggered from user space and hrtimer context in bcm_can_tx().\nAnderson Nascimento created a proof of concept that triggered a KASAN\nslab-out-of-bounds read access which can be prevented with a spin_lock_bh.\n\nAt the rework of bcm_can_tx() the 'count' variable has been moved into\nthe protected section as this variable can be modified from both contexts\ntoo.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00033,"ranking_epss":0.09566,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a437b86ac5a9893c902f30ef66815bf13587bf6","https://git.kernel.org/stable/c/7595de7bc56e0e52b74e56c90f7e247bf626d628","https://git.kernel.org/stable/c/76c84c3728178b2d38d5604e399dfe8b0752645e","https://git.kernel.org/stable/c/8f1c022541bf5a923c8d6fa483112c15250f30a4","https://git.kernel.org/stable/c/c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7","https://git.kernel.org/stable/c/c4e8a172501e677ebd8ea9d9161d97dc4df56fbd","https://git.kernel.org/stable/c/cc55dd28c20a6611e30596019b3b2f636819a4c0","https://git.kernel.org/stable/c/fbd8fdc2b218e979cfe422b139b8f74c12419d1f","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-08T11:15:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38003","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add missing rcu read protection for procfs content\n\nWhen the procfs content is generated for a bcm_op which is in the process\nto be removed the procfs output might show unreliable data (UAF).\n\nAs the removal of bcm_op's is already implemented with rcu handling this\npatch adds the missing 
rcu_read_lock() and makes sure the list entries\nare properly removed under rcu protection.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00048,"ranking_epss":0.14855,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0622846db728a5332b917c797c733e202c4620ae","https://git.kernel.org/stable/c/19f553a1ddf260da6570ed8f8d91a8c87f49b63a","https://git.kernel.org/stable/c/1f912f8484e9c4396378c39460bbea0af681f319","https://git.kernel.org/stable/c/63567ecd99a24495208dc860d50fb17440043006","https://git.kernel.org/stable/c/659701c0b954ccdb4a916a4ad59bbc16e726d42c","https://git.kernel.org/stable/c/6d7d458c41b98a5c1670cbd36f2923c37de51cf5","https://git.kernel.org/stable/c/7c9db92d5f0eadca30884af75c53d601edc512ee","https://git.kernel.org/stable/c/dac5e6249159ac255dad9781793dbe5908ac9ddb","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-08T11:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38001","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\n\nSavino says:\n    \"We are writing to report that this recent patch\n    (141d34391abbb315d68556b7c67ad97885407547) [1]\n    can be bypassed, and a UAF can still occur when HFSC is utilized with\n    NETEM.\n\n    The patch only checks the cl->cl_nactive field to determine whether\n    it is the first insertion or not [2], but this field is only\n    incremented by init_vf [3].\n\n    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\n    check and insert the class twice in the eltree.\n    Under normal conditions, this would lead to an infinite loop in\n    hfsc_dequeue for the reasons we already explained in this report [5].\n\n    However, if TBF is added as root qdisc and it is configured 
with a\n    very low rate,\n    it can be utilized to prevent packets from being dequeued.\n    This behavior can be exploited to perform subsequent insertions in the\n    HFSC eltree and cause a UAF.\"\n\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00028,"ranking_epss":0.07832,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/295f7c579b07b5b7cf2dffe485f71cc2f27647cb","https://git.kernel.org/stable/c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28","https://git.kernel.org/stable/c/2f2190ce4ca972051cac6a8d7937448f8cb9673c","https://git.kernel.org/stable/c/39ed887b1dd2d6b720f87e86692ac3006cc111c8","https://git.kernel.org/stable/c/4e38eaaabfb7fffbb371a51150203e19eee5d70e","https://git.kernel.org/stable/c/6672e6c00810056acaac019fe26cdc26fee8a66c","https://git.kernel.org/stable/c/a0ec22fa20b252edbe070a9de8501eef63c17ef5","https://git.kernel.org/stable/c/ac9fe7dd8e730a103ae4481147395cc73492d786","https://git.kernel.org/stable/c/e5bee633cc276410337d54b99f77fbc1ad8801e5","https://syst3mfailure.io/rbtree-family-drama/","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","https://syst3mfailure.io/rbtree-fami
ly-drama/"],"published_time":"2025-06-06T14:15:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38000","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc's peek() operation before incrementing sch->q.qlen and\nsch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch->q.qlen and\nsch->qstats.backlog before the call to the child qdisc's peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the 
peek.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00082,"ranking_epss":0.24195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a","https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335","https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d","https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf","https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653","https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02","https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4","https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-06-06T13:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-48432","summary":"An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. 
This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"epss":0.00411,"ranking_epss":0.61378,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2025/jun/04/security-releases/","https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/","http://www.openwall.com/lists/oss-security/2025/06/04/5","http://www.openwall.com/lists/oss-security/2025/06/10/2","http://www.openwall.com/lists/oss-security/2025/06/10/3","http://www.openwall.com/lists/oss-security/2025/06/10/4"],"published_time":"2025-06-05T03:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52035","summary":"An integer overflow vulnerability exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"epss":0.0017,"ranking_epss":0.38364,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2024-2131","https://lists.debian.org/debian-lts-announce/2025/06/msg00032.html","https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2131"],"published_time":"2025-06-02T15:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-54028","summary":"An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. 
An attacker can provide a malicious file to trigger this vulnerability.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"epss":0.0017,"ranking_epss":0.38364,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2024-2132","https://lists.debian.org/debian-lts-announce/2025/06/msg00032.html","https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2132"],"published_time":"2025-06-02T15:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-49113","summary":"Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"epss":0.91574,"ranking_epss":0.9967,"kev":true,"propose_action":"RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in 
program/actions/settings/upload.php.","ransomware_campaign":"Unknown","references":["https://fearsoff.org/research/roundcube","https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d","https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695","https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e","https://github.com/roundcube/roundcubemail/pull/9865","https://github.com/roundcube/roundcubemail/releases/tag/1.5.10","https://github.com/roundcube/roundcubemail/releases/tag/1.6.11","https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10","https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script","https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection","http://www.openwall.com/lists/oss-security/2025/06/02/3","https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"],"published_time":"2025-06-02T05:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-4598","summary":"A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.\n\nA SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. 
If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.001,"ranking_epss":0.27749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2025:22660","https://access.redhat.com/errata/RHSA-2025:22868","https://access.redhat.com/errata/RHSA-2025:23227","https://access.redhat.com/errata/RHSA-2025:23234","https://access.redhat.com/errata/RHSA-2026:0414","https://access.redhat.com/errata/RHSA-2026:1652","https://access.redhat.com/security/cve/CVE-2025-4598","https://bugzilla.redhat.com/show_bug.cgi?id=2369242","https://www.openwall.com/lists/oss-security/2025/05/29/3","http://seclists.org/fulldisclosure/2025/Jun/9","http://www.openwall.com/lists/oss-security/2025/06/05/1","http://www.openwall.com/lists/oss-security/2025/06/05/3","http://www.openwall.com/lists/oss-security/2025/08/18/3","https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598","https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/","https://lists.debian.org/debian-lts-announce/2025/07/msg00022.html","https://www.openwall.com/lists/oss-security/2025/08/18/3"],"published_time":"2025-05-30T14:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37995","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: ensure that kobject_put() is safe for module type kobjects\n\nIn 'lookup_or_create_module_kobject()', an internal kobject is created\nusing 'module_ktype'. So call to 'kobject_put()' on error handling\npath causes an attempt to use an uninitialized completion pointer in\n'module_kobject_release()'. 
In this scenario, we just want to release\nkobject without an extra synchronization required for a regular module\nunloading process, so adding an extra check whether 'complete()' is\nactually required makes 'kobject_put()' safe.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31d8df3f303c3ae9115230820977ef8c35c88808","https://git.kernel.org/stable/c/93799fb988757cdacf19acba57807746c00378e6","https://git.kernel.org/stable/c/9e7b49ce4f9d0cb5b6e87db9e07a2fb9e754b0dd","https://git.kernel.org/stable/c/a63d99873547d8b39eb2f6db79dd235761e7098a","https://git.kernel.org/stable/c/a6aeb739974ec73e5217c75a7c008a688d3d5cf1","https://git.kernel.org/stable/c/d63851049f412cdfadaeef7a7eaef5031d11c1e9","https://git.kernel.org/stable/c/f1c71b4bd721a4ea21da408806964b10468623f2","https://git.kernel.org/stable/c/faa9059631d3491d699c69ecf512de9e1a3d6649","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-29T14:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37997","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix region locking in hash types\n\nRegion locking introduced in v5.6-rc4 contained three macros to handle\nthe region locks: ahash_bucket_start(), ahash_bucket_end() which gave\nback the start and end hash bucket values belonging to a given region\nlock and ahash_region() which should give back the region lock belonging\nto a given hash bucket. 
The latter was incorrect which can lead to a\nrace condition between the garbage collector and adding new elements\nwhen a hash type of set is defined with timeouts.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00081,"ranking_epss":0.24009,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00cfc5fad1491796942a948808afb968a0a3f35b","https://git.kernel.org/stable/c/226ce0ec38316d9e3739e73a64b6b8304646c658","https://git.kernel.org/stable/c/6e002ecc1c8cfdfc866b9104ab7888da54613e59","https://git.kernel.org/stable/c/82c1eb32693bc48251d92532975e19160987e5b9","https://git.kernel.org/stable/c/8478a729c0462273188263136880480729e9efca","https://git.kernel.org/stable/c/a3dfec485401943e315c394c29afe2db8f9481d6","https://git.kernel.org/stable/c/aa77294b0f73bb8265987591460cd25b8722c3df","https://git.kernel.org/stable/c/e2ab67672b2288521a6146034a971f9a82ffc5c5","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-29T14:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37998","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: Fix unsafe attribute parsing in output_userspace()\n\nThis patch replaces the manual Netlink attribute iteration in\noutput_userspace() with nla_for_each_nested(), which ensures that only\nwell-formed attributes are 
processed.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00115,"ranking_epss":0.30234,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0236742bd959332181c1fcc41a05b7b709180501","https://git.kernel.org/stable/c/06b4f110c79716c181a8c5da007c259807840232","https://git.kernel.org/stable/c/47f7f00cf2fa3137d5c0416ef1a71bdf77901395","https://git.kernel.org/stable/c/4fa672cbce9c86c3efb8621df1ae580d47813430","https://git.kernel.org/stable/c/6712dc21506738f5f22b4f68b7c0d9e0df819dbd","https://git.kernel.org/stable/c/6beb6835c1fbb3f676aebb51a5fee6b77fed9308","https://git.kernel.org/stable/c/bca8df998cce1fead8cbc69144862eadc2e34c87","https://git.kernel.org/stable/c/ec334aaab74705cc515205e1da3cb369fdfd93cd","https://www.zerodayinitiative.com/advisories/ZDI-25-307/","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-29T14:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37994","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix NULL pointer access\n\nThis patch ensures that the UCSI driver waits for all pending tasks in the\nucsi_displayport_work workqueue to finish executing before proceeding with\nthe partner 
removal.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/076ab0631ed4928905736f1701e25f1e722bc086","https://git.kernel.org/stable/c/14f298c52188c34acde9760bf5abc669c5c36fdb","https://git.kernel.org/stable/c/312d79669e71283d05c05cc49a1a31e59e3d9e0e","https://git.kernel.org/stable/c/5ad298d6d4aebe1229adba6427e417e89a5208d8","https://git.kernel.org/stable/c/7804c4d63edfdd5105926cc291e806e8f4ce01b5","https://git.kernel.org/stable/c/9dda1e2a666a8a32ce0f153b5dee05c7351f1020","https://git.kernel.org/stable/c/a9931f1b52b2d0bf3952e003fd5901ea7eb851ed","https://git.kernel.org/stable/c/e9b63faf5c97deb43fc39a52edbc39d626cc14bf","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-29T14:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37992","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during ->change()\n\nPreviously, when reducing a qdisc's limit via the ->change() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch->limit against sch->q.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. 
All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their ->change() routines.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8","https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd","https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861","https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c","https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c","https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542","https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-26T15:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-3887","summary":"GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the parsing of H265 slice headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-26596.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.01617,"ranking_epss":0.81747,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-25-267/","https://lists.debian.org/debian-lts-announce/2025/06/msg00017.html"],"published_time":"2025-05-22T01:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37983","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix _another_ leak\n\nfailure to allocate inode => leaked dentry...\n\nthis one had been there since the initial merge; to be fair,\nif we are that far OOM, the odds of failing at that particular\nallocation are low...","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00051,"ranking_epss":0.16238,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24faa6ea274a2b96d0a78a0996c3137c2b2a65f0","https://git.kernel.org/stable/c/3c2fde33e3e505dfd1a895d1f24bad650c655e14","https://git.kernel.org/stable/c/47ab2caba495c1d6a899d284e541a8df656dcfe9","https://git.kernel.org/stable/c/545defa656568c74590317cd30068f85134a8216","https://git.kernel.org/stable/c/5d53e88d8370b9ab14dd830abb410d9a2671edb6","https://git.kernel.org/stable/c/5e280cce3a29b7fe7b828c6ccd5aa5ba87ceb6b6","https://git.kernel.org/stable/c/5fe708c5e3c8b2152c6caaa67243e431a5d6cca3","https://git.kernel.org/stable/c/bdb43af4fdb39f844ede401bdb1258f67a580a27","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37985","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: wdm: close race between wdm_open and wdm_wwan_port_stop\n\nClearing WDM_WWAN_IN_USE must be the last action or\nwe can open a chardev whose URBs are still 
poisoned","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00054,"ranking_epss":0.1709,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/217fe1fc7d112595a793e02b306710e702eac492","https://git.kernel.org/stable/c/52ae15c665b5fe5876655aaccc3ef70560b0e314","https://git.kernel.org/stable/c/54f7f8978af19f899dec80bcc71c8d4855dfbd72","https://git.kernel.org/stable/c/b02a3fef3e8c8fe5a0a266f7a14f38cc608fb167","https://git.kernel.org/stable/c/c1846ed4eb527bdfe6b3b7dd2c78e2af4bf98f4f","https://git.kernel.org/stable/c/e3c9adc69357fcbe6253a2bc2588ee4bbaaedbe9","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37989","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: leds: fix memory leak\n\nA network restart test on a router led to an out-of-memory condition,\nwhich was traced to a memory leak in the PHY LED trigger code.\n\nThe root cause is misuse of the devm API. The registration function\n(phy_led_triggers_register) is called from phy_attach_direct, not\nphy_probe, and the unregister function (phy_led_triggers_unregister)\nis called from phy_detach, not phy_remove. 
This means the register and\nunregister functions can be called multiple times for the same PHY\ndevice, but devm-allocated memory is not freed until the driver is\nunbound.\n\nThis also prevents kmemleak from detecting the leak, as the devm API\ninternally stores the allocated pointer.\n\nFix this by replacing devm_kzalloc/devm_kcalloc with standard\nkzalloc/kcalloc, and add the corresponding kfree calls in the unregister\npath.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/41143e71052a00d654c15dc924fda50c1e7357d0","https://git.kernel.org/stable/c/618541a6cc1511064dfa58c89b3445e21844092f","https://git.kernel.org/stable/c/663c3da86e807c6c07ed48f911c7526fad6fe1ff","https://git.kernel.org/stable/c/7f3d5880800f962c347777c4f8358f29f5fc403c","https://git.kernel.org/stable/c/95bed65cc0eb2a610550abf849a8b94374da80a7","https://git.kernel.org/stable/c/966d6494e2ed9be9052fcd9815afba830896aaf8","https://git.kernel.org/stable/c/b7f0ee992adf601aa00c252418266177eb7ac2bc","https://git.kernel.org/stable/c/f41f097f68a33d392579885426d0734a81219501","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37990","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()\n\nThe function brcmf_usb_dl_writeimage() calls the function\nbrcmf_usb_dl_cmd() but does not check its return value. The\n'state.state' and the 'state.bytes' are uninitialized if the\nfunction brcmf_usb_dl_cmd() fails. 
It is dangerous to use\nuninitialized variables in the conditions.\n\nAdd error handling for brcmf_usb_dl_cmd() to jump to error\nhandling path if the brcmf_usb_dl_cmd() fails and the\n'state.state' and the 'state.bytes' are uninitialized.\n\nImprove the error message to report more detailed error\ninformation.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00105,"ranking_epss":0.28639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08424a0922fb9e32a19b09d852ee87fb6c497538","https://git.kernel.org/stable/c/508be7c001437bacad7b9a43f08a723887bcd1ea","https://git.kernel.org/stable/c/524b70441baba453b193c418e3142bd31059cc1f","https://git.kernel.org/stable/c/62a4f2955d9a1745bdb410bf83fb16666d8865d6","https://git.kernel.org/stable/c/8e089e7b585d95122c8122d732d1d5ef8f879396","https://git.kernel.org/stable/c/972bf75e53f778c78039c5d139dd47443a6d66a1","https://git.kernel.org/stable/c/bdb435ef9815b1ae28eefffa01c6959d0fcf1fa7","https://git.kernel.org/stable/c/fa9b9f02212574ee1867fbefb0a675362a71b31d","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37991","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix double SIGFPE crash\n\nCamm noticed that on parisc a SIGFPE exception will crash an application with\na second SIGFPE in the signal handler.  Dave analyzed it, and it happens\nbecause glibc uses a double-word floating-point store to atomically update\nfunction descriptors. As a result of lazy binding, we hit a floating-point\nstore in fpe_func almost immediately.\n\nWhen the T bit is set, an assist exception trap occurs when the\nco-processor encounters *any* floating-point instruction except for a double\nstore of register %fr0.  
The latter cancels all pending traps.  Let's fix this\nby clearing the Trap (T) bit in the FP status register before returning to the\nsignal handler in userspace.\n\nThe issue can be reproduced with this test program:\n\nroot@parisc:~# cat fpe.c\n\nstatic void fpe_func(int sig, siginfo_t *i, void *v) {\n        sigset_t set;\n        sigemptyset(&set);\n        sigaddset(&set, SIGFPE);\n        sigprocmask(SIG_UNBLOCK, &set, NULL);\n        printf(\"GOT signal %d with si_code %ld\\n\", sig, i->si_code);\n}\n\nint main() {\n        struct sigaction action = {\n                .sa_sigaction = fpe_func,\n                .sa_flags = SA_RESTART|SA_SIGINFO };\n        sigaction(SIGFPE, &action, 0);\n        feenableexcept(FE_OVERFLOW);\n        return printf(\"%lf\\n\",1.7976931348623158E308*1.7976931348623158E308);\n}\n\nroot@parisc:~# gcc fpe.c -lm\nroot@parisc:~# ./a.out\n Floating point exception\n\nroot@parisc:~# strace -f ./a.out\n execve(\"./a.out\", [\"./a.out\"], 0xf9ac7034 /* 20 vars */) = 0\n getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0\n ...\n rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---\n +++ killed by SIGFPE +++\n Floating point 
exception","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00056,"ranking_epss":0.17808,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6","https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106","https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f","https://git.kernel.org/stable/c/757ba4d17b868482837c566cfefca59e2296c608","https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143","https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef","https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e","https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T18:15:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37979","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix sc7280 lpass potential buffer overflow\n\nCase values introduced in commit\n5f78e1fb7a3e (\"ASoC: qcom: Add driver support for audioreach solution\")\ncause out of bounds access in arrays of sc7280 driver data (e.g. 
in case\nof RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()).\n\nRedefine LPASS_MAX_PORTS to consider the maximum possible port id for\nq6dsp as sc7280 driver utilizes some of those values.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00071,"ranking_epss":0.21845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/a12c14577882b1f2b4cff0f86265682f16e97b0c","https://git.kernel.org/stable/c/a31a4934b31faea76e735bab17e63d02fcd8e029","https://git.kernel.org/stable/c/b807b7c81a6d066757a94af7b8fa5b6a37e4d0b3","https://git.kernel.org/stable/c/c0ce01e0ff8a0d61a7b089ab309cdc12bc527c39","https://git.kernel.org/stable/c/d78888853eb53f47ae16cf3aa5d0444d0331b9f8","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T17:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37982","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wl1251: fix memory leak in wl1251_tx_work\n\nThe skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails\nwith a -ETIMEDOUT error. 
Fix that by queueing the skb back to tx_queue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13c9744c1bcdb5de4e7dc1a78784788ecec52add","https://git.kernel.org/stable/c/2996144be660d930d5e394652abe08fe89dbe00e","https://git.kernel.org/stable/c/4a43fd36710669d67dbb5c16287a58412582ca26","https://git.kernel.org/stable/c/52f224009ce1e44805e6ff3ffc2a06af9c1c3c5b","https://git.kernel.org/stable/c/5a90c29d0204c5ffc45b43b4eced6eef0e19a33a","https://git.kernel.org/stable/c/8fd4b9551af214d037fbc9d8e179840b8b917841","https://git.kernel.org/stable/c/a0f0dc96de03ffeefc2a177b7f8acde565cb77f4","https://git.kernel.org/stable/c/f08448a885403722c5c77dae51964badfcb69495","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T17:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37967","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix deadlock\n\nThis patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock\nfunctions to the UCSI driver. ucsi_con_mutex_lock ensures the connector\nmutex is only locked if a connection is established and the partner pointer\nis valid. 
This resolves a deadlock scenario where\nucsi_displayport_remove_partner holds con->mutex waiting for\ndp_altmode_work to complete while dp_altmode_work attempts to acquire it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00069,"ranking_epss":0.21411,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/364618c89d4c57c85e5fc51a2446cd939bf57802","https://git.kernel.org/stable/c/5924b324468845fc795bd76f588f51d7ab4f202d","https://git.kernel.org/stable/c/61fc1a8e1e10cc784cab5829930838aaf1d37af5","https://git.kernel.org/stable/c/962ce9028ca6eb450d5c205238a3ee27de9d214d","https://git.kernel.org/stable/c/f32451ca4cb7dc53f2a0e2e66b84d34162747eb7","https://git.kernel.org/stable/c/f4bd982563c2fd41ec9ca6c517c392d759db801c","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T17:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37968","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: opt3001: fix deadlock due to concurrent flag access\n\nThe threaded IRQ function in this driver is reading the flag twice: once to\nlock a mutex and once to unlock it. Even though the code setting the flag\nis designed to prevent it, there are subtle cases where the flag could be\ntrue at the mutex_lock stage and false at the mutex_unlock stage. 
This\nresults in the mutex not being unlocked, resulting in a deadlock.\n\nFix it by making the opt3001_irq() code generally more robust, reading the\nflag into a variable and using the variable value at both stages.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d7def97e7eb65865ccc01bbdf4eb9e6bbe8a5b5","https://git.kernel.org/stable/c/2c95c8f0959d0a72575eabf2ff888f47ed6d8b77","https://git.kernel.org/stable/c/748ebd8e61d0bc182c331b8df3887af7285c8a8f","https://git.kernel.org/stable/c/7ca84f6a22d50bf8b31efe9eb05f9859947266d7","https://git.kernel.org/stable/c/957e8be112636d9bc692917286e81e54bd87decc","https://git.kernel.org/stable/c/a9c56ccb7cddfca754291fb24b108a5350a5fbe9","https://git.kernel.org/stable/c/e791bf216c9e236b34dabf514ec0ede140cca719","https://git.kernel.org/stable/c/f063a28002e3350088b4577c5640882bf4ea17ea","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-05-20T17:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37969","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo\n\nPrevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in\ncase pattern_len is equal to zero and the device FIFO is not 
empty.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16857370b3a30663515956b3bd27f3def6a2cf06","https://git.kernel.org/stable/c/35b8c0a284983b71d92d082c54b7eb655ed4194f","https://git.kernel.org/stable/c/4db7d923a8c298788181b796f71adf6ca499f966","https://git.kernel.org/stable/c/76727a1d81afde77d21ea8feaeb12d34605be6f4","https://git.kernel.org/stable/c/8114ef86e2058e2554111b793596f17bee23fa15","https://git.kernel.org/stable/c/9ce662851380fe2018e36e15c0bdcb1ad177ed95","https://git.kernel.org/stable/c/9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7","https://git.kernel.org/stable/c/dadf9116108315f2eb14c7415c7805f392c476b4","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T17:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37970","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo\n\nPrevent st_lsm6dsx_read_fifo from falling in an infinite loop in case\npattern_len is equal to zero and the device FIFO is not 
empty.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00081,"ranking_epss":0.24009,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/159ca7f18129834b6f4c7eae67de48e96c752fc9","https://git.kernel.org/stable/c/3bb6c02d6fe8347ce1785016d135ff539c20043c","https://git.kernel.org/stable/c/6c4a5000618a8c44200d455c92e2f2a4db264717","https://git.kernel.org/stable/c/84e39f628a3a3333add99076e4d6c8b42b12d3a0","https://git.kernel.org/stable/c/a1cad8a3bca41dead9980615d35efc7bff1fd534","https://git.kernel.org/stable/c/da33c4167b9cc1266a97215114cb74679f881d0c","https://git.kernel.org/stable/c/f06a1a1954527cc4ed086d926c81ff236b2adde9","https://git.kernel.org/stable/c/f3cf233c946531a92fe651ff2bd15ebbe60630a7","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T17:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37972","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: mtk-pmic-keys - fix possible null pointer dereference\n\nIn mtk_pmic_keys_probe, the regs parameter is only set if the button is\nparsed in the device tree. However, on hardware where the button is left\nfloating, that node will most likely be removed not to enable that\ninput. In that case the code will try to dereference a null pointer.\n\nLet's use the regs struct instead as it is defined for all supported\nplatforms. 
Note that it is ok setting the key reg even if that latter is\ndisabled as the interrupt won't be enabled anyway.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09429ddb5a91e9e8f72cd18c012ec4171c2f85ec","https://git.kernel.org/stable/c/11cdb506d0fbf5ac05bf55f5afcb3a215c316490","https://git.kernel.org/stable/c/334d74a798463ceec02a41eb0e2354aaac0d6249","https://git.kernel.org/stable/c/619c05fb176c272ac6cecf723446b39723ee6d97","https://git.kernel.org/stable/c/90fa6015ff83ef1c373cc61b7c924ab2bcbe1801","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T17:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37958","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  
Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n<TASK>\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed 
on\nupstream.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75","https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5","https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617","https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711","https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf","https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7","https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775","https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37959","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Scrub packet on bpf_redirect_peer\n\nWhen bpf_redirect_peer is used to redirect packets to a device in\nanother network namespace, the skb isn't scrubbed. That can lead skb\ninformation from one namespace to be \"misused\" in another namespace.\n\nAs one example, this is causing Cilium to drop traffic when using\nbpf_redirect_peer to redirect packets that just went through IPsec\ndecryption to a container namespace. 
The following pwru trace shows (1)\nthe packet path from the host's XFRM layer to the container's XFRM\nlayer where it's dropped and (2) the number of active skb extensions at\neach function.\n\n    NETNS       MARK  IFACE  TUPLE                                FUNC\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm_rcv_cb\n                             .active_extensions = (__u8)2,\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm4_rcv_cb\n                             .active_extensions = (__u8)2,\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  gro_cells_receive\n                             .active_extensions = (__u8)2,\n    [...]\n    4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53  skb_do_redirect\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv_core\n                             .active_extensions = (__u8)2,\n    [...]\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  udp_queue_rcv_one_skb\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_policy_check\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_decode_session\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  security_xfrm_decode_session\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)\n                             .active_extensions = (__u8)2,\n\nIn this case, there are no XFRM policies in the container's network\nnamespace so the drop is 
unexpected. When we decrypt the IPsec packet,\nthe XFRM state used for decryption is set in the skb extensions. This\ninformation is preserved across the netns switch. When we reach the\nXFRM policy check in the container's netns, __xfrm_policy_check drops\nthe packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM\npolicy can't be found that matches the (host-side) XFRM state used for\ndecryption.\n\nThis patch fixes this by scrubbing the packet when using\nbpf_redirect_peer, as is done on typical netns switches via veth\ndevices except skb->mark and skb->tstamp are not zeroed.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00101,"ranking_epss":0.28057,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/355b0526336c0bf2bf7feaca033568ede524f763","https://git.kernel.org/stable/c/9e15ef33ba39fb6d9d1f51445957f16983a9437a","https://git.kernel.org/stable/c/b37e54259cab4f78b53953d6f6268b85f07bef3e","https://git.kernel.org/stable/c/c4327229948879814229b46aa26a750718888503","https://git.kernel.org/stable/c/de1067cc8cf0e8c11ae20cbe5c467aef19d04ded","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37961","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix uninit-value for saddr in do_output_route4\n\nsyzbot reports for uninit-value for the saddr argument [1].\ncommit 4754957f04f5 (\"ipvs: do not use random local source address for\ntunnels\") already implies that the input value of saddr\nshould be ignored but the code is still reading it which can prevent\nto connect the route. 
Fix it by changing the argument to ret_saddr.\n\n[1]\nBUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4167 [inline]\n slab_alloc_node mm/slub.c:4210 [inline]\n __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367\n kmalloc_noprof include/linux/slab.h:905 [inline]\n ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]\n 
__ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nCPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)\nHardware name: Google Google Compute 
Engi\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00101,"ranking_epss":0.28057,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4","https://git.kernel.org/stable/c/7d0032112a0380d0b8d7c9005f621928a9b9fc76","https://git.kernel.org/stable/c/a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25","https://git.kernel.org/stable/c/adbc8cc1162951cb152ed7f147d5fbd35ce3e62f","https://git.kernel.org/stable/c/e34090d7214e0516eb8722aee295cb2507317c07","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37962","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leak in parse_lease_state()\n\nThe previous patch that added bounds check for create lease context\nintroduced a memory leak. When the bounds check fails, the function\nreturns NULL without freeing the previously allocated lease_ctx_info\nstructure.\n\nThis patch fixes the issue by adding kfree(lreq) before returning NULL\nin both boundary check cases.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2148d34371b06dac696c0497a98a6bf905a51650","https://git.kernel.org/stable/c/829e19ef741d9e9932abdc3bee5466195e0852cf","https://git.kernel.org/stable/c/af9e2d4732a548db8f6f5a90c2c20a789a3d7240","https://git.kernel.org/stable/c/eb4447bcce915b43b691123118893fca4f372a8f","https://git.kernel.org/stable/c/facf22c1a394c1e023dab5daf9a494f722771e1c","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37963","summary":"In the Linux kernel, the following vulnerability has 
been resolved:\n\narm64: bpf: Only mitigate cBPF programs loaded by unprivileged users\n\nSupport for eBPF programs loaded by unprivileged users is typically\ndisabled. This means only cBPF programs need to be mitigated for BHB.\n\nIn addition, only mitigate cBPF programs that were loaded by an\nunprivileged user. Privileged users can also load the same program\nvia eBPF, making the mitigation pointless.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/038866e01ea5e5a3d948898ac216e531e7848669","https://git.kernel.org/stable/c/477481c4348268136227348984b6699d6370b685","https://git.kernel.org/stable/c/6e52d043f7dbf1839a24a3fab2b12b0d3839de7a","https://git.kernel.org/stable/c/80251f62028f1ab2e09be5ca3123f84e8b00389a","https://git.kernel.org/stable/c/df53d418709205450a02bb4d71cbfb4ff86f2c1e","https://git.kernel.org/stable/c/e5f5100f1c64ac6c72671b2cf6b46542fce93706","https://git.kernel.org/stable/c/f300769ead032513a68e4a02e806393402e626f8","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37964","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Eliminate window where TLB flushes may be inadvertently skipped\n\ntl;dr: There is a window in the mm switching code where the new CR3 is\nset and the CPU should be getting TLB flushes for the new mm.  But\nshould_flush_tlb() has a bug and suppresses the flush.  Fix it by\nwidening the window where should_flush_tlb() sends an IPI.\n\nLong Version:\n\n=== History ===\n\nThere were a few things leading up to this.\n\nFirst, updating mm_cpumask() was observed to be too expensive, so it was\nmade lazier.  
But being lazy caused too many unnecessary IPIs to CPUs\ndue to the now-lazy mm_cpumask().  So code was added to cull\nmm_cpumask() periodically[2].  But that culling was a bit too aggressive\nand skipped sending TLB flushes to CPUs that need them.  So here we are\nagain.\n\n=== Problem ===\n\nThe too-aggressive code in should_flush_tlb() strikes in this window:\n\n\t// Turn on IPIs for this CPU/mm combination, but only\n\t// if should_flush_tlb() agrees:\n\tcpumask_set_cpu(cpu, mm_cpumask(next));\n\n\tnext_tlb_gen = atomic64_read(&next->context.tlb_gen);\n\tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush);\n\tload_new_mm_cr3(need_flush);\n\t// ^ After 'need_flush' is set to false, IPIs *MUST*\n\t// be sent to this CPU and not be ignored.\n\n        this_cpu_write(cpu_tlbstate.loaded_mm, next);\n\t// ^ Not until this point does should_flush_tlb()\n\t// become true!\n\nshould_flush_tlb() will suppress TLB flushes between load_new_mm_cr3()\nand writing to 'loaded_mm', which is a window where they should not be\nsuppressed.  Whoops.\n\n=== Solution ===\n\nThankfully, the fuzzy \"just about to write CR3\" window is already marked\nwith loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in\nshould_flush_tlb() is sufficient to ensure that the CPU is targeted with\nan IPI.\n\nThis will cause more TLB flush IPIs.  But the window is relatively small\nand I do not expect this to cause any kind of measurable performance\nimpact.\n\nUpdate the comment where LOADED_MM_SWITCHING is written since it grew\nyet another user.\n\nPeter Z also raised a concern that should_flush_tlb() might not observe\n'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off()\nwrites them.  
Add a barrier to ensure that they are observed in the\norder they are written.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02ad4ce144bd27f71f583f667fdf3b3ba0753477","https://git.kernel.org/stable/c/12f703811af043d32b1c8a30001b2fa04d5cd0ac","https://git.kernel.org/stable/c/399ec9ca8fc4999e676ff89a90184ec40031cf59","https://git.kernel.org/stable/c/d41072906abec8bb8e01ed16afefbaa558908c89","https://git.kernel.org/stable/c/d87392094f96e162fa5fa5a8640d70cc0952806f","https://git.kernel.org/stable/c/fea4e317f9e7e1f449ce90dedc27a2d2a95bee5a","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37951","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Add job to pending list if the reset was skipped\n\nWhen a CL/CSD job times out, we check if the GPU has made any progress\nsince the last timeout. If so, instead of resetting the hardware, we skip\nthe reset and let the timer get rearmed. This gives long-running jobs a\nchance to complete.\n\nHowever, when `timedout_job()` is called, the job in question is removed\nfrom the pending list, which means it won't be automatically freed through\n`free_job()`. 
Consequently, when we skip the reset and keep the job\nrunning, the job won't be freed when it finally completes.\n\nThis situation leads to a memory leak, as exposed in [1] and [2].\n\nSimilarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when\nGPU is still active\"), this patch ensures the job is put back on the\npending list when extending the timeout.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00101,"ranking_epss":0.28057,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12125f7d9c15e6d8ac91d10373b2db2f17dcf767","https://git.kernel.org/stable/c/35e4079bf1a2570abffce6ababa631afcf8ea0e5","https://git.kernel.org/stable/c/422a8b10ba42097a704d6909ada2956f880246f2","https://git.kernel.org/stable/c/5235b56b7e5449d990d21d78723b1a5e7bb5738e","https://git.kernel.org/stable/c/a5f162727b91e480656da1876247a91f651f76de","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37953","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_deactivate() idempotent\n\nAlan reported a NULL pointer dereference in htb_next_rb_node()\nafter we made htb_qlen_notify() idempotent.\n\nIt turns out in the following case it introduced some regression:\n\nhtb_dequeue_tree():\n  |-> fq_codel_dequeue()\n    |-> qdisc_tree_reduce_backlog()\n      |-> htb_qlen_notify()\n        |-> htb_deactivate()\n  |-> htb_next_rb_node()\n  |-> htb_deactivate()\n\nFor htb_next_rb_node(), after calling the 1st htb_deactivate(), the\nclprio[prio]->ptr could be already set to  NULL, which means\nhtb_next_rb_node() is vulnerable here.\n\nFor htb_deactivate(), although we checked qlen before calling it, in\ncase of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again\nwhich triggers the warning inside.\n\nTo fix the issues here, we need 
to:\n\n1) Make htb_deactivate() idempotent, that is, simply return if we\n   already call it before.\n2) Make htb_next_rb_node() safe against ptr==NULL.\n\nMany thanks to Alan for testing and for the reproducer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07","https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71","https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d","https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153","https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8","https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c","https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b","https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37947","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent out-of-bounds stream writes by validating *pos\n\nksmbd_vfs_stream_write() did not validate whether the write offset\n(*pos) was within the bounds of the existing stream data length (v_len).\nIf *pos was greater than or equal to v_len, this could lead to an\nout-of-bounds memory write.\n\nThis patch adds a check to ensure *pos is less than v_len before\nproceeding. 
If the condition fails, -EINVAL is returned.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00028,"ranking_epss":0.0807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04c8a38c60346bb5a7c49b276de7233f703ce9cb","https://git.kernel.org/stable/c/0ca6df4f40cf4c32487944aaf48319cb6c25accc","https://git.kernel.org/stable/c/7f61da79df86fd140c7768e668ad846bfa7ec8e1","https://git.kernel.org/stable/c/d62ba16563a86aae052f96d270b3b6f78fca154c","https://git.kernel.org/stable/c/e6356499fd216ed6343ae0363f4c9303f02c5034","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/CVE-2025-37947.c"],"published_time":"2025-05-20T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37948","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Add BHB mitigation to the epilogue for cBPF programs\n\nA malicious BPF program may manipulate the branch history to influence\nwhat the hardware speculates will happen next.\n\nOn exit from a BPF program, emit the BHB mitigation sequence.\n\nThis is only applied for 'classic' cBPF programs that are loaded 
by\nseccomp.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dfefc2ea2f29ced2416017d7e5b1253a54c2735","https://git.kernel.org/stable/c/38c345fd54afd9d6ed8d3fcddf3f6ea23887bf78","https://git.kernel.org/stable/c/42a20cf51011788f04cf2adbcd7681f02bdb6c27","https://git.kernel.org/stable/c/852b8ae934b5cbdc62496fa56ce9969aa2edda7f","https://git.kernel.org/stable/c/8fe5c37b0e08a97cf0210bb75970e945aaaeebab","https://git.kernel.org/stable/c/993f63239c219696aef8887a4e7d3a16bf5a8ece","https://git.kernel.org/stable/c/c6a8735d841bcb7649734bb3a787bb174c67c0d8","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37949","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxenbus: Use kref to track req lifetime\n\nMarek reported seeing a NULL pointer fault in the xenbus_thread\ncallstack:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: e030:__wake_up_common+0x4c/0x180\nCall Trace:\n <TASK>\n __wake_up_common_lock+0x82/0xd0\n process_msg+0x18e/0x2f0\n xenbus_thread+0x165/0x1c0\n\nprocess_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a\nthin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems\nlike it was xs_wake_up() in this case.\n\nIt seems like req may have woken up the xs_wait_for_reply(), which\nkfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed\ndata.\n\nLinux Device Drivers 2nd edition states:\n\"Normally, a wake_up call can cause an immediate reschedule to happen,\nmeaning that other processes might run before wake_up returns.\"\n... which would match the behaviour observed.\n\nChange to keeping two krefs on each request.  
One for the caller, and\none for xenbus_thread.  Each will kref_put() when finished, and the last\nwill free it.\n\nThis use of kref matches the description in\nDocumentation/core-api/kref.rst","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00105,"ranking_epss":0.28639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e94a246bb6d9538010b6c02d2b1d4717a97b2e5","https://git.kernel.org/stable/c/1f0304dfd9d217c2f8b04a9ef4b3258a66eedd27","https://git.kernel.org/stable/c/2466b0f66795c3c426cacc8998499f38031dbb59","https://git.kernel.org/stable/c/4d260a5558df4650eb87bc41b2c9ac2d6b2ba447","https://git.kernel.org/stable/c/8b02f85e84dc6f7c150cef40ddb69af5a25659e5","https://git.kernel.org/stable/c/8e9c8a0393b5f85f1820c565ab8105660f4e8f92","https://git.kernel.org/stable/c/cbfaf46b88a4c01b64c4186cdccd766c19ae644c","https://git.kernel.org/stable/c/f1bcac367bc95631afbb918348f30dec887d0e1b","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37938","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Verify event formats that have \"%*p..\"\n\nThe trace event verifier checks the formats of trace events to make sure\nthat they do not point at memory that is not in the trace event itself or\nin data that will never be freed. If an event references data that was\nallocated when the event triggered and that same data is freed before the\nevent is read, then the kernel can crash by reading freed memory.\n\nThe verifier runs at boot up (or module load) and scans the print formats\nof the events and checks their arguments to make sure that dereferenced\npointers are safe. If the format uses \"%*p..\" the verifier will ignore it,\nand that could be dangerous. 
Cover this case as well.\n\nAlso add to the sample code a use case of \"%*pbl\".","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03127354027508d076073b020d3070990fd6a958","https://git.kernel.org/stable/c/04b80d45ecfaf780981d6582899e3ab205e4aa08","https://git.kernel.org/stable/c/4d11fac941d83509be4e6a21038281d6d96da50c","https://git.kernel.org/stable/c/6854c87ac823181c810f8c07489ba543260c0023","https://git.kernel.org/stable/c/c7204fd1758c0caf1938e8a59809a1fdf28a8114","https://git.kernel.org/stable/c/ea8d7647f9ddf1f81e2027ed305299797299aa03","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37940","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Add cond_resched() to ftrace_graph_set_hash()\n\nWhen the kernel contains a large number of functions that can be traced,\nthe loop in ftrace_graph_set_hash() may take a lot of time to execute.\nThis may trigger the softlockup watchdog.\n\nAdd cond_resched() within the loop to allow the kernel to remain\nresponsive even when processing a large number of functions.\n\nThis matches the cond_resched() that is used in other locations of the\ncode that iterates over all functions that can be 
traced.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00051,"ranking_epss":0.16179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fce9574b9d515bcb8a75379a8053e18602424e3","https://git.kernel.org/stable/c/42ea22e754ba4f2b86f8760ca27f6f71da2d982c","https://git.kernel.org/stable/c/4429535acab750d963fdc3dfcc9e0eee42f4d599","https://git.kernel.org/stable/c/5d336ac215e5c76e43ef4bca9ba699835e53e2fd","https://git.kernel.org/stable/c/618655d54c5f8af5d57b77491d08c0f0ff77d114","https://git.kernel.org/stable/c/72be43ff061a889c6ee648a330a42486cafa15a6","https://git.kernel.org/stable/c/8dd7d7280357596ba63dfdb4c1725d9dd24bd42a","https://git.kernel.org/stable/c/dd38803c9088b848c6b56f4f6d7efc4497bfde61","https://git.kernel.org/stable/c/e5b4ae6f01d4a510d5725eca7254519a1093920d","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T16:15:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37936","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.\n\nWhen generating the MSR_IA32_PEBS_ENABLE value that will be loaded on\nVM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE\nvalue.  Consulting only the host kernel's host vs. guest masks results in\nrunning the guest with PEBS enabled even when the guest doesn't want to use\nPEBS.  Because KVM uses perf events to proxy the guest virtual PMU, simply\nlooking at exclude_host can't differentiate between events created by host\nuserspace, and events created by KVM on behalf of the guest.\n\nRunning the guest with PEBS unexpectedly enabled typically manifests as\ncrashes due to a near-infinite stream of #PFs.  E.g. 
if the guest hasn't\nwritten MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when\ntrying to record PEBS events.\n\nThe issue is most easily reproduced by running `perf kvm top` from before\ncommit 7b100989b4f6 (\"perf evlist: Remove __evlist__add_default\") (after\nwhich, `perf kvm top` effectively stopped using PEBS).\tThe userspace side\nof perf creates a guest-only PEBS event, which intel_guest_get_msrs()\nmisconstrues a guest-*owned* PEBS event.\n\nArguably, this is a userspace bug, as enabling PEBS on guest-only events\nsimply cannot work, and userspace can kill VMs in many other ways (there\nis no danger to the host).  However, even if this is considered to be bad\nuserspace behavior, there's zero downside to perf/KVM restricting PEBS to\nguest-owned events.\n\nNote, commit 854250329c02 (\"KVM: x86/pmu: Disable guest PEBS temporarily\nin two rare situations\") fixed the case where host userspace is profiling\nKVM *and* userspace, but missed the case where userspace is profiling only\nKVM.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/160153cf9e4aa875ad086cc094ce34aac8e13d63","https://git.kernel.org/stable/c/34b6fa11431aef71045ae5a00d90a7d630597eda","https://git.kernel.org/stable/c/44ee0afc9d1e7a7c1932698de01362ed80cfc4b5","https://git.kernel.org/stable/c/58f6217e5d0132a9f14e401e62796916aa055c1b","https://git.kernel.org/stable/c/86aa62895fc2fb7ab09d7ca40fae8ad09841f66b","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37937","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()\n\nIf dib8000_set_dds()'s call to dib8000_read32() returns zero, the result\nis a 
divide-by-zero.  Prevent that from happening.\n\nFixes the following warning with an UBSAN kernel:\n\n  drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/536f7f3595ef8187cfa9ea50d7d24fcf4e84e166","https://git.kernel.org/stable/c/6cfe46036b163e5a0f07c6b705b518148e1a8b2f","https://git.kernel.org/stable/c/75b42dfe87657ede3da3f279bd6b1b16d69af954","https://git.kernel.org/stable/c/976a85782246a29ba0f6d411a7a4f524cb9ea987","https://git.kernel.org/stable/c/9b76b198cf209797abcb1314c18ddeb90fe0827b","https://git.kernel.org/stable/c/b9249da6b0ed56269d4f21850df8e5b35dab50bd","https://git.kernel.org/stable/c/c8430e72b99936c206b37a8e2daebb3f8df7f2d8","https://git.kernel.org/stable/c/cd80277f652138d2619f149f86ae6d17bce721d1","https://git.kernel.org/stable/c/e63d465f59011dede0a0f1d21718b59a64c3ff5c","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T16:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37924","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in kerberos authentication\n\nSetting sess->user = NULL was introduced to fix the dangling pointer\ncreated by ksmbd_free_user. 
However, it is possible another thread could\nbe operating on the session and make use of sess->user after it has been\npassed to ksmbd_free_user but before sess->user is set to NULL.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00337,"ranking_epss":0.5651,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28c756738af44a404a91b77830d017bb0c525890","https://git.kernel.org/stable/c/b447463562238428503cfba1c913261047772f90","https://git.kernel.org/stable/c/e18c616718018dfc440e4a2d2b94e28fe91b1861","https://git.kernel.org/stable/c/e34a33d5d7e87399af0a138bb32f6a3e95dd83d2","https://git.kernel.org/stable/c/e86e9134e1d1c90a960dd57f59ce574d27b9a124","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37927","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid\n\nThere is a string parsing logic error which can lead to an overflow of hid\nor uid buffers. Comparing ACPIID_LEN against a total string length doesn't\ntake into account the lengths of individual hid and uid buffers so the\ncheck is insufficient in some cases. 
For example if the length of hid\nstring is 4 and the length of the uid string is 260, the length of str\nwill be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer\nwhich size is 256.\n\nThe same applies to the hid string with length 13 and uid string with\nlength 250.\n\nCheck the length of hid and uid strings separately to prevent\nbuffer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00098,"ranking_epss":0.27148,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10d901a95f8e766e5aa0bb9a983fb41271f64718","https://git.kernel.org/stable/c/13d67528e1ae4486e9ab24b70122fab104c73c29","https://git.kernel.org/stable/c/2b65060c84ee4d8dc64fae6d2728b528e9e832e1","https://git.kernel.org/stable/c/466d9da267079a8d3b69fa72dfa3a732e1f6dbb5","https://git.kernel.org/stable/c/8dee308e4c01dea48fc104d37f92d5b58c50b96c","https://git.kernel.org/stable/c/a65ebfed65fa62797ec1f5f1dcf7adb157a2de1e","https://git.kernel.org/stable/c/c3f37faa71f5d26dd2144b3f2b14525ec8f5e41f","https://git.kernel.org/stable/c/c8bdfc0297965bb13fa439d36ca9c4f7c8447f0f","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37928","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: don't schedule in atomic context\n\nA BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and\ntry_verify_in_tasklet are enabled.\n[  129.444685][  T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421\n[  129.444723][  T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4\n[  129.444740][  T934] preempt_count: 201, expected: 0\n[  129.444756][  T934] RCU nest depth: 0, 
expected: 0\n[  129.444781][  T934] Preemption disabled at:\n[  129.444789][  T934] [<ffffffd816231900>] shrink_work+0x21c/0x248\n[  129.445167][  T934] kernel BUG at kernel/sched/walt/walt_debug.c:16!\n[  129.445183][  T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[  129.445204][  T934] Skip md ftrace buffer dump for: 0x1609e0\n[  129.447348][  T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G        W  OE      6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8\n[  129.447362][  T934] Hardware name: Qualcomm Technologies, Inc. Parrot QRD, Alpha-M (DT)\n[  129.447373][  T934] Workqueue: dm_bufio_cache shrink_work\n[  129.447394][  T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  129.447406][  T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug]\n[  129.447435][  T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c\n[  129.447451][  T934] sp : ffffffc0843dbc90\n[  129.447459][  T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b\n[  129.447479][  T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68\n[  129.447497][  T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900\n[  129.447517][  T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030\n[  129.447535][  T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358\n[  129.447554][  T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003\n[  129.447572][  T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400\n[  129.447591][  T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8\n[  129.447610][  T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0\n[  129.447629][  T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000\n[  129.447647][  T934] Call trace:\n[  129.447655][  T934]  android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 
1400000003000000474e550080cce8a8a78606b6]\n[  129.447681][  T934]  __might_resched+0x190/0x1a8\n[  129.447694][  T934]  shrink_work+0x180/0x248\n[  129.447706][  T934]  process_one_work+0x260/0x624\n[  129.447718][  T934]  worker_thread+0x28c/0x454\n[  129.447729][  T934]  kthread+0x118/0x158\n[  129.447742][  T934]  ret_from_fork+0x10/0x20\n[  129.447761][  T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000)\n[  129.447772][  T934] ---[ end trace 0000000000000000 ]---\n\ndm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet\nis enabled, and __scan will be called in atomic context.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00511,"ranking_epss":0.66395,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/69a37b3ba85088fc6b903b8e1db7f0a1d4d0b52d","https://git.kernel.org/stable/c/a3d8f0a7f5e8b193db509c7191fefeed3533fc44","https://git.kernel.org/stable/c/a99f5bf4f7197009859dbce14c12f8e2ce5a5a69","https://git.kernel.org/stable/c/c8c83052283bcf2fdd467a33d1d2bd5ba36e935a","https://git.kernel.org/stable/c/f45108257280e0a1cc951ce254853721b40c0812","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37929","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays\n\nCommit a5951389e58d (\"arm64: errata: Add newer ARM cores to the\nspectre_bhb_loop_affected() lists\") added some additional CPUs to the\nSpectre-BHB workaround, including some new arrays for designs that\nrequire new 'k' values for the workaround to be effective.\n\nUnfortunately, the new arrays omitted the sentinel entry and so\nis_midr_in_range_list() will walk off the end when it doesn't find a\nmatch. 
With UBSAN enabled, this leads to a crash during boot when\nis_midr_in_range_list() is inlined (which was more common prior to\nc8c2647e69be (\"arm64: Make  _midr_in_range_list() an exported\nfunction\")):\n\n |  Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP\n |  pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n |  pc : spectre_bhb_loop_affected+0x28/0x30\n |  lr : is_spectre_bhb_affected+0x170/0x190\n | [...]\n |  Call trace:\n |   spectre_bhb_loop_affected+0x28/0x30\n |   update_cpu_capabilities+0xc0/0x184\n |   init_cpu_features+0x188/0x1a4\n |   cpuinfo_store_boot_cpu+0x4c/0x60\n |   smp_prepare_boot_cpu+0x38/0x54\n |   start_kernel+0x8c/0x478\n |   __primary_switched+0xc8/0xd4\n |  Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)\n |  ---[ end trace 0000000000000000 ]---\n |  Kernel panic - not syncing: aarch64 BRK: Fatal exception\n\nAdd the missing sentinel entries.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0011,"ranking_epss":0.29503,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/090c8714efe1c3c470301cc2f794c1ee2a57746c","https://git.kernel.org/stable/c/333579202f09e260e8116321df4c55f80a19b160","https://git.kernel.org/stable/c/3821cae9bd5a99a42d3d0be1b58e41f072cd4c4c","https://git.kernel.org/stable/c/446289b8b36b2ee98dabf6388acbddcc33ed41be","https://git.kernel.org/stable/c/6266b3509b2c6ebf2f9daf2239ff8eb60c5f5bd3","https://git.kernel.org/stable/c/e68da90ac00d8b681561aeb8f5d6c47af3a04861","https://git.kernel.org/stable/c/fee4d171451c1ad9e8aaf65fc0ab7d143a33bd72","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37930","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()\n\nNouveau is mostly designed in a way that it's expected 
that fences only\never get signaled through nouveau_fence_signal(). However, in at least\none other place, nouveau_fence_done(), can signal fences, too. If that\nhappens (race) a signaled fence remains in the pending list for a while,\nuntil it gets removed by nouveau_fence_update().\n\nShould nouveau_fence_context_kill() run in the meantime, this would be\na bug because the function would attempt to set an error code on an\nalready signaled fence.\n\nHave nouveau_fence_context_kill() check for a fence being signaled.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00102,"ranking_epss":0.28126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0453825167ecc816ec15c736e52316f69db0deb9","https://git.kernel.org/stable/c/126f5c6e0cb84e5c6f7a3a856d799d85668fb38e","https://git.kernel.org/stable/c/2ec0f5f6d4768f292c8406ed92fa699f184577e5","https://git.kernel.org/stable/c/39d6e889c0b19a2c79e1c74c843ea7c2d0f99c28","https://git.kernel.org/stable/c/47ca11836c35c5698088fd87f7fb4b0ffa217e17","https://git.kernel.org/stable/c/b771b2017260ffc3a8d4e81266619649bffcb242","https://git.kernel.org/stable/c/bbe5679f30d7690a9b6838a583b9690ea73fe0e9","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37931","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: adjust subpage bit start based on sectorsize\n\nWhen running machines with 64k page size and a 16k nodesize we started\nseeing tree log corruption in production.  This turned out to be because\nwe were not writing out dirty blocks sometimes, so this in fact affects\nall metadata writes.\n\nWhen writing out a subpage EB we scan the subpage bitmap for a dirty\nrange.  
If the range isn't dirty we do\n\n\tbit_start++;\n\nto move onto the next bit.  The problem is the bitmap is based on the\nnumber of sectors that an EB has.  So in this case, we have a 64k\npagesize, 16k nodesize, but a 4k sectorsize.  This means our bitmap is 4\nbits for every node.  With a 64k page size we end up with 4 nodes per\npage.\n\nTo make this easier this is how everything looks\n\n[0         16k       32k       48k     ] logical address\n[0         4         8         12      ] radix tree offset\n[               64k page               ] folio\n[ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers\n[ | | | |  | | | |   | | | |   | | | | ] bitmap\n\nNow we use all of our addressing based on fs_info->sectorsize_bits, so\nas you can see the above our 16k eb->start turns into radix entry 4.\n\nWhen we find a dirty range for our eb, we correctly do bit_start +=\nsectors_per_node, because if we start at bit 0, the next bit for the\nnext eb is 4, to correspond to eb->start 16k.\n\nHowever if our range is clean, we will do bit_start++, which will now\nput us offset from our radix tree entries.\n\nIn our case, assume that the first time we check the bitmap the block is\nnot dirty, we increment bit_start so now it == 1, and then we loop\naround and check again.  This time it is dirty, and we go to find that\nstart using the following equation\n\n\tstart = folio_start + bit_start * fs_info->sectorsize;\n\nso in the case above, eb->start 0 is now dirty, and we calculate start\nas\n\n\t0 + 1 * fs_info->sectorsize = 4096\n\t4096 >> 12 = 1\n\nNow we're looking up the radix tree for 1, and we won't find an eb.\nWhat's worse is now we're using bit_start == 1, so we do bit_start +=\nsectors_per_node, which is now 5.  
If that eb is dirty we will run into\nthe same thing, we will look at an offset that is not populated in the\nradix tree, and now we're skipping the writeout of dirty extent buffers.\n\nThe best fix for this is to not use sectorsize_bits to address nodes,\nbut that's a larger change.  Since this is a fs corruption problem fix\nit simply by always using sectors_per_node to increment the start bit.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.001,"ranking_epss":0.27786,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/396f4002710030ea1cfd4c789ebaf0a6969ab34f","https://git.kernel.org/stable/c/5111b148360f50cac9abbae8fca44cc0ac4bf9bf","https://git.kernel.org/stable/c/977849e8acd2466ac3cb49e04a3ecc73837f6b90","https://git.kernel.org/stable/c/b80db09b614cb7edec5bada1bc7c7b0eb3b453ea","https://git.kernel.org/stable/c/e08e49d986f82c30f42ad0ed43ebbede1e1e3739","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37932","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_qlen_notify() idempotent\n\nhtb_qlen_notify() always deactivates the HTB class and in fact could\ntrigger a warning if it is already deactivated. 
Therefore, it is not\nidempotent and not friendly to its callers, like fq_codel_dequeue().\n\nLet's make it idempotent to ease qdisc_tree_reduce_backlog() callers'\nlife.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a188c0e197383683fd093ab1ea6ce9a5869a6ea","https://git.kernel.org/stable/c/32ae12ce6a9f6bace186ca7335220ff59b6cc3cd","https://git.kernel.org/stable/c/5ba8b837b522d7051ef81bacf3d95383ff8edce5","https://git.kernel.org/stable/c/73cf6af13153d62f9b76eff422eea79dbc70f15e","https://git.kernel.org/stable/c/967955c9e57f8eebfccc298037d4aaf3d42bc1c9","https://git.kernel.org/stable/c/a61f1b5921761fbaf166231418bc1db301e5bf59","https://git.kernel.org/stable/c/bbbf5e0f87078b715e7a665d662a2c0e77f044ae","https://git.kernel.org/stable/c/e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37917","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll\n\nUse spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock\nand spin_unlock in mtk_star_emac driver to avoid spinlock recursion\noccurrence that can happen when enabling the DMA interrupts again in\nrx/tx poll.\n\n```\nBUG: spinlock recursion on CPU#0, swapper/0/0\n lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,\n    .owner_cpu: 0\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted\n    6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT\nHardware name: MediaTek MT8365 Open Platform EVK (DT)\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x60/0x80\n dump_stack+0x18/0x24\n 
spin_dump+0x78/0x88\n do_raw_spin_lock+0x11c/0x120\n _raw_spin_lock+0x20/0x2c\n mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]\n __handle_irq_event_percpu+0x48/0x140\n handle_irq_event+0x4c/0xb0\n handle_fasteoi_irq+0xa0/0x1bc\n handle_irq_desc+0x34/0x58\n generic_handle_domain_irq+0x1c/0x28\n gic_handle_irq+0x4c/0x120\n do_interrupt_handler+0x50/0x84\n el1_interrupt+0x34/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n regmap_mmio_read32le+0xc/0x20 (P)\n _regmap_bus_reg_read+0x6c/0xac\n _regmap_read+0x60/0xdc\n regmap_read+0x4c/0x80\n mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]\n __napi_poll+0x38/0x188\n net_rx_action+0x164/0x2c0\n handle_softirqs+0x100/0x244\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x24/0x64\n do_softirq_own_stack+0x1c/0x40\n __irq_exit_rcu+0xd4/0x10c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n cpuidle_enter_state+0xac/0x320 (P)\n cpuidle_enter+0x38/0x50\n do_idle+0x1e4/0x260\n cpu_startup_entry+0x34/0x3c\n rest_init+0xdc/0xe0\n console_on_rootfs+0x0/0x6c\n __primary_switched+0x88/0x90\n```","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6fe0866014486736cc3ba1c6fd4606d3dbe55c9c","https://git.kernel.org/stable/c/7cb10f17bddc415f30fbc00a4e2b490e0d94c462","https://git.kernel.org/stable/c/8d40bf73fa7f31eac2b0a7c9d85de67df82ee7f3","https://git.kernel.org/stable/c/94107259f972d2fd896dbbcaa176b3b2451ff9e5","https://git.kernel.org/stable/c/bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629","https://git.kernel.org/stable/c/d886f8d85494d12b2752fd7c6c32162d982d5dd5","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37921","summary":"In the Linux kernel, the following vulnerability 
has been resolved:\n\nvxlan: vnifilter: Fix unlocked deletion of default FDB entry\n\nWhen a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB\nentry associated with the default remote (assuming one was configured)\nis deleted without holding the hash lock. This is wrong and will result\nin a warning [1] being generated by the lockdep annotation that was\nadded by commit ebe642067455 (\"vxlan: Create wrappers for FDB lookup\").\n\nReproducer:\n\n # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1\n # bridge vni add vni 10010 remote 198.51.100.1 dev vx0\n # bridge vni del vni 10010 dev vx0\n\nFix by acquiring the hash lock before the deletion and releasing it\nafterwards. Blame the original commit that introduced the issue rather\nthan the one that exposed it.\n\n[1]\nWARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0\n[...]\nRIP: 0010:vxlan_find_mac+0x17f/0x1a0\n[...]\nCall Trace:\n <TASK>\n __vxlan_fdb_delete+0xbe/0x560\n vxlan_vni_delete_group+0x2ba/0x940\n vxlan_vni_del.isra.0+0x15f/0x580\n vxlan_process_vni_filter+0x38b/0x7b0\n vxlan_vnifilter_process+0x3bb/0x510\n rtnetlink_rcv_msg+0x2f7/0xb70\n netlink_rcv_skb+0x131/0x360\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n __sys_sendmsg+0x121/0x1b0\n do_syscall_64+0xbb/0x1d0\n 
entry_SYSCALL_64_after_hwframe+0x4b/0x53","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00062,"ranking_epss":0.19488,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/087a9eb9e5978e3ba362e1163691e41097e8ca20","https://git.kernel.org/stable/c/2d4a121296aa3940d2df9906f955c2b6b4e38bc3","https://git.kernel.org/stable/c/3576e9a80b6c4381b01ce0cbaa07f5e92d4492ed","https://git.kernel.org/stable/c/470206205588559e60035fceb5f256640cb45f99","https://git.kernel.org/stable/c/5cb9e07f84e527974b12e82e2549fa6c0cc6eef0","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37923","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix oob write in trace_seq_to_buffer()\n\nsyzbot reported this bug:\n==================================================================\nBUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\nBUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\nWrite of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260\n\nCPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106\n trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\n tracing_splice_read_pipe+0x6be/0xdd0 
kernel/trace/trace.c:6822\n ....\n==================================================================\n\nIt has been reported that trace_seq_to_buffer() tries to copy more data\nthan PAGE_SIZE to buf. Therefore, to prevent this, we should use the\nsmaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00082,"ranking_epss":0.24195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/056ebbddb8faf4ddf83d005454dd78fc25c2d897","https://git.kernel.org/stable/c/1a3f9482b50b74fa9421bff8ceecfefd0dc06f8f","https://git.kernel.org/stable/c/1f27a3e93b8d674b24b27fcdbc6f72743cd96c0d","https://git.kernel.org/stable/c/441021e5b3c7d9bd1b963590652c415929f3b157","https://git.kernel.org/stable/c/665ce421041890571852422487f4c613d1824ba9","https://git.kernel.org/stable/c/c5d2b66c5ef5037b4b4360e5447605ff00ba1bd4","https://git.kernel.org/stable/c/f4b0174e9f18aaba59ee6ffdaf8827a7f94eb606","https://git.kernel.org/stable/c/f5178c41bb43444a6008150fe6094497135d07cb","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37909","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: Fix memleak issue when GSO enabled\n\nAlways map the `skb` to the LS descriptor. Previously skb was\nmapped to EXT descriptor when the number of fragments is zero with\nGSO enabled. 
Mapping the skb to EXT descriptor prevents it from\nbeing freed, leading to a memory leak","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00105,"ranking_epss":0.28639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/093855ce90177488eac772de4eefbb909033ce5f","https://git.kernel.org/stable/c/189b05f189cac9fd233ef04d31cb5078c4d09c39","https://git.kernel.org/stable/c/2d52e2e38b85c8b7bc00dca55c2499f46f8c8198","https://git.kernel.org/stable/c/6c65ee5ad632eb8dcd3a91cf5dc99b22535f44d9","https://git.kernel.org/stable/c/a0e0efbabbbe6a1859bc31bf65237ce91e124b9b","https://git.kernel.org/stable/c/dae1ce27ceaea7e1522025b15252e3cc52802622","https://git.kernel.org/stable/c/df993daa4c968b4b23078eacc248f6502ede8664","https://git.kernel.org/stable/c/f42c18e2f14c1b1fdd2a5250069a84bc854c398c","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37911","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix out-of-bound memcpy() during ethtool -w\n\nWhen retrieving the FW coredump using ethtool, it can sometimes cause\nmemory corruption:\n\nBUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nCorrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! 
] (in kfence-#45):\n__bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nethtool_get_dump_data+0xdc/0x1a0\n__dev_ethtool+0xa1e/0x1af0\ndev_ethtool+0xa8/0x170\ndev_ioctl+0x1b5/0x580\nsock_do_ioctl+0xab/0xf0\nsock_ioctl+0x1ce/0x2e0\n__x64_sys_ioctl+0x87/0xc0\ndo_syscall_64+0x5c/0xf0\nentry_SYSCALL_64_after_hwframe+0x78/0x80\n\n...\n\nThis happens when copying the coredump segment list in\nbnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.\nThe info->dest_buf buffer is allocated based on the number of coredump\nsegments returned by the FW.  The segment list is then DMA'ed by\nthe FW and the length of the DMA is returned by FW.  The driver then\ncopies this DMA'ed segment list to info->dest_buf.\n\nIn some cases, this DMA length may exceed the info->dest_buf length\nand cause the above BUG condition.  Fix it by capping the copy\nlength to not exceed the length of info->dest_buf.  The extra\nDMA data contains no useful information.\n\nThis code path is shared for the HWRM_DBG_COREDUMP_LIST and the\nHWRM_DBG_COREDUMP_RETRIEVE FW commands.  The buffering is different\nfor these 2 FW commands.  
To simplify the logic, we need to move\nthe line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE\nup, so that the new check to cap the copy length will work for both\ncommands.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00143,"ranking_epss":0.34602,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43292b83424158fa6ec458799f3cb9c54d18c484","https://git.kernel.org/stable/c/44807af79efd0d78fa36383dd865ddfe7992c0a6","https://git.kernel.org/stable/c/44d81a9ebf0cad92512e0ffdf7412bfe20db66ec","https://git.kernel.org/stable/c/4d69864915a3a052538e4ba76cd6fd77cfc64ebe","https://git.kernel.org/stable/c/69b10dd23ab826d0c7f2d9ab311842251978d0c1","https://git.kernel.org/stable/c/6b87bd94f34370bbf1dfa59352bed8efab5bf419","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37912","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()\n\nAs mentioned in the commit baeb705fd6a7 (\"ice: always check VF VSI\npointer values\"), we need to perform a null pointer check on the return\nvalue of ice_get_vf_vsi() before using 
it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0561f2e374c3732b90e50f0a244791a4308ec67e","https://git.kernel.org/stable/c/073791e9cfe6e4a11a6d85816ba87b1aa207493e","https://git.kernel.org/stable/c/425c5f266b2edeee0ce16fedd8466410cdcfcfe3","https://git.kernel.org/stable/c/a32dcc3b8293600ddc4024731b4d027d4de061a4","https://git.kernel.org/stable/c/eae60cfe25d022d7f0321dba4cc23ad8e87ade48","https://git.kernel.org/stable/c/f68237982dc012230550f4ecf7ce286a9c37ddc9","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37913","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: qfq: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of qfq, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nThis patch checks whether the class was already added to the agg->active\nlist (cl_is_active) before doing the addition to cater for the reentrant\ncase.\n\n[1] 
https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00085,"ranking_epss":0.24787,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/005a479540478a820c52de098e5e767e63e36f0a","https://git.kernel.org/stable/c/041f410aec2c1751ee22b8b73ba05d38c3a6a602","https://git.kernel.org/stable/c/0aa23e0856b7cedb3c88d8e3d281c212c7e4fbeb","https://git.kernel.org/stable/c/0bf32d6fb1fcbf841bb9945570e0e2a70072c00f","https://git.kernel.org/stable/c/370218e8ce711684acc4cdd3cc3c6dd7956bc165","https://git.kernel.org/stable/c/53bc0b55178bd59bdd4bcd16349505cabf54b1a2","https://git.kernel.org/stable/c/a43783119e01849fbf2fe8855634e8989b240cb4","https://git.kernel.org/stable/c/f139f37dcdf34b67f5bf92bc8e0f7f6b3ac63aa4","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37914","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of ets, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether\nthe class was already added to the active_list (cl_is_active) before\ndoing the addition to cater for the reentrant case.\n\n[1] 
https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0009,"ranking_epss":0.25592,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a6d0c00fa07972384b0c308c72db091d49988b6","https://git.kernel.org/stable/c/1f01e9f961605eb397c6ecd1d7b0233dfbf9077c","https://git.kernel.org/stable/c/24388ba0a1b1b6d4af1b205927ac7f7b119ee4ea","https://git.kernel.org/stable/c/554acc5a2ea9703e08023eb9a003f9e5a830a502","https://git.kernel.org/stable/c/72c3da7e6ceb74e74ddbb5a305a35c9fdfcac6e3","https://git.kernel.org/stable/c/9efb6a0fa88e0910d079fdfeb4f7ce4d4ac6c990","https://git.kernel.org/stable/c/bc321f714de693aae06e3786f88df2975376d996","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-20T16:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37897","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: plfxlc: Remove erroneous assert in plfxlc_mac_release\n\nplfxlc_mac_release() asserts that mac->lock is held. This assertion is\nincorrect, because even if it was possible, it would not be the valid\nbehaviour. The function is used when probe fails or after the device is\ndisconnected. In both cases mac->lock can not be held as the driver is\nnot working with the device at the moment. All functions that use mac->lock\nunlock it just after it was held. 
There is also no need to hold mac->lock\nfor plfxlc_mac_release() itself, as mac data is not affected, except for\nmac->flags, which is modified atomically.\n\nThis bug leads to the following warning:\n================================================================\nWARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0\nModules linked in:\nCPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106\nCall Trace:\n <TASK>\n probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694\n usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165\n usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238\n usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620\n hub_port_connect drivers/usb/core/hub.c:5477 
[inline]\n hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]\n port_event drivers/usb/core/hub.c:5773 [inline]\n hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855\n process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292\n worker_thread+0xa47/0x1200 kernel/workqueue.c:2439\n kthread+0x28d/0x320 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n================================================================\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00077,"ranking_epss":0.23061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0fb15ae3b0a9221be01715dac0335647c79f3362","https://git.kernel.org/stable/c/36a9a2647810e57e704dde59abdf831380ca9102","https://git.kernel.org/stable/c/791a2d9e87c411aec0b9b2fb735fd15e48af9de9","https://git.kernel.org/stable/c/93d646911be1e5be20d4f5d6c48359464cef0097","https://git.kernel.org/stable/c/9ecb4af39f80cdda3e57825923243ec11e48be6b","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37901","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs\n\nOn Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not\nhave a corresponding MPM pin and should not be handled inside the MPM\ndriver. The IRQ domain hierarchy is always applied, so it's required to\nexplicitly disconnect the hierarchy for those. The pinctrl-msm driver marks\nthese with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but\nirq-qcom-mpm is currently missing the check. 
This is causing crashes when\nsetting up interrupts for non-wake GPIOs:\n\n root@rb1:~# gpiomon -c gpiochip1 10\n   irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1\n   Unable to handle kernel paging request at virtual address ffff8000a1dc3820\n   Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)\n   pc : mpm_set_type+0x80/0xcc\n   lr : mpm_set_type+0x5c/0xcc\n   Call trace:\n    mpm_set_type+0x80/0xcc (P)\n    qcom_mpm_set_type+0x64/0x158\n    irq_chip_set_type_parent+0x20/0x38\n    msm_gpio_irq_set_type+0x50/0x530\n    __irq_set_trigger+0x60/0x184\n    __setup_irq+0x304/0x6bc\n    request_threaded_irq+0xc8/0x19c\n    edge_detector_setup+0x260/0x364\n    linereq_create+0x420/0x5a8\n    gpio_ioctl+0x2d4/0x6c0\n\nFix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that\nMPM is removed entirely from the hierarchy for non-wake GPIOs.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/38a05c0b87833f5b188ae43b428b1f792df2b384","https://git.kernel.org/stable/c/45aced97f01d5ab14c8a2a60f6748f18c501c3f5","https://git.kernel.org/stable/c/d5c10448f411a925dd59005785cb971f0626e032","https://git.kernel.org/stable/c/dfbaecf7e38f5e9bfa5e47a1e525ffbb58bab8cf","https://git.kernel.org/stable/c/f102342360950b56959e5fff4a874ea88ae13758","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37903","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix slab-use-after-free in hdcp\n\nThe HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector\nobjects without incrementing the kref reference counts. 
When using a\nUSB-C dock, and the dock is unplugged, the corresponding\namdgpu_dm_connector objects are freed, creating dangling pointers in the\nHDCP code. When the dock is plugged back, the dangling pointers are\ndereferenced, resulting in a slab-use-after-free:\n\n[   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10\n\n[   66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233\n[   66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024\n[   66.776186] Workqueue: events event_property_validate [amdgpu]\n[   66.776494] Call Trace:\n[   66.776496]  <TASK>\n[   66.776497]  dump_stack_lvl+0x70/0xa0\n[   66.776504]  print_report+0x175/0x555\n[   66.776507]  ? __virt_addr_valid+0x243/0x450\n[   66.776510]  ? kasan_complete_mode_report_info+0x66/0x1c0\n[   66.776515]  kasan_report+0xeb/0x1c0\n[   66.776518]  ? event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.776819]  ? event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.777121]  __asan_report_load4_noabort+0x14/0x20\n[   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.777342]  ? __lock_acquire+0x6b40/0x6b40\n[   66.777347]  ? enable_assr+0x250/0x250 [amdgpu]\n[   66.777571]  process_one_work+0x86b/0x1510\n[   66.777575]  ? pwq_dec_nr_in_flight+0xcf0/0xcf0\n[   66.777578]  ? assign_work+0x16b/0x280\n[   66.777580]  ? lock_is_held_type+0xa3/0x130\n[   66.777583]  worker_thread+0x5c0/0xfa0\n[   66.777587]  ? process_one_work+0x1510/0x1510\n[   66.777588]  kthread+0x3a2/0x840\n[   66.777591]  ? kthread_is_per_cpu+0xd0/0xd0\n[   66.777594]  ? trace_hardirqs_on+0x4f/0x60\n[   66.777597]  ? _raw_spin_unlock_irq+0x27/0x60\n[   66.777599]  ? calculate_sigpending+0x77/0xa0\n[   66.777602]  ? kthread_is_per_cpu+0xd0/0xd0\n[   66.777605]  ret_from_fork+0x40/0x90\n[   66.777607]  ? 
kthread_is_per_cpu+0xd0/0xd0\n[   66.777609]  ret_from_fork_asm+0x11/0x20\n[   66.777614]  </TASK>\n\n[   66.777643] Allocated by task 10:\n[   66.777646]  kasan_save_stack+0x39/0x60\n[   66.777649]  kasan_save_track+0x14/0x40\n[   66.777652]  kasan_save_alloc_info+0x37/0x50\n[   66.777655]  __kasan_kmalloc+0xbb/0xc0\n[   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0\n[   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu]\n[   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper]\n[   66.777892]  drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper]\n[   66.777901]  drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper]\n[   66.777909]  drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper]\n[   66.777917]  process_one_work+0x86b/0x1510\n[   66.777919]  worker_thread+0x5c0/0xfa0\n[   66.777922]  kthread+0x3a2/0x840\n[   66.777925]  ret_from_fork+0x40/0x90\n[   66.777927]  ret_from_fork_asm+0x11/0x20\n\n[   66.777932] Freed by task 1713:\n[   66.777935]  kasan_save_stack+0x39/0x60\n[   66.777938]  kasan_save_track+0x14/0x40\n[   66.777940]  kasan_save_free_info+0x3b/0x60\n[   66.777944]  __kasan_slab_free+0x52/0x70\n[   66.777946]  kfree+0x13f/0x4b0\n[   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu]\n[   66.778179]  drm_connector_free+0x7d/0xb0\n[   66.778184]  drm_mode_object_put.part.0+0xee/0x160\n[   66.778188]  drm_mode_object_put+0x37/0x50\n[   66.778191]  drm_atomic_state_default_clear+0x220/0xd60\n[   66.778194]  __drm_atomic_state_free+0x16e/0x2a0\n[   66.778197]  drm_mode_atomic_ioctl+0x15ed/0x2ba0\n[   66.778200]  drm_ioctl_kernel+0x17a/0x310\n[   66.778203]  drm_ioctl+0x584/0xd10\n[   66.778206]  amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu]\n[   66.778375]  __x64_sys_ioctl+0x139/0x1a0\n[   66.778378]  x64_sys_call+0xee7/0xfb0\n[   66.778381] 
\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0007,"ranking_epss":0.21586,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a782a83d130ceac6c98a87639ddd89640bff486","https://git.kernel.org/stable/c/bbc66abcd297be67e3d835276e21e6fdc65205a6","https://git.kernel.org/stable/c/be593d9d91c5a3a363d456b9aceb71029aeb3f1d","https://git.kernel.org/stable/c/dd329f04dda35a66e0c9ed462ba91bd5f2c8be70","https://git.kernel.org/stable/c/e25139c4aa5621f2db8e86688c33546cdd885e42","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37905","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Balance device refcount when destroying devices\n\nUsing device_find_child() to lookup the proper SCMI device to destroy\ncauses an unbalance in device refcount, since device_find_child() calls an\nimplicit get_device(): this, in turns, inhibits the call of the provided\nrelease methods upon devices destruction.\n\nAs a consequence, one of the structures that is not freed properly upon\ndestruction is the internal struct device_private dev->p populated by the\ndrivers subsystem core.\n\nKMemleak detects this situation since loading/unloding some SCMI driver\ncauses related devices to be created/destroyed without calling any\ndevice_release method.\n\nunreferenced object 0xffff00000f583800 (size 512):\n  comm \"insmod\", pid 227, jiffies 4294912190\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......\n  backtrace (crc 114e2eed):\n    kmemleak_alloc+0xbc/0xd8\n    __kmalloc_cache_noprof+0x2dc/0x398\n    device_add+0x954/0x12d0\n    device_register+0x28/0x40\n    __scmi_device_create.part.0+0x1bc/0x380\n    
scmi_device_create+0x2d0/0x390\n    scmi_create_protocol_devices+0x74/0xf8\n    scmi_device_request_notifier+0x1f8/0x2a8\n    notifier_call_chain+0x110/0x3b0\n    blocking_notifier_call_chain+0x70/0xb0\n    scmi_driver_register+0x350/0x7f0\n    0xffff80000a3b3038\n    do_one_initcall+0x12c/0x730\n    do_init_module+0x1dc/0x640\n    load_module+0x4b20/0x5b70\n    init_module_from_file+0xec/0x158\n\n$ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0\ndevice_add+0x954/0x12d0:\nkmalloc_noprof at include/linux/slab.h:901\n(inlined by) kzalloc_noprof at include/linux/slab.h:1037\n(inlined by) device_private_init at drivers/base/core.c:3510\n(inlined by) device_add at drivers/base/core.c:3561\n\nBalance device refcount by issuing a put_device() on devices found via\ndevice_find_child().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0009,"ranking_epss":0.25537,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3","https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da","https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb","https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8","https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599","https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"],"published_time":"2025-05-20T16:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37892","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: inftlcore: Add error check for inftl_read_oob()\n\nIn INFTL_findwriteunit(), the return value of inftl_read_oob()\nneed to be checked. A proper implementation can be\nfound in INFTL_deleteblock(). 
The status will be set as\nSECTOR_IGNORE to break from the while-loop correctly\nif the inftl_read_oob() fails.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00052,"ranking_epss":0.16507,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0300e751170cf80c05ca1a762a7b449e8ca6b693","https://git.kernel.org/stable/c/114d94f095aa405fa9a51484c4be34846d7bb386","https://git.kernel.org/stable/c/1c22356dfb041e5292835c9ff44d5f91bef8dd18","https://git.kernel.org/stable/c/5479a6af3c96f73bec2d2819532b6d6814f52dd6","https://git.kernel.org/stable/c/6af3b92b1c0b58ca281d0e1501bad2567f73c1a5","https://git.kernel.org/stable/c/7772621041ee78823ccc5f1fe38f6faa22af7023","https://git.kernel.org/stable/c/b828d394308e8e00df0a6f57e7dabae609bb8b7b","https://git.kernel.org/stable/c/d027951dc85cb2e15924c980dc22a6754d100c7c","https://git.kernel.org/stable/c/e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-20T11:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47273","summary":"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00487,"ranking_epss":0.65374,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88","https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b","https://github.com/pypa/setuptools/issues/4946","https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf","https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html","https://github.com/pypa/setuptools/issues/4946"],"published_time":"2025-05-17T16:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37890","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard's report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. 
The crux of the issue is that hfsc is assuming\nthat checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon't insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00082,"ranking_epss":0.24195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547","https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421","https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202","https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21","https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef","https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5","https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0","https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-16T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-47287","summary":"Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. 
The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.01164,"ranking_epss":0.78571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3","https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m","https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html"],"published_time":"2025-05-15T22:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37889","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Consistently treat platform_max as control value\n\nThis reverts commit 9bdd10d57a88 (\"ASoC: ops: Shift tested values in\nsnd_soc_put_volsw() by +min\"), and makes some additional related\nupdates.\n\nThere are two ways the platform_max could be interpreted; the maximum\nregister value, or the maximum value the control can be set to. The\npatch moved from treating the value as a control value to a register\none. When the patch was applied it was technically correct as\nsnd_soc_limit_volume() also used the register interpretation. However,\neven then most of the other usages treated platform_max as a\ncontrol value, and snd_soc_limit_volume() has since been updated to\nalso do so in commit fb9ad24485087 (\"ASoC: ops: add correct range\ncheck for limiting volume\"). That patch however, missed updating\nsnd_soc_put_volsw() back to the control interpretation, and fixing\nsnd_soc_info_volsw_range(). The control interpretation makes more\nsense as limiting is typically done from the machine driver, so it is\nappropriate to use the customer facing representation rather than the\ninternal codec representation. 
Update all the code to consistently use\nthis interpretation of platform_max.\n\nFinally, also add some comments to the soc_mixer_control struct to\nhopefully avoid further patches switching between the two approaches.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3","https://git.kernel.org/stable/c/296c8295ae34045da0214882628d49c1c060dd8a","https://git.kernel.org/stable/c/544055329560d4b64fe204fc6be325ebc24c72ca","https://git.kernel.org/stable/c/694110bc2407a61f02a770cbb5f39b51e4ec77c6","https://git.kernel.org/stable/c/a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6","https://git.kernel.org/stable/c/c402f184a053c8e7ca325e50f04bbbc1e4fee019","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37879","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\n9p/net: fix improper handling of bogus negative read/write replies\n\nIn p9_client_write() and p9_client_read_once(), if the server\nincorrectly replies with success but a negative write/read count then we\nwould consider written (negative) <= rsize (positive) because both\nvariables were signed.\n\nMake variables unsigned to avoid this problem.\n\nThe reproducer linked below now fails with the following error instead\nof a null pointer deref:\n9pnet: bogus RWRITE count (4294967295 > 
3)","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00055,"ranking_epss":0.17433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/374e4cd75617c8c2552f562f39dd989583f5c330","https://git.kernel.org/stable/c/468ff4a7c61fb811c596a7c44b6a5455e40fd12b","https://git.kernel.org/stable/c/a68768e280b7d0c967ea509e791bb9b90adc94a5","https://git.kernel.org/stable/c/c548f95688e2b5ae0e2ae43d53cf717156c7d034","https://git.kernel.org/stable/c/d0259a856afca31d699b706ed5e2adf11086c73b","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37881","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()\n\nThe variable d->name, returned by devm_kasprintf(), could be NULL.\nA pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis 
tool","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00089,"ranking_epss":0.25414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/052fb65335befeae8500e88d69ea022266baaf6d","https://git.kernel.org/stable/c/36d68151712e525450f0fbb3045e7110f0d9b610","https://git.kernel.org/stable/c/61006ca381b4d65d2b8ca695ea8da1ce18d6dee3","https://git.kernel.org/stable/c/8c75f3e6a433d92084ad4e78b029ae680865420f","https://git.kernel.org/stable/c/a777ccfb9ba8d43f745e41b69ba39d4a506a081e","https://git.kernel.org/stable/c/c8d4faf452a627f9b09c3a5c366133a19e5b7a28","https://git.kernel.org/stable/c/cfa7984f69359761b07a7831c1258c0fde1e0389","https://git.kernel.org/stable/c/d26a6093d52904cacdbb75424c323c19b443a890","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37883","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Add check for get_zeroed_page()\n\nAdd check for the return value of get_zeroed_page() in\nsclp_console_init() to prevent null pointer dereference.\nFurthermore, to solve the memory leak caused by the loop\nallocation, add a free helper to do the free 
job.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00054,"ranking_epss":0.17156,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/28e5a867aa542e369e211c2baba7044228809a99","https://git.kernel.org/stable/c/397254706eba9d8f99fd237feede7ab3169a7f9a","https://git.kernel.org/stable/c/3b3aa72636a6205933609ec274a8747720c1ee3f","https://git.kernel.org/stable/c/3db42c75a921854a99db0a2775814fef97415bac","https://git.kernel.org/stable/c/e1e00dc45648125ef7cb87ebc3b581ac224e7b39","https://git.kernel.org/stable/c/f69f8a93aacf6e99af7b1cc992d8ca2cc07b96fb","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37884","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix deadlock between rcu_tasks_trace and event_mutex.\n\nFix the following deadlock:\nCPU A\n_free_event()\n  perf_kprobe_destroy()\n    mutex_lock(&event_mutex)\n      perf_trace_event_unreg()\n        synchronize_rcu_tasks_trace()\n\nThere are several paths where _free_event() grabs event_mutex\nand calls sync_rcu_tasks_trace. 
Above is one such case.\n\nCPU B\nbpf_prog_test_run_syscall()\n  rcu_read_lock_trace()\n    bpf_prog_run_pin_on_cpu()\n      bpf_prog_load()\n        bpf_tracing_func_proto()\n          trace_set_clr_event()\n            mutex_lock(&event_mutex)\n\nDelegate trace_set_clr_event() to workqueue to avoid\nsuch lock dependency.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00047,"ranking_epss":0.14713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/45286680b385f2592db3003554872388dee66d68","https://git.kernel.org/stable/c/4580f4e0ebdf8dc8d506ae926b88510395a0c1d1","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37885","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reset IRTE to host control if *new* route isn't postable\n\nRestore an IRTE back to host control (remapped or posted MSI mode) if the\n*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of\nthe GSI routing type.  Updating the IRTE if and only if the new GSI is an\nMSI results in KVM leaving an IRTE posting to a vCPU.\n\nThe dangling IRTE can result in interrupts being incorrectly delivered to\nthe guest, and in the worst case scenario can result in use-after-free,\ne.g. 
if the VM is torn down, but the underlying host IRQ isn't freed.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00067,"ranking_epss":0.20977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/023816bd5fa46fab94d1e7917fe131b79ed1fb41","https://git.kernel.org/stable/c/116c7d35b8f72eac383b9fd371d7c1a8ffc2968b","https://git.kernel.org/stable/c/3066ec21d1a33896125747f68638725f456308db","https://git.kernel.org/stable/c/3481fd96d801715942b6f69fe251133128156f30","https://git.kernel.org/stable/c/9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2","https://git.kernel.org/stable/c/b5de7ac74f69603ad803c524b840bffd36368fc3","https://git.kernel.org/stable/c/e5f2dee9f7fcd2ff4b97869f3c66a0d89c167769","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37871","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx->flc_lock\n                                   spin_lock // clp->cl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx->flc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp->cl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the 
file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->\nnfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5","https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc","https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9","https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb","https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c","https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26","https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37875","summary":"In the Linux kernel, 
the following vulnerability has been resolved:\n\nigc: fix PTM cycle trigger logic\n\nWriting to clear the PTM status 'valid' bit while the PTM cycle is\ntriggered results in unreliable PTM operation. To fix this, clear the\nPTM 'trigger' and status after each PTM transaction.\n\nThe issue can be reproduced with the following:\n\n$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m\n\nNote: 1000 Hz (-R 1000) is unrealistically large, but provides a way to\nquickly reproduce the issue.\n\nPHC2SYS exits with:\n\n\"ioctl PTP_OFFSET_PRECISE: Connection timed out\" when the PTM transaction\n  fails\n\nThis patch also fixes a hang in igc_probe() when loading the igc\ndriver in the kdump kernel on systems supporting PTM.\n\nThe igc driver running in the base kernel enables PTM trigger in\nigc_probe().  Therefore the driver is always in PTM trigger mode,\nexcept in brief periods when manually triggering a PTM cycle.\n\nWhen a crash occurs, the NIC is reset while PTM trigger is enabled.\nDue to a hardware problem, the NIC is subsequently in a bad busmaster\nstate and doesn't handle register reads/writes.  When running\nigc_probe() in the kdump kernel, the first register access to a NIC\nregister hangs driver probing and ultimately breaks kdump.\n\nWith this patch, igc has PTM trigger disabled most of the time,\nand the trigger is only enabled for very brief (10 - 100 us) periods\nwhen manually triggering a PTM cycle.  
Chances that a crash occurs\nduring a PTM trigger are not 0, but extremely reduced.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00084,"ranking_epss":0.24503,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c03e4fbe1321697d9d04587e21e416705e1b19f","https://git.kernel.org/stable/c/16194ca3f3b4448a062650c869a7b3b206c6f5d3","https://git.kernel.org/stable/c/31959e06143692f7e02b8eef7d7d6ac645637906","https://git.kernel.org/stable/c/8e404ad95d2c10c261e2ef6992c7c12dde03df0e","https://git.kernel.org/stable/c/c1f174edaccc5a00f8e218c42a0aa9156efd5f76","https://git.kernel.org/stable/c/f3516229cd12dcd45f23ed01adab17e8772b1bd5","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37862","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: pidff: Fix null pointer dereference in pidff_find_fields\n\nThis function triggered a null pointer dereference if used to search for\na report that isn't implemented on the device. 
This happened both for\noptional and required reports alike.\n\nThe same logic was applied to pidff_find_special_field and although\npidff_init_fields should return an error earlier if one of the required\nreports is missing, future modifications could change this logic and\nresurface this possible null pointer dereference again.\n\nLKML bug report:\nhttps://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00059,"ranking_epss":0.18677,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22a05462c3d0eee15154faf8d13c49e6295270a5","https://git.kernel.org/stable/c/3a507184f9307e19cb441b897c49e7843c94e56b","https://git.kernel.org/stable/c/44a1b8b2027afbb37e418993fb23561bdb9efb38","https://git.kernel.org/stable/c/6b4449e4f03326fbd2136e67bfcc1e6ffe61541d","https://git.kernel.org/stable/c/be706a48bb7896d4130edc82811233d1d62158e7","https://git.kernel.org/stable/c/d230becb9d38b7325c5c38d051693e4c26b1829b","https://git.kernel.org/stable/c/ddb147885225d768025f6818df533d30edf3e102","https://git.kernel.org/stable/c/e368698da79af821f18c099520deab1219c2044b","https://git.kernel.org/stable/c/f8f4d77710e1c38f4a2bd26c88c4878b5b5e817a","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37865","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported\n\nRussell King reports that on the ZII dev rev B, deleting a bridge VLAN\nfrom a user port fails with -ENOENT:\nhttps://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/\n\nThis comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(),\nwhich tries to find an MST entry in 
&chip->msts associated with the SID,\nbut fails and returns -ENOENT as such.\n\nBut we know that this chip does not support MST at all, so that is not\nsurprising. The question is why does the guard in mv88e6xxx_mst_put()\nnot exit early:\n\n\tif (!sid)\n\t\treturn 0;\n\nAnd the answer seems to be simple: the sid comes from vlan.sid which\nsupposedly was previously populated by mv88e6xxx_vtu_get().\nBut some chip->info->ops->vtu_getnext() implementations do not populate\nvlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case,\nlater in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is\njust residual stack memory.\n\nTesting for sid == 0 covers all cases of a non-bridge VLAN or a bridge\nVLAN mapped to the default MSTI. For some chips, SID 0 is valid and\ninstalled by mv88e6xxx_stu_setup(). A chip which does not support the\nSTU would implicitly only support mapping all VLANs to the default MSTI,\nso although SID 0 is not valid, it would be sufficient, if we were to\nzero-initialize the vlan structure, to fix the bug, due to the\ncoincidence that a test for vlan.sid == 0 already exists and leads to\nthe same (correct) behavior.\n\nAnother option which would be sufficient would be to add a test for\nmv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one\nwhich already exists in mv88e6xxx_mst_get(). 
But that placement means\nthe caller will have to dereference vlan.sid, which means it will access\nuninitialized memory, which is not nice even if it ignores it later.\n\nSo we end up making both modifications, in order to not rely just on the\nsid == 0 coincidence, but also to avoid having uninitialized structure\nfields which might get temporarily accessed.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20535,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/35cde75c08a1fa1a5ac0467afe2709caceeef002","https://git.kernel.org/stable/c/9da4acbd60664271d34a627f7f63cd5bad8eba74","https://git.kernel.org/stable/c/9ee6d3a368ed34f2457863da3085c676e9e37a3d","https://git.kernel.org/stable/c/afae9087301471970254a9180e5a26d3d8e8af09","https://git.kernel.org/stable/c/ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37867","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Silence oversized kvmalloc() warning\n\nsyzkaller triggered an oversized kvmalloc() warning.\nSilence it by adding __GFP_NOWARN.\n\nsyzkaller log:\n WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180\n CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__kvmalloc_node_noprof+0x175/0x180\n RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246\n RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b\n RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002\n RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000\n R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 
00000000ffffffff R15: 0000000000000000\n FS:  00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ib_umem_odp_get+0x1f6/0x390\n  mlx5_ib_reg_user_mr+0x1e8/0x450\n  ib_uverbs_reg_mr+0x28b/0x440\n  ib_uverbs_write+0x7d3/0xa30\n  vfs_write+0x1ac/0x6c0\n  ksys_write+0x134/0x170\n  ? __sanitizer_cov_trace_pc+0x1c/0x50\n  do_syscall_64+0x50/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d81bb58a203ad5f4044dc18cfbc230c194f650a","https://git.kernel.org/stable/c/6c588e9afbab240c921f936cb676dac72e2e2b66","https://git.kernel.org/stable/c/791daf8240cedf27af8794038ae1d32ef643bce6","https://git.kernel.org/stable/c/9a0e6f15029e1a8a21e40f06fd05aa52b7f063de","https://git.kernel.org/stable/c/ae470d06320dea4002d441784d691f0a26b4322d","https://git.kernel.org/stable/c/f476eba25fdf70faa7b19a3e0fb00e65c5b53106","https://git.kernel.org/stable/c/f94ac90ce7bd6f9266ad0d99044ed86e8d1416c1","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37851","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: Add 'plane' value check\n\nFunction dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB\nof the enum parameter plane.\n\nThe value of this parameter is initialized in dss_init_overlays and in the\ncurrent state of the code it cannot take this value 
so it's not a real\nproblem.\n\nFor the purposes of defensive coding it wouldn't be superfluous to check\nthe parameter value, because some functions down the call stack process\nthis value correctly and some not.\n\nFor example, in dispc_ovl_setup_global_alpha it may lead to buffer\noverflow.\n\nAdd check for this value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00055,"ranking_epss":0.17268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09dbf22fd68c2f1a81ab89670ffa1ec3033436c4","https://git.kernel.org/stable/c/3e411827f31db7f938a30a3c7a7599839401ec30","https://git.kernel.org/stable/c/4efd8ef5e40f2c7a4a91a5a9f03140bfa827da89","https://git.kernel.org/stable/c/52eafaa56f8f6d6a0cdff9282b25b4acbde34edc","https://git.kernel.org/stable/c/660a53a0694d1f3789802509fe729dd4656fc5e0","https://git.kernel.org/stable/c/9b0a41589ee70529b20e1e0108d03f10c649bdc4","https://git.kernel.org/stable/c/a570efb4d877adbf3db2dc95487f2ba6bfdd148a","https://git.kernel.org/stable/c/cdf41d72e8b015d9ea68f5a1c0a79624e7c312aa","https://git.kernel.org/stable/c/fda15c5b96b883d62fb2d84a3a1422aa87717897","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37852","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()\n\nAdd error handling to propagate amdgpu_cgs_create_device() failures\nto the caller. When amdgpu_cgs_create_device() fails, release hwmgr\nand return -ENOMEM to prevent null pointer dereference.\n\n[v1]->[v2]: Change error code from -EINVAL to -ENOMEM. 
Free hwmgr.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00054,"ranking_epss":0.17156,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1435e895d4fc967d64e9f5bf81e992ac32f5ac76","https://git.kernel.org/stable/c/22ea19cc089013b55c240134dbb2797700ff5a6a","https://git.kernel.org/stable/c/55ef52c30c3e747f145a64de96192e37a8fed670","https://git.kernel.org/stable/c/b784734811438f11533e2fb9e0deb327844bdb56","https://git.kernel.org/stable/c/dc4380f34613eaae997b3ed263bd1cb3d0fd0075","https://git.kernel.org/stable/c/f8693e1bae9c08233a2f535c3f412e157df32b33","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37854","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mode1 reset crash issue\n\nIf HW scheduler hangs and mode1 reset is used to recover GPU, KFD signal\nuser space to abort the processes. 
After process abort exit, user queues\nstill use the GPU to access system memory before h/w is reset while KFD\ncleanup worker free system memory and free VRAM.\n\nThere is use-after-free race bug that KFD allocate and reuse the freed\nsystem memory, and user queue write to the same system memory to corrupt\nthe data structure and cause driver crash.\n\nTo fix this race, KFD cleanup worker terminate user queues, then flush\nreset_domain wq to wait for any GPU ongoing reset complete, and then\nfree outstanding BOs.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00071,"ranking_epss":0.21845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/57c9dabda80ac167de8cd71231baae37cc2f442d","https://git.kernel.org/stable/c/6f30a847432cae84c7428e9b684b3e3fa49b2391","https://git.kernel.org/stable/c/89af6b39f028c130d4362f57042927f005423e6a","https://git.kernel.org/stable/c/9c4bcdf4068aae3e17e31c144300be405cfa03ff","https://git.kernel.org/stable/c/f0b4440cdc1807bb6ec3dce0d6de81170803569b","https://git.kernel.org/stable/c/ffd37d7d44d7e0b6e769d4fe6590e327f8cc3951","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37857","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: st: Fix array overflow in st_setup()\n\nChange the array size to follow parms size instead of a fixed 
value.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00049,"ranking_epss":0.15366,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/574b399a7fb6ae71c97e26d122205c4a720c0e43","https://git.kernel.org/stable/c/736ae988bfb5932c05625baff70fba224d547c08","https://git.kernel.org/stable/c/7fe3b4deed8b93609058c37c9a11df1d2b2c0423","https://git.kernel.org/stable/c/a018d1cf990d0c339fe0e29b762ea5dc10567d67","https://git.kernel.org/stable/c/ad4c3037dc77739a625246a2a0fb23b8f3402c06","https://git.kernel.org/stable/c/c6015d0f7a2236ddb3928b2dfcb1c556a1368b55","https://git.kernel.org/stable/c/e4d1ca0a84a6650d3172eb8c07ef2fbc585b0d96","https://git.kernel.org/stable/c/e6b585d016c47ca8a37b92ea8a3fe35c0b585256","https://git.kernel.org/stable/c/f746fe0c51e044d1248dc67918328bfb3d86b639","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37858","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Prevent integer overflow in AG size calculation\n\nThe JFS filesystem calculates allocation group (AG) size using 1 <<\nl2agsize in dbExtendFS(). 
When l2agsize exceeds 31 (possible with >2TB\naggregates on 32-bit systems), this 32-bit shift operation causes undefined\nbehavior and improper AG sizing.\n\nOn 32-bit architectures:\n- Left-shifting 1 by 32+ bits results in 0 due to integer overflow\n- This creates invalid AG sizes (0 or garbage values) in\nsbi->bmap->db_agsize\n- Subsequent block allocations would reference invalid AG structures\n- Could lead to:\n  - Filesystem corruption during extend operations\n  - Kernel crashes due to invalid memory accesses\n  - Security vulnerabilities via malformed on-disk structures\n\nFix by casting to s64 before shifting:\nbmp->db_agsize = (s64)1 << l2agsize;\n\nThis ensures 64-bit arithmetic even on 32-bit architectures. The cast\nmatches the data type of db_agsize (s64) and follows similar patterns in\nJFS block calculation code.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00032,"ranking_epss":0.09047,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a","https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba","https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2","https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829","https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e","https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239","https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329","https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454","https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-202
5-37859","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: avoid infinite loop to schedule delayed worker\n\nWe noticed the kworker in page_pool_release_retry() was waken\nup repeatedly and infinitely in production because of the\nbuggy driver causing the inflight less than 0 and warning\nus in page_pool_inflight()[1].\n\nSince the inflight value goes negative, it means we should\nnot expect the whole page_pool to get back to work normally.\n\nThis patch mitigates the adverse effect by not rescheduling\nthe kworker when detecting the inflight negative in\npage_pool_release_retry().\n\n[1]\n[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------\n[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages\n...\n[Mon Feb 10 20:36:11 2025] Call Trace:\n[Mon Feb 10 20:36:11 2025]  page_pool_release_retry+0x23/0x70\n[Mon Feb 10 20:36:11 2025]  process_one_work+0x1b1/0x370\n[Mon Feb 10 20:36:11 2025]  worker_thread+0x37/0x3a0\n[Mon Feb 10 20:36:11 2025]  kthread+0x11a/0x140\n[Mon Feb 10 20:36:11 2025]  ? process_one_work+0x370/0x370\n[Mon Feb 10 20:36:11 2025]  ? 
__kthread_cancel_work+0x40/0x40\n[Mon Feb 10 20:36:11 2025]  ret_from_fork+0x35/0x40\n[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---\nNote: before this patch, the above calltrace would flood the\ndmesg due to repeated reschedule of release_dw kworker.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00055,"ranking_epss":0.17268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/43130d02baa137033c25297aaae95fd0edc41654","https://git.kernel.org/stable/c/7204335d1991c23fc615ab76f31f175748a578e1","https://git.kernel.org/stable/c/738d1812ec2e395e953258aea912ddd867d11a13","https://git.kernel.org/stable/c/90e089a64504982f8d62f223027cb9f903781f78","https://git.kernel.org/stable/c/91522aba56e9fcdf64da25ffef9b27f8fad48e0f","https://git.kernel.org/stable/c/95f17738b86fd198924d874a5639bcdc49c7e5b8","https://git.kernel.org/stable/c/9f71db4fb82deb889e0bac4a51b34daea7d506a3","https://git.kernel.org/stable/c/c3c7c57017ce1d4b2d3788c1fc59e7e39026e158","https://git.kernel.org/stable/c/e74e5aa33228c5e2cb4fc80ad103541a7b7805ec","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37844","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: avoid NULL pointer dereference in dbg call\n\ncifs_server_dbg() implies server to be non-NULL so\nmove call under condition to avoid NULL pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20048e658652e731f5cadf4a695925e570ca0ff9","https://git.kernel.org/stable/c/6c14ee6af8f1f188b668afd6d003f7516a507b08","https://git.kernel.org/stable/c/864ba5c651b03830f36f0906c21af05b15c1aaa6","https://git.kernel.org/stable/c/9c9000cb91b986eb7f75835340c67857ab97c09b","https://git.kernel.org/stable/c/b2a1833e1c63e2585867ebeaf4dd41494dcede4b","https://git.kernel.org/stable/c/b4885bd5935bb26f0a414ad55679a372e53f9b9b","https://git.kernel.org/stable/c/ba3ce6c60cd5db258687dfeba9fc608f5e7cadf3","https://git.kernel.org/stable/c/e0717385f5c51e290c2cd2ad4699a778316b5132","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37849","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Tear down vGIC on failed vCPU creation\n\nIf kvm_arch_vcpu_create() fails to share the vCPU page with the\nhypervisor, we propagate the error back to the ioctl but leave the\nvGIC vCPU data initialised. 
Note only does this leak the corresponding\nmemory when the vCPU is destroyed but it can also lead to use-after-free\nif the redistributor device handling tries to walk into the vCPU.\n\nAdd the missing cleanup to kvm_arch_vcpu_create(), ensuring that the\nvGIC vCPU structures are destroyed on error.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00058,"ranking_epss":0.18196,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e","https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52","https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672","https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5","https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73","https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37850","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()\n\nWith CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a\ndivide-by-zero in the following line:\n\n\tdo_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));\n\ndue to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate()\nreturns zero.\n\nThis is presumably just a theoretical problem: COMPILE_TEST overrides\nthe dependency on RALINK which would select COMMON_CLK.  
Regardless it's\na good idea to check for the error explicitly to avoid divide-by-zero.\n\nFixes the following warning:\n\n  drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section\n\n[ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4cb15042b5f3ec0474e91cf379120cc597625dbb","https://git.kernel.org/stable/c/77fb96dbe350e8a5ae4965ff9f6e7049f3966a6b","https://git.kernel.org/stable/c/7ca59947b5fcf94e7ea4029d1bd0f7c41500a161","https://git.kernel.org/stable/c/8b9f60725d74b72c238e4437c957d0217746b506","https://git.kernel.org/stable/c/8ddbec73ea2598d8414e8f7103241b55cf877010","https://git.kernel.org/stable/c/c343856ff2689ce0afef823592732fc178ef4aac","https://git.kernel.org/stable/c/e1206d8e1651c9f62e5640b69b14d925b1a0a00a","https://git.kernel.org/stable/c/e3cf0c38d3ce754ad63005102fcfeb0b7ff3290b","https://git.kernel.org/stable/c/f3e9cf266c2c103cf071e15d7a17e2c699fff3c5","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37836","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix reference leak in pci_register_host_bridge()\n\nIf device_register() fails, call put_device() to give up the reference to\navoid a memory leak, per the comment at device_register().\n\nFound by code review.\n\n[bhelgaas: squash Dan Carpenter's double free fix 
from\nhttps://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3297497ad2246eb9243849bfbbc57a0dea97d76e","https://git.kernel.org/stable/c/804443c1f27883926de94c849d91f5b7d7d696e9","https://git.kernel.org/stable/c/9707d0c932f41006a2701afc926b232b50e356b4","https://git.kernel.org/stable/c/b783478e0c53ffb4f04f25fb4e21ef7f482b05df","https://git.kernel.org/stable/c/bbba4c50a2d2a1d3f3bf31cc4b8280cb492bf2c7","https://git.kernel.org/stable/c/bd2a352a0d72575f1842d28c14c10089f0cfe1ae","https://git.kernel.org/stable/c/f4db1b2c9ae3d013733c302ee70cac943b7070c0","https://git.kernel.org/stable/c/f9208aec86226524ec1cb68a09ac70e974ea6536","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37839","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: remove wrong sb->s_sequence check\n\nJournal emptiness is not determined by sb->s_sequence == 0 but rather by\nsb->s_start == 0 (which is set a few lines above). Furthermore 0 is a\nvalid transaction ID so the check can spuriously trigger. 
Remove the\ninvalid WARN_ON.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0005,"ranking_epss":0.15635,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3b4643ffaf72d7a5a357e9bf68b1775f8cfe7e77","https://git.kernel.org/stable/c/9eaec071f111cd2124ce9a5b93536d3f6837d457","https://git.kernel.org/stable/c/ad926f735b4d4f10768fec7d080cadeb6d075cac","https://git.kernel.org/stable/c/b0cca357f85beb6144ab60c62dcc98508cc044bf","https://git.kernel.org/stable/c/b479839525fe7906966cdc4b5b2afbca048558a1","https://git.kernel.org/stable/c/c88f7328bb0fff66520fc9164f02b1d06e083c1b","https://git.kernel.org/stable/c/c98eb9ffb1d9c98237b5e1668eee17654e129fb0","https://git.kernel.org/stable/c/cf30432f5b3064ff85d85639c2f0106f89c566f6","https://git.kernel.org/stable/c/e6eff39dd0fe4190c6146069cc16d160e71d1148","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37840","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: fix PM resume warning\n\nFixed warning on PM resume as shown below caused due to uninitialized\nstruct nand_operation that checks chip select field :\nWARN_ON(op->cs >= nanddev_ntargets(&chip->base)\n\n[   14.588522] ------------[ cut here ]------------\n[   14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8\n[   14.588553] Modules linked in: bdc udc_core\n[   14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G        W          6.14.0-rc4-g5394eea10651 #16\n[   14.588590] Tainted: [W]=WARN\n[   14.588593] Hardware name: Broadcom STB (Flattened Device Tree)\n[   14.588598] Call trace:\n[   14.588604]  dump_backtrace from show_stack+0x18/0x1c\n[   14.588622]  r7:00000009 r6:0000008b r5:60000153 
r4:c0fa558c\n[   14.588625]  show_stack from dump_stack_lvl+0x70/0x7c\n[   14.588639]  dump_stack_lvl from dump_stack+0x18/0x1c\n[   14.588653]  r5:c08d40b0 r4:c1003cb0\n[   14.588656]  dump_stack from __warn+0x84/0xe4\n[   14.588668]  __warn from warn_slowpath_fmt+0x18c/0x194\n[   14.588678]  r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000\n[   14.588681]  warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8\n[   14.588695]  r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048\n[   14.588697]  nand_reset_op from brcmnand_resume+0x13c/0x150\n[   14.588714]  r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040\n[   14.588717]  brcmnand_resume from platform_pm_resume+0x34/0x54\n[   14.588735]  r5:00000010 r4:c0840a50\n[   14.588738]  platform_pm_resume from dpm_run_callback+0x5c/0x14c\n[   14.588757]  dpm_run_callback from device_resume+0xc0/0x324\n[   14.588776]  r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010\n[   14.588779]  device_resume from dpm_resume+0x130/0x160\n[   14.588799]  r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0\n[   14.588802]  dpm_resume from dpm_resume_end+0x14/0x20\n[   14.588822]  r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414\n[   14.588826]  r4:00000010\n[   14.588828]  dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8\n[   14.588848]  r5:c228a414 r4:00000000\n[   14.588851]  suspend_devices_and_enter from pm_suspend+0x228/0x2bc\n[   14.588868]  r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000\n[   14.588871]  r4:00000003\n[   14.588874]  pm_suspend from state_store+0x74/0xd0\n[   14.588889]  r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003\n[   14.588892]  state_store from kobj_attr_store+0x1c/0x28\n[   14.588913]  r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250\n[   14.588916]  kobj_attr_store from sysfs_kf_write+0x40/0x4c\n[   14.588936]  r5:c3502900 r4:c0d92a48\n[   14.588939]  
sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0\n[   14.588956]  r5:c3502900 r4:c3501f40\n[   14.588960]  kernfs_fop_write_iter from vfs_write+0x250/0x420\n[   14.588980]  r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00\n[   14.588983]  r4:c042a88c\n[   14.588987]  vfs_write from ksys_write+0x74/0xe4\n[   14.589005]  r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00\n[   14.589008]  r4:c34f7f00\n[   14.589011]  ksys_write from sys_write+0x10/0x14\n[   14.589029]  r7:00000004 r6:004421c0 r5:00443398 r4:00000004\n[   14.589032]  sys_write from ret_fast_syscall+0x0/0x5c\n[   14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)\n[   14.589050] 9fa0:                   00000004 00443398 00000004 00443398 00000004 00000001\n[   14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78\n[   14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8\n[   14.589065] ---[ end trace 0000000000000000 ]---\n\nThe fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when\ndoing PM resume operation in compliance with the controller support for single\ndie nand chip. 
Switching from nand_reset_op() to nan\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00065,"ranking_epss":0.20215,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2","https://git.kernel.org/stable/c/6f567c6a5250e3531cfd9c7ff254ecc2650464fa","https://git.kernel.org/stable/c/7266066b9469f04ed1d4c0fdddaea1425835eb55","https://git.kernel.org/stable/c/8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7","https://git.kernel.org/stable/c/9bd51723ab51580e077c91d494c37e80703b8524","https://git.kernel.org/stable/c/9dd161f707ecb7db38e5f529e979a5b6eb565b2d","https://git.kernel.org/stable/c/c2eb3cffb0d972c5503e4d48921971c81def0fe5","https://git.kernel.org/stable/c/ddc210cf8b8a8be68051ad958bf3e2cef6b681c2","https://git.kernel.org/stable/c/fbcb584efa5cd912ff8a151d67b8fe22f4162a85","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37841","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npm: cpupower: bench: Prevent NULL dereference on malloc failure\n\nIf malloc returns NULL due to low memory, 'config' pointer can be NULL.\nAdd a check to prevent NULL 
dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00049,"ranking_epss":0.15366,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e297a02e03dceb2874789ca40bd4e65c5371704","https://git.kernel.org/stable/c/208baa3ec9043a664d9acfb8174b332e6b17fb69","https://git.kernel.org/stable/c/34a9394794b0f97af6afedc0c9ee2012c24b28ed","https://git.kernel.org/stable/c/5e38122aa3fd0f9788186e86a677925bfec0b2d1","https://git.kernel.org/stable/c/79bded9d70142d2a11d931fc029afece471641db","https://git.kernel.org/stable/c/87b9f0867c0afa7e892f4b30c36cff6bf2707f85","https://git.kernel.org/stable/c/942a4b97fc77516678b1d8af1521ff9a94c13b3e","https://git.kernel.org/stable/c/ceec06f464d5cfc0ba966225f7d50506ceb62242","https://git.kernel.org/stable/c/f8d28fa305b78c5d1073b63f26db265ba8291ae1","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-09T07:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37829","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()\n\ncpufreq_cpu_get_raw() can return NULL when the target CPU is not present\nin the policy->cpus mask. 
scpi_cpufreq_get_rate() does not check for\nthis case, which results in a NULL pointer dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/124bddf123311cd1f18bffd63a5d974468d59c67","https://git.kernel.org/stable/c/19e0eaa62e8831f2bc0285fef3bf8faaa7f3e09b","https://git.kernel.org/stable/c/28fbd7b13b4d3074b16db913aedc9d8d37ab41e7","https://git.kernel.org/stable/c/73b24dc731731edf762f9454552cb3a5b7224949","https://git.kernel.org/stable/c/8fbaa76690f67a7cbad315f89d607b46e3e06ede","https://git.kernel.org/stable/c/ad4796f2da495b2cbbd0fccccbcbf63f2aeee613","https://git.kernel.org/stable/c/da8ee91e532486055ecf88478d38c2f3dc234182","https://git.kernel.org/stable/c/fdf035d9c5436536ffcfea0ac6adeb5dda3c3a23","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37830","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()\n\ncpufreq_cpu_get_raw() can return NULL when the target CPU is not present\nin the policy->cpus mask. 
scmi_cpufreq_get_rate() does not check for\nthis case, which results in a NULL pointer dereference.\n\nAdd NULL check after cpufreq_cpu_get_raw() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00125,"ranking_epss":0.31819,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/484d3f15cc6cbaa52541d6259778e715b2c83c54","https://git.kernel.org/stable/c/4e3d1c1925d8e752992cd893d03d974e6807ac16","https://git.kernel.org/stable/c/7ccfadfb2562337b4f0462a86a9746a6eea89718","https://git.kernel.org/stable/c/bd1dcfba72aac4159c1d5e17cd861e702e6c19ac","https://git.kernel.org/stable/c/cfaca93b8fe317b7faa9af732e0ba8c9081fa018","https://git.kernel.org/stable/c/ea834c90aa7cc80a1b456f7a91432734d5087d16","https://git.kernel.org/stable/c/f9c5423855e3687262d881aeee5cfb3bc8577bff","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37818","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Return NULL from huge_pte_offset() for invalid PMD\n\nLoongArch's huge_pte_offset() currently returns a pointer to a PMD slot\neven if the underlying entry points to invalid_pte_table (indicating no\nmapping). Callers like smaps_hugetlb_range() fetch this invalid entry\nvalue (the address of invalid_pte_table) via this pointer.\n\nThe generic is_swap_pte() check then incorrectly identifies this address\nas a swap entry on LoongArch, because it satisfies the \"!pte_present()\n&& !pte_none()\" conditions. This misinterpretation, combined with a\ncoincidental match by is_migration_entry() on the address bits, leads to\nkernel crashes in pfn_swap_entry_to_page().\n\nFix this at the architecture level by modifying huge_pte_offset() to\ncheck the PMD entry's content using pmd_none() before returning. 
If the\nentry is invalid (i.e., it points to invalid_pte_table), return NULL\ninstead of the pointer to the slot.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2ca9380b12711afe95b3589bd82b59623b3c96b3","https://git.kernel.org/stable/c/34256805720993e37adf6127371a1265aea8376a","https://git.kernel.org/stable/c/51424fd171cee6a33f01f7c66b8eb23ac42289d4","https://git.kernel.org/stable/c/b49f085cd671addbda4802d6b9382513f7dd0f30","https://git.kernel.org/stable/c/bd51834d1cf65a2c801295d230c220aeebf87a73","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37819","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()\n\nWith ACPI in place, gicv2m_get_fwnode() is registered with the pci\nsubsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime\nduring a PCI host bridge probe. 
But, the call back is wrongly marked as\n__init, causing it to be freed, while being registered with the PCI\nsubsystem and could trigger:\n\n Unable to handle kernel paging request at virtual address ffff8000816c0400\n  gicv2m_get_fwnode+0x0/0x58 (P)\n  pci_set_bus_msi_domain+0x74/0x88\n  pci_register_host_bridge+0x194/0x548\n\nThis is easily reproducible on a Juno board with ACPI boot.\n\nRetain the function for later use.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00082,"ranking_epss":0.24195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c241dedc43a036599757cd08f356253fa3e5014","https://git.kernel.org/stable/c/2f2803e4b5e4df2b08d378deaab78b1681ef9b30","https://git.kernel.org/stable/c/3318dc299b072a0511d6dfd8367f3304fb6d9827","https://git.kernel.org/stable/c/3939d6f29d34cdb60e3f68b76e39e00a964a1d51","https://git.kernel.org/stable/c/47bee0081b483b077c7560bc5358ad101f89c8ef","https://git.kernel.org/stable/c/b63de43af8d215b0499eac28b2caa4439183efc1","https://git.kernel.org/stable/c/dc0d654eb4179b06d3206e4396d072108b9ba082","https://git.kernel.org/stable/c/f95659affee301464f0d058d528d96b35b452da8","https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-08T07:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37820","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: handle NULL returned by xdp_convert_buff_to_frame()\n\nThe function xdp_convert_buff_to_frame() may return NULL if it fails\nto correctly convert the XDP buffer into an XDP frame due to memory\nconstraints, internal errors, or invalid data. 
Failing to check for NULL\nmay lead to a NULL pointer dereference if the result is used later in\nprocessing, potentially causing crashes, data corruption, or undefined\nbehavior.\n\nOn XDP redirect failure, the associated page must be released explicitly\nif it was previously retained via get_page(). Failing to do so may result\nin a memory leak, as the pages reference count is not decremented.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5b83d30c63f9964acb1bc63eb8e670b9e0d2c240","https://git.kernel.org/stable/c/cc3628dcd851ddd8d418bf0c897024b4621ddc92","https://git.kernel.org/stable/c/cefd8a2e2de46209ce66e6d30c237eb59b6c5bfa","https://git.kernel.org/stable/c/d6a9c4e6f9b3ec3ad98468c950ad214af8a2efb9","https://git.kernel.org/stable/c/eefccd889df3b49d92e7349d94c4aa7e1ba19f6c","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37823","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too\n\nSimilarly to the previous patch, we need to safe guard hfsc_dequeue()\ntoo. 
But for this one, we don't have a reliable reproducer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00052,"ranking_epss":0.16507,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11bccb054c1462fb069219f8e98e97a5a730758e","https://git.kernel.org/stable/c/2f46d14919c39528c6e540ebc43f90055993eedc","https://git.kernel.org/stable/c/68f256305ceb426d545a0dc31f83c2ab1d211a1e","https://git.kernel.org/stable/c/6ccbda44e2cc3d26fd22af54c650d6d5d801addf","https://git.kernel.org/stable/c/76c4c22c2437d3d3880efc0f62eca06ef078d290","https://git.kernel.org/stable/c/c6936266f8bf98a53f28ef9a820e6a501e946d09","https://git.kernel.org/stable/c/c6f035044104c6ff656f4565cd22938dc892528c","https://git.kernel.org/stable/c/da7936518996d290e2fcfcaf6cd7e15bfd87804a","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37824","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL pointer dereference in tipc_mon_reinit_self()\n\nsyzbot reported:\n\ntipc: Node number set to 1055423674\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: events tipc_net_finalize_work\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 
0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n...\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nThere is a racing condition between workqueue created when enabling\nbearer and another thread created when disabling bearer right after\nthat as follow:\n\nenabling_bearer                          | disabling_bearer\n---------------                          | 
----------------\ntipc_disc_timeout()                      |\n{                                        | bearer_disable()\n ...                                     | {\n schedule_work(&tn->work);               |  tipc_mon_delete()\n ...                                     |  {\n}                                        |   ...\n                                         |   write_lock_bh(&mon->lock);\n                                         |   mon->self = NULL;\n                                         |   write_unlock_bh(&mon->lock);\n                                         |   ...\n                                         |  }\ntipc_net_finalize_work()                 | }\n{                                        |\n ...                                     |\n tipc_net_finalize()                     |\n {                                       |\n  ...                                    |\n  tipc_mon_reinit_self()                 |\n  {                                      |\n   ...                                   |\n   write_lock_bh(&mon->lock);            |\n   mon->self->addr = tipc_own_addr(net); |\n   write_unlock_bh(&mon->lock);          |\n   ...             
\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ceef62a328ce1288598c9242576292671f21e96","https://git.kernel.org/stable/c/4d5e1e2d3e9d70beff7beab44fd6ce91405a405e","https://git.kernel.org/stable/c/5fd464fd24de93d0eca377554bf0ff2548f76f30","https://git.kernel.org/stable/c/a3df56010403b2cd26388096ebccf959d23c4dcc","https://git.kernel.org/stable/c/d63527e109e811ef11abb1c2985048fdb528b4cb","https://git.kernel.org/stable/c/dd6cb0a8575b00fbd503e96903184125176f4fa3","https://git.kernel.org/stable/c/e6613b6d41f4010c4d484cbc7bfca690d8d522a2","https://git.kernel.org/stable/c/e79e8e05aa46f90d21023f0ffe6f136ed6a20932","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37810","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: check that event count does not exceed event buffer length\n\nThe event count is read from register DWC3_GEVNTCOUNT.\nThere is a check for the count being zero, but not for exceeding the\nevent buffer length.\nCheck that event count does not exceed event buffer length,\navoiding an out-of-bounds access when memcpy'ing the event.\nCrash log:\nUnable to handle kernel paging request at virtual address ffffffc0129be000\npc : __memcpy+0x114/0x180\nlr : dwc3_check_event_buf+0xec/0x348\nx3 : 0000000000000030 x2 : 000000000000dfc4\nx1 : ffffffc0129be000 x0 : ffffff87aad60080\nCall 
trace:\n__memcpy+0x114/0x180\ndwc3_interrupt+0x24/0x34","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00067,"ranking_epss":0.20977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/015c39f38e69a491d2abd5e98869a500a9459b3b","https://git.kernel.org/stable/c/52a7c9d930b95aa8b1620edaba4818040c32631f","https://git.kernel.org/stable/c/63ccd26cd1f6600421795f6ca3e625076be06c9f","https://git.kernel.org/stable/c/99d655119b870ee60e4dbf310aa9a1ed8d9ede3d","https://git.kernel.org/stable/c/a44547015287a19001384fe94dbff84c92ce4ee1","https://git.kernel.org/stable/c/b43225948b231b3f331194010f84512bee4d9f59","https://git.kernel.org/stable/c/c0079630f268843a25ed75226169cba40e0d8880","https://git.kernel.org/stable/c/c4d80e41cb42008dceb35e5dbf52574d93beac0d","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37811","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: ci_hdrc_imx: fix usbmisc handling\n\nusbmisc is an optional device property so it is totally valid for the\ncorresponding data->usbmisc_data to have a NULL value.\n\nCheck that before dereferencing the pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace static\nanalysis 
tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ee460498ced49196149197c9f6d29a10e5e0798","https://git.kernel.org/stable/c/121e9f80ea5478bca3a8f3f26593fd66f87da649","https://git.kernel.org/stable/c/2aa87bd825377f5073b76701780a902cd0fc725a","https://git.kernel.org/stable/c/4e28f79e3dffa52d327b46d1a78dac16efb5810b","https://git.kernel.org/stable/c/8060b719676e8c0e5a2222c2977ba0458d9d9535","https://git.kernel.org/stable/c/887902ca73490f38c69fd6149ef361a041cf912f","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37812","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: Fix deadlock when using NCM gadget\n\nThe cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit\n58f2fcb3a845 (\"usb: cdnsp: Fix deadlock issue during using NCM gadget\").\n\nUnder PREEMPT_RT the deadlock can be readily triggered by heavy network\ntraffic, for example using \"iperf --bidir\" over NCM ethernet link.\n\nThe deadlock occurs because the threaded interrupt handler gets\npreempted by a softirq, but both are protected by the same spinlock.\nPrevent deadlock by disabling softirq during threaded irq 
handler.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00051,"ranking_epss":0.16179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09e90a9689a4aac7a2f726dc2aa472b0b37937b7","https://git.kernel.org/stable/c/48a62deb857f0694f611949015e70ad194d97159","https://git.kernel.org/stable/c/59a760e4796a3cd88d8b9d7706e0a638de677751","https://git.kernel.org/stable/c/74cd6e408a4c010e404832f0e4609d29bf1d0c41","https://git.kernel.org/stable/c/a1059896f2bfdcebcdc7153c3be2307ea319501f","https://git.kernel.org/stable/c/b96239582531775f2fdcb14de29bdb6870fd4c8c","https://git.kernel.org/stable/c/c27db84ed44e50ff90d9e3a2a25fae2e0a0fa015","https://git.kernel.org/stable/c/eebfb64c624fc738b669100173344fb441c5e719","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37817","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: fix a double free bug in chameleon_parse_gdd()\n\nIn chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'\nwould be released in mcb_device_register() via put_device().\nThus, goto 'err' label and free 'mdev' again causes a double free.\nJust return if mcb_device_register() 
fails.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00067,"ranking_epss":0.20977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4ffe8c9fb561e4427dd1a3056cd5b3685b74f78d","https://git.kernel.org/stable/c/59f993cd36b6e28a394ba3d977e8ffe5c9884e3b","https://git.kernel.org/stable/c/7c7f1bfdb2249f854a736d9b79778c7e5a29a150","https://git.kernel.org/stable/c/96838eb1836fd372e42be5db84f0b333b65146a6","https://git.kernel.org/stable/c/bcc7d58ee5173e34306026bd01e1fbf75e169d37","https://git.kernel.org/stable/c/c5b8a549ef1fcc6066b037a3962c79d60465ba0b","https://git.kernel.org/stable/c/d70184958b0ea8c0fd52e2b456654b503e769fc8","https://git.kernel.org/stable/c/df1a5d5c6134224f9298e5189230f9d29ae50cac","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37808","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: null - Use spin lock instead of mutex\n\nAs the null algorithm may be freed in softirq context through\naf_alg, use spin locks instead of mutexes to protect the default\nnull 
algorithm.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0486de3c1b8223138dcc614846bd76364f758de6","https://git.kernel.org/stable/c/1b66a5920b7fc7cc6251192a3fcad115b6d75dd5","https://git.kernel.org/stable/c/1dd4a8561d85dea545cf93f56efc48df8176e218","https://git.kernel.org/stable/c/8cf2945512a8c0ef74ddd5b5a4f6b6a2fb1a4efb","https://git.kernel.org/stable/c/dcc47a028c24e793ce6d6efebfef1a1e92f80297","https://git.kernel.org/stable/c/e27244cbe10658a66b8775be7f0acc4ad2f618d6","https://git.kernel.org/stable/c/e307c54ac8198bf09652c72603ba6e6d97798410","https://git.kernel.org/stable/c/f7a5a5c8e1ec16a4b2041398abe95de0e14572ef","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-08T07:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-47619","summary":"syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. 
Version 4.8.2 contains a fix for the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00507,"ranking_epss":0.66238,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/syslog-ng/syslog-ng/blob/b0ccc8952d333fbc2d97e51fddc0b569a15e7a7d/lib/transport/tls-verifier.c#L78-L110","https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006","https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2","https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg","https://lists.debian.org/debian-lts-announce/2025/05/msg00034.html","https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg"],"published_time":"2025-05-07T16:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-21546","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix WRITE_SAME No Data Buffer crash\n\nIn newer version of the SBC specs, we have a NDOB bit that indicates there\nis no data buffer that gets written out. If this bit is set using commands\nlike \"sg_write_same --ndob\" we will crash in target_core_iblock/file's\nexecute_write_same handlers when we go to access the se_cmd->t_data_sg\nbecause its NULL.\n\nThis patch adds a check for the NDOB bit in the common WRITE SAME code\nbecause we don't support it. 
And, it adds a check for zero SG elements in\neach handler in case the initiator tries to send a normal WRITE SAME with\nno data buffer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00068,"ranking_epss":0.21072,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510","https://git.kernel.org/stable/c/54e57be2573cf0b8bf650375fd8752987b6c3d3b","https://git.kernel.org/stable/c/ccd3f449052449a917a3e577d8ba0368f43b8f29","https://git.kernel.org/stable/c/d8e6a27e9238dd294d6f2f401655f300dca20899","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-02T22:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-4215","summary":"A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. 
It is recommended to upgrade the affected component.","cvss":3.1,"cvss_version":3.0,"cvss_v2":2.6,"cvss_v3":3.1,"epss":0.0134,"ranking_epss":0.79969,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c","https://github.com/gorhill/uBlock/releases/tag/1.63.3b17","https://vuldb.com/?ctiid.307194","https://vuldb.com/?id.307194","https://vuldb.com/?submit.562301","https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html","https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"],"published_time":"2025-05-02T21:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37797","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. 
Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn't emptied.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00082,"ranking_epss":0.24195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/20d584a33e480ae80d105f43e0e7b56784da41b9","https://git.kernel.org/stable/c/28b09a067831f7317c3841812276022d6c940677","https://git.kernel.org/stable/c/39b9095dd3b55d9b2743df038c32138efa34a9de","https://git.kernel.org/stable/c/3aa852e3605000d5c47035c3fc3a986d14ccfa9f","https://git.kernel.org/stable/c/3df275ef0a6ae181e8428a6589ef5d5231e58b5c","https://git.kernel.org/stable/c/86cd4641c713455a4f1c8e54c370c598c2b1cee0","https://git.kernel.org/stable/c/bb583c88d23b72d8d16453d24856c99bd93dadf5","https://git.kernel.org/stable/c/fcc8ede663569c704fb00a702973bd6c00373283","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-02T15:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37798","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncodel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()\n\nAfter making all ->qlen_notify() callbacks idempotent, now it is safe to\nremove the check of qlen!=0 from both fq_codel_dequeue() 
and\ncodel_qdisc_dequeue().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00078,"ranking_epss":0.23445,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2f9761a94bae33d26e6a81b31b36e7d776d93dc1","https://git.kernel.org/stable/c/342debc12183b51773b3345ba267e9263bdfaaef","https://git.kernel.org/stable/c/4d55144b12e742404bb3f8fee6038bafbf45619d","https://git.kernel.org/stable/c/7a742a9506849d1c1aa71e36c89855ceddc7d58e","https://git.kernel.org/stable/c/829c49b6b2ff45b043739168fd1245e4e1a91a30","https://git.kernel.org/stable/c/a57fe60ef4cf96bfbb6b58397ec28bdb5a5c6b31","https://git.kernel.org/stable/c/cc71a757da78dd4aa1b4a9b19cb011833730ccf2","https://git.kernel.org/stable/c/e73c838c80dccb9e4f19becc11d9f3cb4a27d483","https://git.kernel.org/stable/c/eda741fe155ddf5ecd2dd3bfbd4fc3c0c7dbb450","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-05-02T15:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37788","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path\n\nIn the for loop used to allocate the loc_array and bmap for each port, a\nmemory leak is possible when the allocation for loc_array succeeds,\nbut the allocation for bmap fails. 
This is because when the control flow\ngoes to the label free_eth_finfo, only the allocations starting from\n(i-1)th iteration are freed.\n\nFix that by freeing the loc_array in the bmap allocation error path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00ffb3724ce743578163f5ade2884374554ca021","https://git.kernel.org/stable/c/08aa59c0be768596467552c129e9f82166779a67","https://git.kernel.org/stable/c/118d05b530343cd9322607b9719405ba254a4183","https://git.kernel.org/stable/c/76deedea08899885f076aba0bb80bd1276446822","https://git.kernel.org/stable/c/dafb6e433ab2333b67be05433dc9c6ccbc7b1284","https://git.kernel.org/stable/c/e9de08e15aee35b96064960f95997bb6c1209c4b","https://git.kernel.org/stable/c/fa2d7708955e4f8212fd69bab1da604e60cb0b15","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37789","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix nested key length validation in the set() action\n\nIt's not safe to access nla_len(ovs_key) if the data is smaller than\nthe netlink header.  
Check that the attribute is OK first.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00067,"ranking_epss":0.20977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03d7262dd53e8c404da35cc81aaa887fd901f76b","https://git.kernel.org/stable/c/1489c195c8eecd262aa6712761ba5288203e28ec","https://git.kernel.org/stable/c/54c6957d1123a2032099b9eab51c314800f677ce","https://git.kernel.org/stable/c/65d91192aa66f05710cfddf6a14b5a25ee554dba","https://git.kernel.org/stable/c/7fcaec0b2ab8fa5fbf0b45e5512364a168f445bd","https://git.kernel.org/stable/c/824a7c2df5127b2402b68a21a265d413e78dcad7","https://git.kernel.org/stable/c/a27526e6b48eee9e2d82efff502c4f272f1a91d4","https://git.kernel.org/stable/c/be80768d4f3b6fd13f421451cc3fee8778aba8bc","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37790","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Set SOCK_RCU_FREE\n\nBind lookup runs under RCU, so ensure that a socket doesn't go away in\nthe middle of a 
lookup.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3f899bd6dd56ddc46509b526e23a8f0a97712a6d","https://git.kernel.org/stable/c/52024cd6ec71a6ca934d0cc12452bd8d49850679","https://git.kernel.org/stable/c/5c1313b93c8c2e3904a48aa88e2fa1db28c607ae","https://git.kernel.org/stable/c/a8a3b61ce140e2b0a72a779e8d70f60c0cf1e47a","https://git.kernel.org/stable/c/b9764ebebb007249fb733a131b6110ff333b6616","https://git.kernel.org/stable/c/e3b5edbdb45924a7d4206d13868a2aac71f1e53d","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37792","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btrtl: Prevent potential NULL dereference\n\nThe btrtl_initialize() function checks that rtl_load_file() either\nhad an error or it loaded a zero length file.  However, if it loaded\na zero length file then the error code is not set correctly.  It\nresults in an error pointer vs NULL bug, followed by a NULL pointer\ndereference.  
This was detected by Smatch:\n\ndrivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2d7c60c2a38b4b461fa960ad0995136a6bfe0756","https://git.kernel.org/stable/c/324dddea321078a6eeb535c2bff5257be74c9799","https://git.kernel.org/stable/c/3db6605043b50c8bb768547b23e0222f67ceef3e","https://git.kernel.org/stable/c/53ceef799dcfc22c734d600811bfc9dd32eaea0a","https://git.kernel.org/stable/c/73dc99c0ea94abd22379b2d82cacbc73f3e18ec1","https://git.kernel.org/stable/c/aaf356f872a60db1e96fb762a62c4607fd22741f","https://git.kernel.org/stable/c/c3e9717276affe59fd8213706db021b493e81e34","https://git.kernel.org/stable/c/d8441818690d795232331bd8358545c5c95b6b72","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37781","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cros-ec-tunnel: defer probe if parent EC is not present\n\nWhen i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent\ndevice will not be found, leading to NULL pointer dereference.\n\nThat can also be reproduced by unbinding the controller driver and then\nloading i2c-cros-ec-tunnel module (or binding the device).\n\n[  271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[  271.998215] #PF: supervisor read access in kernel mode\n[  272.003351] #PF: error_code(0x0000) - not-present page\n[  272.008485] PGD 0 P4D 0\n[  272.011022] Oops: Oops: 0000 [#1] SMP NOPTI\n[  272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S                  6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full)  
3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5\n[  272.030312] Tainted: [S]=CPU_OUT_OF_SPEC\n[  272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021\n[  272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]\n[  272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9\n[  272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282\n[  272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000\n[  272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00\n[  272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000\n[  272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000\n[  272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10\n[  272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000\n[  272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0\n[  272.129155] Call Trace:\n[  272.131606]  <TASK>\n[  272.133709]  ? acpi_dev_pm_attach+0xdd/0x110\n[  272.137985]  platform_probe+0x69/0xa0\n[  272.141652]  really_probe+0x152/0x310\n[  272.145318]  __driver_probe_device+0x77/0x110\n[  272.149678]  driver_probe_device+0x1e/0x190\n[  272.153864]  __driver_attach+0x10b/0x1e0\n[  272.157790]  ? driver_attach+0x20/0x20\n[  272.161542]  bus_for_each_dev+0x107/0x150\n[  272.165553]  bus_add_driver+0x15d/0x270\n[  272.169392]  driver_register+0x65/0x110\n[  272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]\n[  272.182617]  do_one_initcall+0x110/0x350\n[  272.186543]  ? security_kernfs_init_security+0x49/0xd0\n[  272.191682]  ? __kernfs_new_node+0x1b9/0x240\n[  272.195954]  ? 
security_kernfs_init_security+0x49/0xd0\n[  272.201093]  ? __kernfs_new_node+0x1b9/0x240\n[  272.205365]  ? kernfs_link_sibling+0x105/0x130\n[  272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0\n[  272.214773]  ? kernfs_activate+0x57/0x70\n[  272.218699]  ? kernfs_add_one+0x118/0x160\n[  272.222710]  ? __kernfs_create_file+0x71/0xa0\n[  272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110\n[  272.232033]  ? internal_create_group+0x453/0x4a0\n[  272.236651]  ? __vunmap_range_noflush+0x214/0x2d0\n[  272.241355]  ? __free_frozen_pages+0x1dc/0x420\n[  272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0\n[  272.250505]  ? load_module+0x1509/0x16f0\n[  272.254431]  do_init_module+0x60/0x230\n[  272.258181]  __se_sys_finit_module+0x27a/0x370\n[  272.262627]  do_syscall_64+0x6a/0xf0\n[  272.266206]  ? do_syscall_64+0x76/0xf0\n[  272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90\n[  272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[  272.279887] RIP: 0033:0x7b9309168d39\n[  272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8\n[  272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 
000\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/092de5ac8cb2eaa9593a765fa92ba39d8173f984","https://git.kernel.org/stable/c/1355b5ca4782be85a2ef7275e4c508f770d0fb27","https://git.kernel.org/stable/c/3090cad5ccff8963b95160f4060068048a1e4c4c","https://git.kernel.org/stable/c/424eafe65647a8d6c690284536e711977153195a","https://git.kernel.org/stable/c/b66d4910a608427367c4e21499e149f085782df7","https://git.kernel.org/stable/c/cd83035b6f2a102c2d5acd3bfb2a11ff967aaba6","https://git.kernel.org/stable/c/da8edc9eb2516aface7f86be5fa6d09c0d07b9f8","https://git.kernel.org/stable/c/e89bf1311d4497c6743f3021e9c481b16c3a41c9","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37775","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix the warning from __kernel_write_iter\n\n[ 2110.972290] ------------[ cut here ]------------\n[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280\n\nThis patch doesn't allow writing to 
directory.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19772,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1ed343481ba6911178bc5ca7a51be319eafcc747","https://git.kernel.org/stable/c/2a879da5c34a1e5d971e815d5b30f27eb6d69efc","https://git.kernel.org/stable/c/44079e544c9f6e3e9fb43a16ddf8b08cf686d657","https://git.kernel.org/stable/c/b37f2f332b40ad1c27f18682a495850f2f04db0a","https://git.kernel.org/stable/c/b7ce8db490286c2e009758fa1416d66aeb333614","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37778","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix dangling pointer in krb_authenticate\n\nkrb_authenticate frees sess->user and does not set the pointer\nto NULL. It calls ksmbd_krb5_authenticate to reinitialise\nsess->user but that function may return without doing so. 
If\nthat happens then smb2_sess_setup, which calls krb_authenticate,\nwill be accessing free'd memory when it later uses sess->user.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0007,"ranking_epss":0.21501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325","https://git.kernel.org/stable/c/1e440d5b25b7efccb3defe542a73c51005799a5f","https://git.kernel.org/stable/c/6e30c0e10210c714f3d4453dc258d4abcc70364e","https://git.kernel.org/stable/c/d5b554bc8d554ed6ddf443d3db2fad9f665cec10","https://git.kernel.org/stable/c/e83e39a5f6a01a81411a4558a59a10f87aa88dd6","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37780","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: Prevent the use of too small fid\n\nsyzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. 
[1]\n\nThe handle_bytes value passed in by the reproducing program is equal to 12.\nIn handle_to_path(), only 12 bytes of memory are allocated for the structure\nfile_handle->f_handle member, which causes an out-of-bounds access when\naccessing the member parent_block of the structure isofs_fid in isofs,\nbecause accessing parent_block requires at least 16 bytes of f_handle.\nHere, fh_len is used to indirectly confirm that the value of handle_bytes\nis greater than 3 before accessing parent_block.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\nRead of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466\nCPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x198/0x550 mm/kasan/report.c:521\n kasan_report+0xd8/0x138 mm/kasan/report.c:634\n __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380\n isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\n exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523\n do_handle_to_path+0xa0/0x198 fs/fhandle.c:257\n handle_to_path fs/fhandle.c:385 [inline]\n do_handle_open+0x8cc/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 
arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 6466:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306\n kmalloc_noprof include/linux/slab.h:905 [inline]\n handle_to_path fs/fhandle.c:357 [inline]\n do_handle_open+0x5a4/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c 
arch/arm64/kernel/entry.S:600","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00052,"ranking_epss":0.16507,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e","https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845","https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb","https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b","https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0","https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a","https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa","https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37769","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm/smu11: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n(cherry picked from commit 
da7dc714a8f8e1c9fc33c57cd63583779a3bef71)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/63a150400194592206817124268ff6f43947e8c9","https://git.kernel.org/stable/c/7ba88b5cccc1a99c1afb96e31e7eedac9907704c","https://git.kernel.org/stable/c/de2cba068c9c648503973b57696d035cfe58a9f6","https://git.kernel.org/stable/c/de6f8e0534cfabc528c969d453150ca90b24fb01","https://git.kernel.org/stable/c/fc9d55377353321e78f9e108d15f72a17e8c6ee2","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37770","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05de66de280ea1bd0459c994bfd2dd332cfbc2a9","https://git.kernel.org/stable/c/0c02fcbe4a1393a3c02da6ae35e72493cfdb2155","https://git.kernel.org/stable/c/4b8c3c0d17c07f301011e2908fecd2ebdcfe3d1c","https://git.kernel.org/stable/c/587de3ca7875c06fe3c3aa4073a85c4eff46591f","https://git.kernel.org/stable/c/836a189fb422e7efb81c51d5160e47ec7bc11500","https://git.kernel.org/stable/c/bd4d90adbca1862d03e581e10e74ab73ec75e61b","https://git.kernel.org/stable/c/e109528bbf460e50074c156253d9080d223ee37f","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37771","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/402964994e8ece29702383b234fabcf04791ff95","https://git.kernel.org/stable/c/5096174074114f83c700a27869c54362cbb10f3e","https://git.kernel.org/stable/c/6413fed016208171592c88b5df002af8a1387e24","https://git.kernel.org/stable/c/7d641c2b83275d3b0424127b2e0d2d0f7dd82aef","https://git.kernel.org/stable/c/b7c41df4913789ebfe73cc1e17c6401d4c5eab69","https://git.kernel.org/stable/c/baa54adb5e0599299b8f088efb5544d876a3eb62","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37772","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix workqueue crash in cma_netevent_work_handler\n\nstruct rdma_cm_id has member \"struct work_struct net_work\"\nthat is reused for enqueuing cma_netevent_work_handler()s\nonto cma_wq.\n\nBelow crash[1] can occur if more than one call to\ncma_netevent_callback() occurs in quick succession,\nwhich further enqueues cma_netevent_work_handler()s for the\nsame rdma_cm_id, overwriting any previously queued work-item(s)\nthat was just scheduled to run i.e. there is no guarantee\nthe queued work item may run between two successive calls\nto cma_netevent_callback() and the 2nd INIT_WORK would overwrite\nthe 1st work item (for the same rdma_cm_id), despite grabbing\nid_table_lock during enqueue.\n\nAlso drgn analysis [2] indicates the work item was likely overwritten.\n\nFix this by moving the INIT_WORK() to __rdma_create_id(),\nso that it doesn't race with any existing queue_work() or\nits worker thread.\n\n[1] Trimmed crash stack:\n=============================================\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nkworker/u256:6 ... 
6.12.0-0...\nWorkqueue:  cma_netevent_work_handler [rdma_cm] (rdma_cm)\nRIP: 0010:process_one_work+0xba/0x31a\nCall Trace:\n worker_thread+0x266/0x3a0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n=============================================\n\n[2] drgn crash analysis:\n\n>>> trace = prog.crashed_thread().stack_trace()\n>>> trace\n(0)  crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)\n(1)  __crash_kexec (kernel/crash_core.c:122:4)\n(2)  panic (kernel/panic.c:399:3)\n(3)  oops_end (arch/x86/kernel/dumpstack.c:382:3)\n...\n(8)  process_one_work (kernel/workqueue.c:3168:2)\n(9)  process_scheduled_works (kernel/workqueue.c:3310:3)\n(10) worker_thread (kernel/workqueue.c:3391:4)\n(11) kthread (kernel/kthread.c:389:9)\n\nLine workqueue.c:3168 for this kernel version is in process_one_work():\n3168\tstrscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);\n\n>>> trace[8][\"work\"]\n*(struct work_struct *)0xffff92577d0a21d8 = {\n\t.data = (atomic_long_t){\n\t\t.counter = (s64)536870912,    <=== Note\n\t},\n\t.entry = (struct list_head){\n\t\t.next = (struct list_head *)0xffff924d075924c0,\n\t\t.prev = (struct list_head *)0xffff924d075924c0,\n\t},\n\t.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,\n}\n\nSuspicion is that pwq is NULL:\n>>> trace[8][\"pwq\"]\n(struct pool_workqueue *)<absent>\n\nIn process_one_work(), pwq is assigned from:\nstruct pool_workqueue *pwq = get_work_pwq(work);\n\nand get_work_pwq() is:\nstatic struct pool_workqueue *get_work_pwq(struct work_struct *work)\n{\n \tunsigned long data = atomic_long_read(&work->data);\n\n \tif (data & WORK_STRUCT_PWQ)\n \t\treturn work_struct_pwq(data);\n \telse\n \t\treturn NULL;\n}\n\nWORK_STRUCT_PWQ is 0x4:\n>>> print(repr(prog['WORK_STRUCT_PWQ']))\nObject(prog, 'enum work_flags', value=4)\n\nBut work->data is 536870912 which is 0x20000000.\nSo, get_work_pwq() returns NULL and we crash in process_one_work():\n3168\tstrscpy(worker->desc, pwq->wq->name, 
WORKER_DESC_LEN);\n=============================================","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14","https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7","https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447","https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a","https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37773","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: add filesystem context source name check\n\nIn certain scenarios, for example, during fuzz testing, the source\nname may be NULL, which could lead to a kernel panic. 
Therefore, an\nextra check for the source name should be added.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe","https://git.kernel.org/stable/c/5ee09cdaf3414f6c92960714af46d3d90eede2f3","https://git.kernel.org/stable/c/9d6dcf18a1b49990295ac8a05fd9bdfd27ccbf88","https://git.kernel.org/stable/c/a648d80f8d9b208beee03a2d9aa690cfacf1d41e","https://git.kernel.org/stable/c/a94fd938df2b1628da66b498aa0eeb89593bc7a2","https://git.kernel.org/stable/c/b84f13fdad10a543e2e65bab7e81b3f0bceabd67","https://git.kernel.org/stable/c/c3e31d613951c299487844c4d1686a933e8ee291","https://git.kernel.org/stable/c/f6ec52710dc5e156b774cbef5d0f5c99b1c53a80","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37765","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix ttm_bo_delayed_delete oops\n\nFix an oops in ttm_bo_delayed_delete which results from dererencing a\ndangling pointer:\n\nOops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP\nCPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216\nHardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024\nWorkqueue: ttm ttm_bo_delayed_delete [ttm]\nRIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290\nCode: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b\nRSP: 0018:ffffbf9383473d60 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 
0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b\nR13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc\nFS:  0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body.cold+0x19/0x26\n ? die_addr+0x3d/0x70\n ? exc_general_protection+0x159/0x460\n ? asm_exc_general_protection+0x27/0x30\n ? dma_resv_iter_first_unlocked+0x55/0x290\n dma_resv_wait_timeout+0x56/0x100\n ttm_bo_delayed_delete+0x69/0xb0 [ttm]\n process_one_work+0x217/0x5c0\n worker_thread+0x1c8/0x3d0\n ? apply_wqattrs_cleanup.part.0+0xc0/0xc0\n kthread+0x10b/0x240\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork+0x40/0x70\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork_asm+0x11/0x20\n </TASK>\n\nThe cause of this is:\n\n- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the\n  reference to the shared dma_buf. The reference count is 0, so the\n  dma_buf is destroyed, which in turn decrements the corresponding\n  amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -\n  calling drm_gem_object_release then dma_resv_fini (which destroys the\n  reservation object), then finally freeing the amdgpu_bo.\n\n- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory\n  formerly allocated to the amdgpu_bo.\n\n- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls\n  ttm_bo_release, which schedules ttm_bo_delayed_delete.\n\n- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,\n  resulting in a general protection fault.\n\nFix this by moving the drm_prime_gem_destroy call from\nnouveau_gem_object_del to nouveau_bo_del_ttm. 
This ensures that it will\nbe run after ttm_bo_delayed_delete.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12b038d521c75e3521522503becf3bc162628469","https://git.kernel.org/stable/c/31e94c7989572f96926673614a3b958915a13ca9","https://git.kernel.org/stable/c/47761deabb69a5df0c2c4ec400d80bb3e072bd2e","https://git.kernel.org/stable/c/6b95947ee780f4e1fb26413a1437d05bcb99712b","https://git.kernel.org/stable/c/6e2c805996a49998d31ac522beb1534ca417e761","https://git.kernel.org/stable/c/706868a1a1072cffd8bd63f7e161d79141099849","https://git.kernel.org/stable/c/8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3","https://git.kernel.org/stable/c/ada78110b2d3ec88b398a49703bd336d4cee7a08","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37766","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/068091b796480819bf70b159f17e222ad8bea900","https://git.kernel.org/stable/c/42f7b5d12c28b2a601a98d10a80c6db1fe1a2900","https://git.kernel.org/stable/c/4e3d9508c056d7e0a56b58d5c81253e2a0d22b6c","https://git.kernel.org/stable/c/6b9f9b998b107c7539f148a013d789ddb860c3b9","https://git.kernel.org/stable/c/80814924260cea431a8fc6137d11cc8cb331a10c","https://git.kernel.org/stable/c/affd2241927a1e74c0aecd50c2d920dc4213c56d","https://git.kernel.org/stable/c/ce773dd844ee19a605af27f11470887e0f2044a9","https://git.kernel.org/stable/c/ffd688804425579a472fbd2525bedb58b1d28bd9","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37767","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/327107bd7f052f4ee2d0c966c7ae879822f1814f","https://git.kernel.org/stable/c/8f7b5987e21e003cafac28f0e4d323e6496f83ba","https://git.kernel.org/stable/c/c3ff73e3bddf1a6c30d7effe4018d12ba0cadd2e","https://git.kernel.org/stable/c/f23e9116ebb71b63fe9cec0dcac792aa9af30b0c","https://git.kernel.org/stable/c/f2904fa2b9da943db6bef7c0f8b3fb4fc14acbc4","https://git.kernel.org/stable/c/fb803d4bb9ea0a61c21c4987505e4d4ae18f9fdc","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37768","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with 
SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3cdd02cb70682d7d205ca6dc02a4d1eb76758d24","https://git.kernel.org/stable/c/5fc4fb54f6f064c25bfbbfd443aa861d3422dd4c","https://git.kernel.org/stable/c/7c246a05df51c52fe0852ce56ba10c41e6ed1f39","https://git.kernel.org/stable/c/8e9c4f8d197d5709c75effa5d58e80b4fa01981a","https://git.kernel.org/stable/c/9e4f1e21fe7b93a8ef57db433071266c2590e260","https://git.kernel.org/stable/c/b0742a709be7979c7a480772046a1f36d09dab00","https://git.kernel.org/stable/c/be0fffc4152aac4f0291ed2d793f3cfee788449d","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T14:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37756","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: explicitly disallow disconnect\n\nsyzbot discovered that it can disconnect a TLS socket and then\nrun into all sort of unexpected corner cases. 
I have a vague\nrecollection of Eric pointing this out to us a long time ago.\nSupporting disconnect is really hard, for one thing if offload\nis enabled we'd need to wait for all packets to be _acked_.\nDisconnect is not commonly used, disallow it.\n\nThe immediate problem syzbot run into is the warning in the strp,\nbut that's just the easiest bug to trigger:\n\n  WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  Call Trace:\n   <TASK>\n   tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363\n   tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043\n   inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678\n   sock_recvmsg_nosec net/socket.c:1023 [inline]\n   sock_recvmsg+0x109/0x280 net/socket.c:1045\n   __sys_recvfrom+0x202/0x380 net/socket.c:2237","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.0697,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2bcad8fefcecdd5f005d8c550b25d703c063c34a","https://git.kernel.org/stable/c/5071a1e606b30c0c11278d3c6620cd6a24724cf6","https://git.kernel.org/stable/c/7bdcf5bc35ae59fc4a0fa23276e84b4d1534a3cf","https://git.kernel.org/stable/c/8513411ec321942bd3cfed53d5bb700665c67d86","https://git.kernel.org/stable/c/9fcbca0f801580cbb583e9cb274e2c7fbe766ca6","https://git.kernel.org/stable/c/ac91c6125468be720eafde9c973994cb45b61d44","https://git.kernel.org/stable/c/c665bef891e8972e1d3ce5bbc0d42a373346a2c3","https://git.kernel.org/stable/c/f3ce4d3f874ab7919edca364c147ac735f9f1d04","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37757","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix memory leak 
in tipc_link_xmit\n\nIn case the backlog transmit queue for system-importance messages is overloaded,\ntipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to\nmemory leak and failure when a skb is allocated.\n\nThis commit fixes this issue by purging the skb list before tipc_link_xmit()\nreturns.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09c2dcda2c551bba30710c33f6ac678ae7395389","https://git.kernel.org/stable/c/24e6280cdd7f8d01fc6b9b365fb800c2fb7ea9bb","https://git.kernel.org/stable/c/69ae94725f4fc9e75219d2d69022029c5b24bc9a","https://git.kernel.org/stable/c/7c5957f7905b4aede9d7a559d271438f3ca9e852","https://git.kernel.org/stable/c/84895f5ce3829d9fc030e5ec2d8729da4c0c9d08","https://git.kernel.org/stable/c/a40cbfbb8f95c325430f017883da669b2aa927d4","https://git.kernel.org/stable/c/d0e02d3d27a0b4dcb13f954f537ca1dd8f282dcf","https://git.kernel.org/stable/c/d4d40e437adb376be16b3a12dd5c63f0fa768247","https://git.kernel.org/stable/c/ed06675d3b8cd37120b447646d53f7cd3e6fcd63","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37758","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()\n\ndevm_ioremap() returns NULL on error. 
Currently, pxa_ata_probe() does\nnot check for this case, which can result in a NULL pointer dereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17d5e6e915fad5a261db3698c9c5bbe702102d7c","https://git.kernel.org/stable/c/2ba9e4c69207777bb0775c7c091800ecd69de144","https://git.kernel.org/stable/c/2dc53c7a0c1f57b082931facafa804a7ca32a9a6","https://git.kernel.org/stable/c/5b09bf6243b0bc0ae58bd9efdf6f0de5546f8d06","https://git.kernel.org/stable/c/a551f75401793ba8075d7f46ffc931ce5151f03f","https://git.kernel.org/stable/c/ad320e408a8c95a282ab9c05cdf0c9b95e317985","https://git.kernel.org/stable/c/c022287f6e599422511aa227dc6da37b58d9ceac","https://git.kernel.org/stable/c/d0d720f9282839b9db625a376c02a1426a16b0ae","https://git.kernel.org/stable/c/ee2b0301d6bfe16b35d57947687c664ecb815775","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37748","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group\n\nCurrently, mtk_iommu calls during probe iommu_device_register before\nthe hw_list from driver data is initialized. 
Since iommu probing issue\nfix, it leads to NULL pointer dereference in mtk_iommu_device_group when\nhw_list is accessed with list_first_entry (not null safe).\n\nSo, change the call order to ensure iommu_device_register is called\nafter the driver data are initialized.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0007,"ranking_epss":0.21512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2f75cb27bef43c8692b0f5e471e5632f6a9beb99","https://git.kernel.org/stable/c/38e8844005e6068f336a3ad45451a562a0040ca1","https://git.kernel.org/stable/c/69f9d2d37d1207c5a73dac52a4ce1361ead707f5","https://git.kernel.org/stable/c/6abd09bed43b8d83d461e0fb5b9a200a06aa8a27","https://git.kernel.org/stable/c/a0842539e8ef9386c070156103aff888e558a60c","https://git.kernel.org/stable/c/ce7d3b2f6f393fa35f0ea12861b83a1ca28b295c","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37749","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ppp: Add bound checking for skb data on ppp_sync_txmung\n\nEnsure we have enough data in linear buffer from skb before accessing\ninitial bytes. 
This prevents potential out-of-bounds accesses\nwhen processing short packets.\n\nWhen ppp_sync_txmung receives an incoming package with an empty\npayload:\n(remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)\n$18 = {\n\ttype = 0x1,\n\tver = 0x1,\n\tcode = 0x0,\n\tsid = 0x2,\n        length = 0x0,\n\ttag = 0xffff8880371cdb96\n}\n\nfrom the skb struct (trimmed)\n      tail = 0x16,\n      end = 0x140,\n      head = 0xffff88803346f400 \"4\",\n      data = 0xffff88803346f416 \":\\377\",\n      truesize = 0x380,\n      len = 0x0,\n      data_len = 0x0,\n      mac_len = 0xe,\n      hdr_len = 0x0,\n\nit is not safe to access data[2].\n\n[pabeni@redhat.com: fixed subj typo]","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.0005,"ranking_epss":0.15635,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f6eb9fa87a781d5370c0de7794ae242f1a95ee5","https://git.kernel.org/stable/c/529401c8f12ecc35f9ea5d946d5a5596cf172b48","https://git.kernel.org/stable/c/6e8a6bf43cea4347121ab21bb1ed8d7bef7e732e","https://git.kernel.org/stable/c/99aa698dec342a07125d733e39aab4394b3b7e05","https://git.kernel.org/stable/c/aabc6596ffb377c4c9c8f335124b92ea282c9821","https://git.kernel.org/stable/c/b4c836d33ca888695b2f2665f948bc1b34fbd533","https://git.kernel.org/stable/c/b78f2b458f56a5a4d976c8e01c43dbf58d3ea2ca","https://git.kernel.org/stable/c/de5a4f0cba58625e88b7bebd88f780c8c0150997","https://git.kernel.org/stable/c/fbaffe8bccf148ece8ad67eb5d7aa852cabf59c8","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37752","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe 
user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type 'struct sfq_head[128]'\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 
net/sched/sch_generic.c:1375","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00036,"ranking_epss":0.10683,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49","https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d","https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219","https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688","https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4","https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9","https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70","https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a","https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23161","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type\n\nThe access to the PCI config space via pci_ops::read and pci_ops::write is\na low-level hardware access. The functions can be accessed with disabled\ninterrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this\npurpose.\n\nA spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be\nacquired with disabled interrupts. 
The vmd_dev::cfg_lock is accessed in\nthe same context as the pci_lock.\n\nMake vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with\ninterrupts disabled.\n\nThis was reported as:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n  Call Trace:\n   rt_spin_lock+0x4e/0x130\n   vmd_pci_read+0x8d/0x100 [vmd]\n   pci_user_read_config_byte+0x6f/0xe0\n   pci_read_config+0xfe/0x290\n   sysfs_kf_bin_read+0x68/0x90\n\n[bigeasy: reword commit message]\nTested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>\n[kwilczynski: commit log]\n[bhelgaas: add back report info from\nhttps://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00042,"ranking_epss":0.12902,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13e5148f70e81991acbe0bab5b1b50ba699116e7","https://git.kernel.org/stable/c/18056a48669a040bef491e63b25896561ee14d90","https://git.kernel.org/stable/c/20d0a9062c031068fa39f725a32f182b709b5525","https://git.kernel.org/stable/c/2358046ead696ca5c7c628d6c0e2c6792619a3e5","https://git.kernel.org/stable/c/5c3cfcf0b4bf43530788b08a8eaf7896ec567484","https://git.kernel.org/stable/c/c250262d6485ca333e9821f85b07eb383ec546b1","https://git.kernel.org/stable/c/c2968c812339593ac6e2bdd5cc3adabe3f05fa53","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23163","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: don't propagate flags on open\n\nWith the device instance lock, there is now a possibility of a deadlock:\n\n[    1.211455] ============================================\n[    1.211571] WARNING: possible recursive locking detected\n[    1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted\n[    1.211823] 
--------------------------------------------\n[    1.211936] ip/184 is trying to acquire lock:\n[    1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0\n[    1.212207]\n[    1.212207] but task is already holding lock:\n[    1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0\n[    1.212487]\n[    1.212487] other info that might help us debug this:\n[    1.212626]  Possible unsafe locking scenario:\n[    1.212626]\n[    1.212751]        CPU0\n[    1.212815]        ----\n[    1.212871]   lock(&dev->lock);\n[    1.212944]   lock(&dev->lock);\n[    1.213016]\n[    1.213016]  *** DEADLOCK ***\n[    1.213016]\n[    1.213143]  May be due to missing lock nesting notation\n[    1.213143]\n[    1.213294] 3 locks held by ip/184:\n[    1.213371]  #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0\n[    1.213543]  #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0\n[    1.213727]  #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0\n[    1.213895]\n[    1.213895] stack backtrace:\n[    1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5\n[    1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[    1.213994] Call Trace:\n[    1.213995]  <TASK>\n[    1.213996]  dump_stack_lvl+0x8e/0xd0\n[    1.214000]  print_deadlock_bug+0x28b/0x2a0\n[    1.214020]  lock_acquire+0xea/0x2a0\n[    1.214027]  __mutex_lock+0xbf/0xd40\n[    1.214038]  dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI\n[    1.214040]  vlan_dev_open+0xa5/0x170 # ndo_open on vlandev\n[    1.214042]  __dev_open+0x145/0x270\n[    1.214046]  __dev_change_flags+0xb0/0x1e0\n[    1.214051]  netif_change_flags+0x22/0x60 # IFF_UP vlandev\n[    1.214053]  dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info\n[    1.214055]  vlan_device_event+0x766/0x7c0 # on netdevsim0\n[    
1.214058]  notifier_call_chain+0x78/0x120\n[    1.214062]  netif_open+0x6d/0x90\n[    1.214064]  dev_open+0x5b/0xb0 # locks netdevsim0\n[    1.214066]  bond_enslave+0x64c/0x1230\n[    1.214075]  do_set_master+0x175/0x1e0 # on netdevsim0\n[    1.214077]  do_setlink+0x516/0x13b0\n[    1.214094]  rtnl_newlink+0xaba/0xb80\n[    1.214132]  rtnetlink_rcv_msg+0x440/0x490\n[    1.214144]  netlink_rcv_skb+0xeb/0x120\n[    1.214150]  netlink_unicast+0x1f9/0x320\n[    1.214153]  netlink_sendmsg+0x346/0x3f0\n[    1.214157]  __sock_sendmsg+0x86/0xb0\n[    1.214160]  ____sys_sendmsg+0x1c8/0x220\n[    1.214164]  ___sys_sendmsg+0x28f/0x2d0\n[    1.214179]  __x64_sys_sendmsg+0xef/0x140\n[    1.214184]  do_syscall_64+0xec/0x1d0\n[    1.214190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[    1.214191] RIP: 0033:0x7f2d1b4a7e56\n\nDevice setup:\n\n     netdevsim0 (down)\n     ^        ^\n  bond        netdevsim1.100@netdevsim1 allmulticast=on (down)\n\nWhen we enslave the lower device (netdevsim0) which has a vlan, we\npropagate vlan's allmuti/promisc flags during ndo_open. This causes\n(re)locking on of the real_dev.\n\nPropagate allmulti/promisc on flags change, not on the open. 
There\nis a slight semantics change that vlans that are down now propagate\nthe flags, but this seems unlikely to result in the real issues.\n\nReproducer:\n\n  echo 0 1 > /sys/bus/netdevsim/new_device\n\n  dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)\n  dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)\n\n  ip link set dev $dev name netdevsim0\n  ip link set dev netdevsim0 up\n\n  ip link add link netdevsim0 name netdevsim0.100 type vlan id 100\n  ip link set dev netdevsim0.100 allm\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/27b918007d96402aba10ed52a6af8015230f1793","https://git.kernel.org/stable/c/299d7d27af6b5844cda06a0fdfa635705e1bc50f","https://git.kernel.org/stable/c/523fa0979d842443aa14b80002e45b471cbac137","https://git.kernel.org/stable/c/538b43aa21e3b17c110104efd218b966d2eda5f8","https://git.kernel.org/stable/c/53fb25e90c0a503a17c639341ba5e755cb2feb5c","https://git.kernel.org/stable/c/8980018a9806743d9b80837330d46f06ecf78516","https://git.kernel.org/stable/c/a32f1d4f1f4c9d978698f3c718621f6198f2e7ac","https://git.kernel.org/stable/c/b1e3eeb037256a2f1206a8d69810ec47eb152026","https://git.kernel.org/stable/c/d537859e56bcc3091805c524484a4c85386b3cc8","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37738","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: ignore xattrs past end\n\nOnce inside 'ext4_xattr_inode_dec_ref_all' we should\nignore xattrs entries past the 'end' entry.\n\nThis fixes the following KASAN reported issue:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in 
ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\nRead of size 4 at addr ffff888012c120c4 by task repro/2065\n\nCPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x1fd/0x300\n ? tcp_gro_dev_warn+0x260/0x260\n ? _printk+0xc0/0x100\n ? read_lock_is_recursive+0x10/0x10\n ? irq_work_queue+0x72/0xf0\n ? __virt_addr_valid+0x17b/0x4b0\n print_address_description+0x78/0x390\n print_report+0x107/0x1f0\n ? __virt_addr_valid+0x17b/0x4b0\n ? __virt_addr_valid+0x3ff/0x4b0\n ? __phys_addr+0xb5/0x160\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n kasan_report+0xcc/0x100\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ? ext4_xattr_delete_inode+0xd30/0xd30\n ? __ext4_journal_ensure_credits+0x5f0/0x5f0\n ? __ext4_journal_ensure_credits+0x2b/0x5f0\n ? inode_update_timestamps+0x410/0x410\n ext4_xattr_delete_inode+0xb64/0xd30\n ? ext4_truncate+0xb70/0xdc0\n ? ext4_expand_extra_isize_ea+0x1d20/0x1d20\n ? __ext4_mark_inode_dirty+0x670/0x670\n ? ext4_journal_check_start+0x16f/0x240\n ? ext4_inode_is_fast_symlink+0x2f2/0x3a0\n ext4_evict_inode+0xc8c/0xff0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n ? do_raw_spin_unlock+0x53/0x8a0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n evict+0x4ac/0x950\n ? proc_nr_inodes+0x310/0x310\n ? trace_ext4_drop_inode+0xa2/0x220\n ? _raw_spin_unlock+0x1a/0x30\n ? iput+0x4cb/0x7e0\n do_unlinkat+0x495/0x7c0\n ? try_break_deleg+0x120/0x120\n ? 0xffffffff81000000\n ? __check_object_size+0x15a/0x210\n ? strncpy_from_user+0x13e/0x250\n ? 
getname_flags+0x1dc/0x530\n __x64_sys_unlinkat+0xc8/0xf0\n do_syscall_64+0x65/0x110\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x434ffd\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8\nRSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107\nRAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd\nRDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005\nRBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001\n </TASK>\n\nThe buggy address belongs to the object at ffff888012c12000\n which belongs to the cache filp of size 360\nThe buggy address is located 196 bytes inside of\n freed 360-byte region [ffff888012c12000, ffff888012c12168)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12\nhead: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x40(head|node=0|zone=0)\npage_type: f5(slab)\nraw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nraw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nhead: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000\nhead: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                           ^\n ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb 
fb fc fc fc\n ffff888012c12180: fc fc fc fc fc fc fc fc fc\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0005,"ranking_epss":0.15635,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/362a90cecd36e8a5c415966d0b75b04a0270e4dd","https://git.kernel.org/stable/c/3bc6317033f365ce578eb6039445fb66162722fd","https://git.kernel.org/stable/c/6aff941cb0f7d0c897c3698ad2e30672709135e3","https://git.kernel.org/stable/c/76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3","https://git.kernel.org/stable/c/836e625b03a666cf93ff5be328c8cb30336db872","https://git.kernel.org/stable/c/c8e008b60492cf6fd31ef127aea6d02fd3d314cd","https://git.kernel.org/stable/c/cf9291a3449b04688b81e32621e88de8f4314b54","https://git.kernel.org/stable/c/eb59cc31b6ea076021d14b04e7faab1636b87d0e","https://git.kernel.org/stable/c/f737418b6de31c962c7192777ee4018906975383","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37739","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()\n\nsyzbot reports an UBSAN issue as below:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10\nindex 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')\nCPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429\n get_nid fs/f2fs/node.h:381 [inline]\n f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181\n 
f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886\n f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093\n aio_write+0x56b/0x7c0 fs/aio.c:1633\n io_submit_one+0x8a7/0x18a0 fs/aio.c:2052\n __do_sys_io_submit fs/aio.c:2111 [inline]\n __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f238798cde9\n\nindex 18446744073709550692 (decimal, unsigned long long)\n= 0xfffffffffffffc64 (hexadecimal, unsigned long long)\n= -924 (decimal, long long)\n\nIn f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to\naccess .i_nid[-924], it means both offset[0] and level should zero.\n\nThe possible case should be in f2fs_do_truncate_blocks(), we try to\ntruncate inode size to zero, however, dn.ofs_in_node is zero and\ndn.node_page is not an inode page, so it fails to truncate inode page,\nand then pass zeroed free_from to f2fs_truncate_inode_blocks(), result\nin this issue.\n\n\tif (dn.ofs_in_node || IS_INODE(dn.node_page)) {\n\t\tf2fs_truncate_data_blocks_range(&dn, count);\n\t\tfree_from += count;\n\t}\n\nI guess the reason why dn.node_page is not an inode page could be: there\nare multiple nat entries share the same node block address, once the node\nblock address was reused, f2fs_get_node_page() may load a non-inode block.\n\nLet's add a sanity check for such condition to avoid out-of-bounds 
access\nissue.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00067,"ranking_epss":0.20977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573","https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d","https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de","https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f","https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa","https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747","https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0","https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37740","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add sanity check for agwidth in dbMount\n\nThe width in dmapctl of the AG is zero, it trigger a divide error when\ncalculating the control page level in dbAllocAG.\n\nTo avoid this issue, add a check for agwidth in 
dbAllocAG.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00049,"ranking_epss":0.15366,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/722e72f7f9c69fcb3ab7988c2471feff7a4c8de1","https://git.kernel.org/stable/c/a065cec230aa807c18828a3eee82f1c8592c2adf","https://git.kernel.org/stable/c/a260bf14cd347878f01f70739ba829442a474a16","https://git.kernel.org/stable/c/a741f29ac8b6374c9904be8b7ac7cdfcd7e7e4fa","https://git.kernel.org/stable/c/c8c96a9e7660e5e5eea445978fe8f2e432d91c1f","https://git.kernel.org/stable/c/cc0bc4cb62ce5fa0c383e3bf0765d01f46bd49ac","https://git.kernel.org/stable/c/ccd97c8a4f90810f228ee40d1055148fa146dd57","https://git.kernel.org/stable/c/ddf2846f22e8575d6b4b6a66f2100f168b8cd73d","https://git.kernel.org/stable/c/e3f85edb03183fb06539e5b50dd2c4bb42b869f0","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37741","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Prevent copying of nlink with value 0 from disk inode\n\nsyzbot report a deadlock in diFree. 
[1]\n\nWhen calling \"ioctl$LOOP_SET_STATUS64\", the offset value passed in is 4,\nwhich does not match the mounted loop device, causing the mapping of the\nmounted loop device to be invalidated.\n\nWhen creating the directory and creating the inode of iag in diReadSpecial(),\nread the page of fixed disk inode (AIT) in raw mode in read_metapage(), the\nmetapage data it returns is corrupted, which causes the nlink value of 0 to be\nassigned to the iag inode when executing copy_from_dinode(), which ultimately\ncauses a deadlock when entering diFree().\n\nTo avoid this, first check the nlink value of dinode before setting iag inode.\n\n[1]\nWARNING: possible recursive locking detected\n6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted\n--------------------------------------------\nsyz-executor301/5309 is trying to acquire lock:\nffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n\nbut task is already holding lock:\nffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&(imap->im_aglock[index]));\n  lock(&(imap->im_aglock[index]));\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n5 locks held by syz-executor301/5309:\n #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515\n #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]\n #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026\n #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]\n #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #3: 
ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037\n check_deadlock kernel/locking/lockdep.c:3089 [inline]\n validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891\n __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156\n evict+0x4e8/0x9b0 fs/inode.c:725\n diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]\n duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022\n diNewIAG fs/jfs/jfs_imap.c:2597 [inline]\n diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669\n diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225\n vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n __do_sys_mkdirat fs/namei.c:4295 [inline]\n __se_sys_mkdirat fs/namei.c:4293 [inline]\n __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n do_syscall_x64 
arch/x86/en\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00038,"ranking_epss":0.11564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456","https://git.kernel.org/stable/c/86bfeaa18f9e4615b97f2d613e0fcc4ced196527","https://git.kernel.org/stable/c/8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9","https://git.kernel.org/stable/c/994787341358816d91b2fded288ecb7f129f2b27","https://git.kernel.org/stable/c/a2b560815528ae8e266fca6038bb5585d13aaef4","https://git.kernel.org/stable/c/aeb926e605f97857504bdf748f575e40617e2ef9","https://git.kernel.org/stable/c/b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e","https://git.kernel.org/stable/c/b61e69bb1c049cf507e3c654fa3dc1568231bd07","https://git.kernel.org/stable/c/c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-37742","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of imap allocated in the diMount() function\n\nsyzbot reports that hex_dump_to_buffer is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nhex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nprint_hex_dump+0x13d/0x3e0 lib/hexdump.c:276\ndiFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876\njfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156\nevict+0x723/0xd10 fs/inode.c:796\niput_final fs/inode.c:1946 [inline]\niput+0x97b/0xdb0 fs/inode.c:1972\ntxUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367\ntxLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\njfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733\nkthread+0x6b9/0xef0 kernel/kthread.c:464\nret_from_fork+0x6d/0x90 
arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:4121 [inline]\nslab_alloc_node mm/slub.c:4164 [inline]\n__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320\nkmalloc_noprof include/linux/slab.h:901 [inline]\ndiMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105\njfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176\njfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523\nget_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636\nget_tree_bdev+0x37/0x50 fs/super.c:1659\njfs_get_tree+0x34/0x40 fs/jfs/super.c:635\nvfs_get_tree+0xb1/0x5a0 fs/super.c:1814\ndo_new_mount+0x71f/0x15e0 fs/namespace.c:3560\npath_mount+0x742/0x1f10 fs/namespace.c:3887\ndo_mount fs/namespace.c:3900 [inline]\n__do_sys_mount fs/namespace.c:4111 [inline]\n__se_sys_mount+0x71f/0x800 fs/namespace.c:4088\n__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088\nx64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n=====================================================\n\nThe reason is that imap is not properly initialized after memory\nallocation. 
It will cause the snprintf() function to write uninitialized\ndata into linebuf within hex_dump_to_buffer().\n\nFix this by using kzalloc instead of kmalloc to clear its content at the\nbeginning in diMount().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00054,"ranking_epss":0.17156,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee","https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097","https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c","https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b","https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea","https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde","https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23151","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. 
Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00054,"ranking_epss":0.1709,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0686a818d77a431fc3ba2fab4b46bbb04e8c9380","https://git.kernel.org/stable/c/178e5657c8fd285125cc6743a81b513bce099760","https://git.kernel.org/stable/c/3e7ecf181cbdde9753204ada3883ca1704d8702b","https://git.kernel.org/stable/c/5f084993c90d9d0b4a52a349ede5120f992a7ca1","https://git.kernel.org/stable/c/899d0353ea69681f474b6bc9de32c663b89672da","https://git.kernel.org/stable/c/a77955f7704b2a00385e232cbcc1cb06b5c7a425","https://git.kernel.org/stable/c/ee1fce83ed56450087309b9b74ad9bcb2b010fa6","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23156","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: refactor hfi packet parsing logic\n\nwords_count denotes the number of words in total payload, while data\npoints to payload of various property within it. When words_count\nreaches last word, data can access memory beyond the total payload. This\ncan lead to OOB access. With this patch, the utility api for handling\nindividual properties now returns the size of data consumed. 
Accordingly\nremaining bytes are calculated before parsing the payload, thereby\neliminating the OOB access possibilities.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00081,"ranking_epss":0.23928,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/05b07e52a0d08239147ba3460045855f4fb398de","https://git.kernel.org/stable/c/0beabe9b49190a02321b02792b29fc0f0e28b51f","https://git.kernel.org/stable/c/0f9a4bab7d83738963365372e4745854938eab2d","https://git.kernel.org/stable/c/6d278c5548d840c4d85d445347b2a5c31b2ab3a0","https://git.kernel.org/stable/c/9edaaa8e3e15aab1ca413ab50556de1975bcb329","https://git.kernel.org/stable/c/a736c72d476d1c7ca7be5018f2614ee61168ad01","https://git.kernel.org/stable/c/bb3fd8b7906a12dc2b61389abb742bf6542d97fb","https://git.kernel.org/stable/c/f195e94c7af921d99abd79f57026a218d191d2c7","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23157","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: add check to avoid out of bound access\n\nThere is a possibility that init_codecs is invoked multiple times during\nmanipulated payload from video firmware. In such case, if codecs_count\ncan get incremented to value more than MAX_CODEC_NUM, there can be OOB\naccess. 
Reset the count so that it always starts from beginning.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00065,"ranking_epss":0.20215,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/172bf5a9ef70a399bb227809db78442dc01d9e48","https://git.kernel.org/stable/c/1ad6aa1464b8a5ce5c194458315021e8d216108e","https://git.kernel.org/stable/c/26bbedd06d85770581fda5d78e78539bb088fad1","https://git.kernel.org/stable/c/2b8b9ea4e26a501eb220ea189e42b4527e65bdfa","https://git.kernel.org/stable/c/53e376178ceacca3ef1795038b22fc9ef45ff1d3","https://git.kernel.org/stable/c/b2541e29d82da8a0df728aadec3e0a8db55d517b","https://git.kernel.org/stable/c/cb5be9039f91979f8a2fac29f529f746d7848f3e","https://git.kernel.org/stable/c/d4d88ece4ba91df5b02f1d3f599650f9e9fc0f45","https://git.kernel.org/stable/c/e5133a0b25463674903fdc0528e0a29b7267130e","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23158","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add check to handle incorrect queue size\n\nqsize represents size of shared queued between driver and video\nfirmware. Firmware can modify this value to an invalid large value. In\nsuch situation, empty_space will be bigger than the space actually\navailable. 
Since new_wr_idx is not checked, the following code will\nresult in an OOB write.\n...\nqsize = qhdr->q_size\n\nif (wr_idx >= rd_idx)\n empty_space = qsize - (wr_idx - rd_idx)\n....\nif (new_wr_idx < qsize) {\n memcpy(wr_ptr, packet, dwords << 2) --> OOB write\n\nAdd check to ensure qsize is within the allocated size while\nreading and writing packets into the queue.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00065,"ranking_epss":0.20215,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/101a86619aab42bb61f2253bbf720121022eab86","https://git.kernel.org/stable/c/1b86c1917e16bafbbb08ab90baaff533aa36c62d","https://git.kernel.org/stable/c/32af5c1fdb9bc274f52ee0472d3b060b18e4aab4","https://git.kernel.org/stable/c/40084302f639b3fe954398c5ba5ee556b7242b54","https://git.kernel.org/stable/c/679424f8b31446f90080befd0300ea915485b096","https://git.kernel.org/stable/c/69baf245b23e20efda0079238b27fc63ecf13de1","https://git.kernel.org/stable/c/a45957bcde529169188929816775a575de77d84f","https://git.kernel.org/stable/c/cf5f7bb4e0d786f4d9d50ae6b5963935eab71d75","https://git.kernel.org/stable/c/edb89d69b1438681daaf5ca90aed3242df94cc96","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23159","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add a check to handle OOB in sfr region\n\nsfr->buf_size is in shared memory and can be modified by a malicious user.\nOOB write is possible when the size is made higher than the actual sfr data\nbuffer. 
Cap the size to allocated size for such cases.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b8fb257234e7d2d4b3f48af07c5aa5e11c71634","https://git.kernel.org/stable/c/4dd109038d513b92d4d33524ffc89ba32e02ba48","https://git.kernel.org/stable/c/4e95233af57715d81830fe82b408c633edff59f4","https://git.kernel.org/stable/c/530f623f56a6680792499a8404083e17f8ec51f4","https://git.kernel.org/stable/c/5af611c70fb889d46d2f654b8996746e59556750","https://git.kernel.org/stable/c/8879397c0da5e5ec1515262995e82cdfd61b282a","https://git.kernel.org/stable/c/a062d8de0be5525ec8c52f070acf7607ec8cbfe4","https://git.kernel.org/stable/c/d78a8388a27b265fcb2b8d064f088168ac9356b0","https://git.kernel.org/stable/c/f4b211714bcc70effa60c34d9fa613d182e3ef1e","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23160","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization\n\nOn Mediatek devices with a system companion processor (SCP) the mtk_scp\nstructure has to be removed explicitly to avoid a resource leak.\nFree the structure in case the allocation of the firmware structure fails\nduring the firmware 
initialization.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00101,"ranking_epss":0.28057,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4936cd5817af35d23e4d283f48fa59a18ef481e4","https://git.kernel.org/stable/c/69dd5bbdd79c65445bb17c3c53510783bc1d756c","https://git.kernel.org/stable/c/9f009fa823c54ca0857c81f7525ea5a5d32de29c","https://git.kernel.org/stable/c/ac94e1db4b2053059779472eb58a64d504964240","https://git.kernel.org/stable/c/d6cb086aa52bd51378a4c9e2b25d2def97770205","https://git.kernel.org/stable/c/fd7bb97ede487b9f075707b7408a9073e0d474b1","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23142","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: detect and prevent references to a freed transport in sendmsg\n\nsctp_sendmsg() re-uses associations and transports when possible by\ndoing a lookup based on the socket endpoint and the message destination\naddress, and then sctp_sendmsg_to_asoc() sets the selected transport in\nall the message chunks to be sent.\n\nThere's a possible race condition if another thread triggers the removal\nof that selected transport, for instance, by explicitly unbinding an\naddress with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have\nbeen set up and before the message is sent. This can happen if the send\nbuffer is full, during the period when the sender thread temporarily\nreleases the socket lock in sctp_wait_for_sndbuf().\n\nThis causes the access to the transport data in\nsctp_outq_select_transport(), when the association outqueue is flushed,\nto result in a use-after-free read.\n\nThis change avoids this scenario by having sctp_transport_free() signal\nthe freeing of the transport, tagging it as \"dead\". 
In order to do this,\nthe patch restores the \"dead\" bit in struct sctp_transport, which was\nremoved in\ncommit 47faa1e4c50e (\"sctp: remove the dead field of sctp_transport\").\n\nThen, in the scenario where the sender thread has released the socket\nlock in sctp_wait_for_sndbuf(), the bit is checked again after\nre-acquiring the socket lock to detect the deletion. This is done while\nholding a reference to the transport to prevent it from being freed in\nthe process.\n\nIf the transport was deleted while the socket lock was relinquished,\nsctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the\nsend.\n\nThe bug was found by a private syzbot instance (see the error report [1]\nand the C reproducer that triggers it [2]).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00065,"ranking_epss":0.20215,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f7df4899299ce4662e5f95badb9dbc57cc37fa5","https://git.kernel.org/stable/c/2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee","https://git.kernel.org/stable/c/3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8","https://git.kernel.org/stable/c/547762250220325d350d0917a7231480e0f4142b","https://git.kernel.org/stable/c/5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2","https://git.kernel.org/stable/c/7a63f4fb0efb4e69efd990cbb740a848679ec4b0","https://git.kernel.org/stable/c/9e7c37fadb3be1fc33073fcf10aa96d166caa697","https://git.kernel.org/stable/c/c6fefcb71d246baaf3bacdad1af7ff50ebcfe652","https://git.kernel.org/stable/c/f1a69a940de58b16e8249dff26f74c8cc59b32be","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23143","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and 
rmmod.\n\nWhen I ran the repro [0] and waited a few seconds, I observed two\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\n\nReproduction Steps:\n\n  1) Mount CIFS\n  2) Add an iptables rule to drop incoming FIN packets for CIFS\n  3) Unmount CIFS\n  4) Unload the CIFS module\n  5) Remove the iptables rule\n\nAt step 3), the CIFS module calls sock_release() for the underlying\nTCP socket, and it returns quickly.  However, the socket remains in\nFIN_WAIT_1 because incoming FIN packets are dropped.\n\nAt this point, the module's refcnt is 0 while the socket is still\nalive, so the following rmmod command succeeds.\n\n  # ss -tan\n  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port\n  FIN-WAIT-1 0      477        10.0.2.15:51062   10.0.0.137:445\n\n  # lsmod | grep cifs\n  cifs                 1159168  0\n\nThis highlights a discrepancy between the lifetime of the CIFS module\nand the underlying TCP socket.  Even after CIFS calls sock_release()\nand it returns, the TCP socket does not die immediately in order to\nclose the connection gracefully.\n\nWhile this is generally fine, it causes an issue with LOCKDEP because\nCIFS assigns a different lock class to the TCP socket's sk->sk_lock\nusing sock_lock_init_class_and_name().\n\nOnce an incoming packet is processed for the socket or a timer fires,\nsk->sk_lock is acquired.\n\nThen, LOCKDEP checks the lock context in check_wait_context(), where\nhlock_class() is called to retrieve the lock class.  
However, since\nthe module has already been unloaded, hlock_class() logs a warning\nand returns NULL, triggering the null-ptr-deref.\n\nIf LOCKDEP is enabled, we must ensure that a module calling\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\nwhile such a socket is still alive to prevent this issue.\n\nLet's hold the module reference in sock_lock_init_class_and_name()\nand release it when the socket is freed in sk_prot_free().\n\nNote that sock_lock_init() clears sk->sk_owner for svc_create_socket()\nthat calls sock_lock_init_class_and_name() for a listening socket,\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\n\n[0]:\nCIFS_SERVER=\"10.0.0.137\"\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\nDEV=\"enp0s3\"\nCRED=\"/root/WindowsCredential.txt\"\n\nMNT=$(mktemp -d /tmp/XXXXXX)\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\n\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\n\nfor i in $(seq 10);\ndo\n    umount ${MNT}\n    rmmod cifs\n    sleep 1\ndone\n\nrm -r ${MNT}\n\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\n\n[1]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\n...\nCall Trace:\n <IRQ>\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\n _raw_spin_lock_nested (kernel/locking/spinlock.c:379)\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 
net/ipv4/tcp_ipv4.c:2350)\n...\n\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G        W          6.14.0 #36\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire (kernel/\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00092,"ranking_epss":0.25997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569","https://git.kernel.org/stable/c/2155802d3313d7b8365935c6b8d6edc0ddd7eb94","https://git.kernel.org/stable/c/5f7f6abd92b6c8dc8f19625ef93c3a18549ede04","https://git.kernel.org/stable/c/83083c5fc7cf9b0f136a42f26aba60da380f3601","https://git.kernel.org/stable/c/905d43b8ad2436c240f844acb3ebcc7a99b8ebf1","https://git.kernel.org/stable/c/b7489b753667bc9245958a4896c9419743083c27","https://git.kernel.org/stable/c/c11247a21aab4b50a23c8b696727d7483de2f1e1","https://git.kernel.org/stable/c/d51e47e2ab6ef10a317d576075cf625cdbf96426","https://git.kernel.org/stable/c/feda73ad44a5cc80f6bf796bb1099a3fe71576d4","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23144","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led_bl: Hold led_access lock when calling led_sysfs_disable()\n\nLockdep detects the following issue on led-backlight removal:\n  [  142.315935] ------------[ cut here ]------------\n  [  142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80\n  ...\n  [  142.500725] Call trace:\n  [  142.503176]  led_sysfs_enable+0x54/0x80 (P)\n  [  
142.507370]  led_bl_remove+0x80/0xa8 [led_bl]\n  [  142.511742]  platform_remove+0x30/0x58\n  [  142.515501]  device_remove+0x54/0x90\n  ...\n\nIndeed, led_sysfs_enable() has to be called with the led_access\nlock held.\n\nHold the lock when calling led_sysfs_disable().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00105,"ranking_epss":0.28639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11d128f7eacec276c75cf4712880a6307ca9c885","https://git.kernel.org/stable/c/1c82f5a393d8b9a5c1ea032413719862098afd4b","https://git.kernel.org/stable/c/276822a00db3c1061382b41e72cafc09d6a0ec30","https://git.kernel.org/stable/c/61a5c565fd2442d3128f3bab5f022658adc3a4e6","https://git.kernel.org/stable/c/74c7d67a3c305fc1fa03c32a838e8446fb7aee14","https://git.kernel.org/stable/c/87d947a0607be384bfe7bb0935884a711e35ca07","https://git.kernel.org/stable/c/b447885ec9130cf86f355e011dc6b94d6ccfb5b7","https://git.kernel.org/stable/c/b8ddf5107f53789448900f04fa220f34cd2f777e","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23145","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish 
(./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently. The\n'subflow_req->msk' ownership is transferred to the subflow first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the 'subflow_req->msk' under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc","https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0","https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1","https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb","https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d","https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b","https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803","https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23146","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: ene-kb3930: Fix a potential NULL pointer dereference\n\nThe off_gpios could be NULL. 
Add missing check in the kb3930_probe().\nThis is similar to the issue fixed in commit b1ba8bcb2d1f\n(\"backlight: hx8357: Fix potential NULL pointer dereference\").\n\nThis was detected by our static analysis tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2edb5b29b197d90b4d08cd45e911c0bcf24cb895","https://git.kernel.org/stable/c/4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199","https://git.kernel.org/stable/c/6dc88993ee3fa8365ff6a5d6514702f70ba6863a","https://git.kernel.org/stable/c/76d0f4199bc5b51acb7b96c6663a8953543733ad","https://git.kernel.org/stable/c/7b47df6498f223c8956bfe0d994a0e42a520dfcd","https://git.kernel.org/stable/c/90ee23c2514a22a9c2bb39a540cbe1c9acb27d0b","https://git.kernel.org/stable/c/b1758417310d2cc77e52cd15103497e52e2614f6","https://git.kernel.org/stable/c/ea07760676bba49319d553af80c239da053b5fb1","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23147","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Add NULL pointer check in i3c_master_queue_ibi()\n\nThe I3C master driver may receive an IBI from a target device that has not\nbeen probed yet. In such cases, the master calls `i3c_master_queue_ibi()`\nto queue an IBI work task, leading to \"Unable to handle kernel read from\nunreadable memory\" and resulting in a kernel panic.\n\nTypical IBI handling flow:\n1. The I3C master scans target devices and probes their respective drivers.\n2. The target device driver calls `i3c_device_request_ibi()` to enable IBI\n   and assigns `dev->ibi = ibi`.\n3. 
The I3C master receives an IBI from the target device and calls\n   `i3c_master_queue_ibi()` to queue the target device driver’s IBI\n   handler task.\n\nHowever, since target device events are asynchronous to the I3C probe\nsequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,\nleading to a kernel panic.\n\nAdd a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing\nan uninitialized `dev->ibi`, ensuring stability.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09359e7c8751961937cb5fc50220969b0a4e1058","https://git.kernel.org/stable/c/1b54faa5f47fa7c642179744aeff03f0810dc62e","https://git.kernel.org/stable/c/3ba402610843d7d15c7f3966a461deeeaff7fba4","https://git.kernel.org/stable/c/6871a676aa534e8f218279672e0445c725f81026","https://git.kernel.org/stable/c/bd496a44f041da9ef3afe14d1d6193d460424e91","https://git.kernel.org/stable/c/d83b0c03ef8fbea2f03029a1cc1f5041f0e1d47f","https://git.kernel.org/stable/c/e6bba328578feb58c614c11868c259b40484c5fa","https://git.kernel.org/stable/c/fe4a4fc179b7898055555a11685915473588392e","https://git.kernel.org/stable/c/ff9d61db59bb27d16d3f872bff2620d50856b80c","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23148","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()\n\nsoc_dev_attr->revision could be NULL, thus,\na pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis 
tool.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4129760e462f45f14e61b10408ace61aa7c2ed30","https://git.kernel.org/stable/c/44a2572a0fdcf3e7565763690d579b998a8f0562","https://git.kernel.org/stable/c/475b9b45dc32eba58ab794b5d47ac689fc018398","https://git.kernel.org/stable/c/4f51d169fd0d4821bce775618db024062b09a3f7","https://git.kernel.org/stable/c/5f80fd2ff8bfd13e41554741740e0ca8e6445ded","https://git.kernel.org/stable/c/8ce469d23205249bb17c1135ccadea879576adfc","https://git.kernel.org/stable/c/8ee067cf0cf82429e9b204283c7d0d8d6891d10e","https://git.kernel.org/stable/c/c8222ef6cf29dd7cad21643228f96535cc02b327","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23150","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n 
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe following loop is located right above 'if' statement.\n\nfor (i = count-1; i >= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 > blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with 
Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00063,"ranking_epss":0.19923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10","https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17","https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433","https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f","https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162","https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af","https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d","https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5","https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23140","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error\n\nAfter devm_request_irq() fails with error in pci_endpoint_test_request_irq(),\nthe pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs\nhave been released.\n\nHowever, some requested IRQs remain unreleased, so there are still\n/proc/irq/* entries remaining, and this results in WARN() with the\nfollowing message:\n\n  remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'\n  WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c\n\nTo solve this issue, set the number of remaining IRQs to test->num_irqs,\nand release IRQs in advance by calling pci_endpoint_test_release_irq().\n\n[kwilczynski: commit 
log]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00066,"ranking_epss":0.20654,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0557e70e2aeba8647bf5a950820b67cfb86533db","https://git.kernel.org/stable/c/54c9f299ad7d7c4be5d271ed12d01a59e95b8907","https://git.kernel.org/stable/c/5a4b7181213268c9b07bef8800905528435db44a","https://git.kernel.org/stable/c/705be96504779e4a333ea042b4779ea941f0ace9","https://git.kernel.org/stable/c/770407f6173f4f39f4e2c1b54422b79ce6c98bdb","https://git.kernel.org/stable/c/9d5118b107b1a2353ed0dff24404aee2e6b7ca0a","https://git.kernel.org/stable/c/e516e187bf32d8decc7c7d0025ae4857cad13c0e","https://git.kernel.org/stable/c/f6cb7828c8e17520d4f5afb416515d3fae1af9a9","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23141","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses\n\nAcquire a lock on kvm->srcu when userspace is getting MP state to handle a\nrather extreme edge case where \"accepting\" APIC events, i.e. processing\npending INIT or SIPI, can trigger accesses to guest memory.  
If the vCPU\nis in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP\nstate will trigger a nested VM-Exit by way of ->check_nested_events(), and\nemuating the nested VM-Exit can access guest memory.\n\nThe splat was originally hit by syzkaller on a Google-internal kernel, and\nreproduced on an upstream kernel by hacking the triple_fault_event_test\nselftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a\nmemory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.\n\n  =============================\n  WARNING: suspicious RCU usage\n  6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted\n  -----------------------------\n  include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active = 2, debug_locks = 1\n  1 lock held by triple_fault_ev/1256:\n   #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]\n\n  stack backtrace:\n  CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x7f/0x90\n   lockdep_rcu_suspicious+0x144/0x190\n   kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]\n   kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n   read_and_check_msr_entry+0x2e/0x180 [kvm_intel]\n   __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]\n   kvm_check_nested_events+0x1b/0x30 [kvm]\n   kvm_apic_accept_events+0x33/0x100 [kvm]\n   kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]\n   kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]\n   __x64_sys_ioctl+0x8b/0xb0\n   do_syscall_64+0x6c/0x170\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   
</TASK>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00035,"ranking_epss":0.10185,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e","https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44","https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1","https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be","https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da","https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-3891","summary":"A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. 
The server crashes consistently, affecting availability.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.01334,"ranking_epss":0.79927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2025:10002","https://access.redhat.com/errata/RHSA-2025:10003","https://access.redhat.com/errata/RHSA-2025:10004","https://access.redhat.com/errata/RHSA-2025:10006","https://access.redhat.com/errata/RHSA-2025:10007","https://access.redhat.com/errata/RHSA-2025:10008","https://access.redhat.com/errata/RHSA-2025:10010","https://access.redhat.com/errata/RHSA-2025:4597","https://access.redhat.com/errata/RHSA-2025:9396","https://access.redhat.com/security/cve/CVE-2025-3891","https://bugzilla.redhat.com/show_bug.cgi?id=2361633","https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b","https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86","https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html"],"published_time":"2025-04-29T12:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-21605","summary":"Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from \"NOAUTH\" responses until the system will run out of memory. This issue has been patched in version 7.4.3. 
An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.01547,"ranking_epss":0.81349,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/redis/redis/releases/tag/7.4.3","https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff","https://github.com/valkey-io/valkey/releases/tag/8.1.1","https://lists.debian.org/debian-lts-announce/2025/05/msg00014.html","https://www.vicarius.io/vsociety/posts/cve-2025-21605-detection-script-memory-exhaustion-vulnerability-in-redis-database","https://www.vicarius.io/vsociety/posts/cve-2025-21605-mitigation-script-memory-exhaustion-vulnerability-in-redis-database"],"published_time":"2025-04-23T16:15:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-43965","summary":"In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.","cvss":2.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.9,"epss":0.00226,"ranking_epss":0.45403,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9","https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-44---2025-02-22","https://lists.debian.org/debian-lts-announce/2025/04/msg00035.html"],"published_time":"2025-04-23T15:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38575","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use aead_request_free to match aead_request_alloc\n\nUse aead_request_free() instead of 
kfree() to properly free memory\nallocated by aead_request_alloc(). This ensures sensitive crypto data\nis zeroed before being freed.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00113,"ranking_epss":0.29914,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1de7fec4d3012672e31eeb6679ea60f7ca010ef9","https://git.kernel.org/stable/c/3e341dbd5f5a6e5a558e67da80731dc38a7f758c","https://git.kernel.org/stable/c/46caeae23035192b9cc41872c827f30d0233f16e","https://git.kernel.org/stable/c/571b342d4688801fc1f6a1934389dac09425dc93","https://git.kernel.org/stable/c/6171063e9d046ffa46f51579b2ca4a43caef581a","https://git.kernel.org/stable/c/a6b594868268c3a7bfaeced912525cd2c445529a","https://git.kernel.org/stable/c/aef10ccd74512c52e30c5ee19d0031850973e78d","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-04-18T07:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-38637","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: skbprio: Remove overly strict queue assertions\n\nIn the current implementation, skbprio enqueue/dequeue contains an assertion\nthat fails under certain conditions when SKBPRIO is used as a child qdisc under\nTBF with specific parameters. The failure occurs because TBF sometimes peeks at\npackets in the child qdisc without actually dequeuing them when tokens are\nunavailable.\n\nThis peek operation creates a discrepancy between the parent and child qdisc\nqueue length counters. 
When TBF later receives a high-priority packet,\nSKBPRIO's queue length may show a different value than what's reflected in its\ninternal priority queue tracking, triggering the assertion.\n\nThe fix removes this overly strict assertions in SKBPRIO, they are not\nnecessary at all.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00097,"ranking_epss":0.27009,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/034b293bf17c124fec0f0e663f81203b00aa7a50","https://git.kernel.org/stable/c/1284733bab736e598341f1d3f3b94e2a322864a8","https://git.kernel.org/stable/c/1dcc144c322a8d526b791135604c0663f1af9d85","https://git.kernel.org/stable/c/2286770b07cb5268c03d11274b8efd43dff0d380","https://git.kernel.org/stable/c/2f35b7673a3aa3d09b3eb05811669622ebaa98ca","https://git.kernel.org/stable/c/32ee79682315e6d3c99947b3f38b078a09a66919","https://git.kernel.org/stable/c/7abc8318ce0712182bf0783dcfdd9a6a8331160e","https://git.kernel.org/stable/c/864ca690ff135078d374bd565b9872f161c614bc","https://git.kernel.org/stable/c/ce8fe975fd99b49c29c42e50f2441ba53112b2e8","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-04-18T07:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-32433","summary":"Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. 
A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"epss":0.53995,"ranking_epss":0.97996,"kev":true,"propose_action":"Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.","ransomware_campaign":"Unknown","references":["https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12","https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f","https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891","https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2","http://www.openwall.com/lists/oss-security/2025/04/16/2","http://www.openwall.com/lists/oss-security/2025/04/18/1","http://www.openwall.com/lists/oss-security/2025/04/18/2","http://www.openwall.com/lists/oss-security/2025/04/18/6","http://www.openwall.com/lists/oss-security/2025/04/19/1","https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html","https://security.netapp.com/advisory/ntap-20250425-0001/","https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py","https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433"],"published_time":"2025-04-16T22:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-2291","summary":"Password can be used past expiry in PgBouncer due to auth_query not 
taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.00302,"ranking_epss":0.53478,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.pgbouncer.org/changelog.html#pgbouncer-124x","https://lists.debian.org/debian-lts-announce/2025/05/msg00032.html"],"published_time":"2025-04-16T18:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-23138","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: fix pipe accounting mismatch\n\nCurrently, watch_queue_set_size() modifies the pipe buffers charged to\nuser->pipe_bufs without updating the pipe->nr_accounted on the pipe\nitself, due to the if (!pipe_has_watch_queue()) test in\npipe_resize_ring(). This means that when the pipe is ultimately freed,\nwe decrement user->pipe_bufs by something other than what than we had\ncharged to it, potentially leading to an underflow. 
This in turn can\ncause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.\n\nTo remedy this, explicitly account for the pipe usage in\nwatch_queue_set_size() to match the number set via account_pipe_buffers()\n\n(It's unclear why watch_queue_set_size() does not update nr_accounted;\nit may be due to intentional overprovisioning in watch_queue_set_size()?)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00119,"ranking_epss":0.30886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade","https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d","https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284","https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f","https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12","https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547","https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787","https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-04-16T15:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-22119","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: init wiphy_work before allocating rfkill fails\n\nsyzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. 
[1]\n\nAfter rfkill allocation fails, the wiphy release process will be performed,\nwhich will cause cfg80211_dev_free to access the uninitialized wiphy_work\nrelated data.\n\nMove the initialization of wiphy_work to before rfkill initialization to\navoid this issue.\n\n[1]\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n assign_lock_key kernel/locking/lockdep.c:983 [inline]\n register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297\n __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103\n lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162\n cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196\n device_release+0xa1/0x240 drivers/base/core.c:2568\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e4/0x5a0 lib/kobject.c:737\n put_device+0x1f/0x30 drivers/base/core.c:3774\n wiphy_free net/wireless/core.c:1224 [inline]\n wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562\n ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835\n mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185\n hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242\n genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x565/0x800 
net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg net/socket.c:733 [inline]\n ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573\n ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627\n __sys_sendmsg+0x16e/0x220 net/socket.c:2659\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n\nClose: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00108,"ranking_epss":0.29095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2617f60c3613ef105b8db2d514d2cac2a1836f7d","https://git.kernel.org/stable/c/60606efbf52582c0ab93e99789fddced6b47297a","https://git.kernel.org/stable/c/7e6040853f5b5f067a18c52286e676bc298fe6a2","https://git.kernel.org/stable/c/b679fe84cd5cc6f3481b7131fd28676191ad2615","https://git.kernel.org/stable/c/eeacfbab984200dcdcd68fcf4c6e91e2c6b38792","https://git.kernel.org/stable/c/fc88dee89d7b63eeb17699393eb659aadf9d9b7c","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2025-04-16T15:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-22042","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add bounds check for create lease context\n\nAdd missing bounds check for create lease 
context.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00091,"ranking_epss":0.25872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/60b7207893a8a06c78441934931a08fdad63f18e","https://git.kernel.org/stable/c/629dd37acc336ad778979361c351e782053ea284","https://git.kernel.org/stable/c/800c482c9ef5910f05e3a713943c67cc6c1d4939","https://git.kernel.org/stable/c/9a1b6ea955e6c7b29939a6d98701202f9d9644ec","https://git.kernel.org/stable/c/a41cd52f00907a040ca22c73d4805bb79b0d0972","https://git.kernel.org/stable/c/bab703ed8472aa9d109c5f8c1863921533363dae","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-04-16T15:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-13861","summary":"A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. Redhat-based systems using RPM packages are not affected.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0003,"ranking_epss":0.08632,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.sophos.com/en-us/security-advisories/sophos-sa-20250411-taegis-agent-lpe"],"published_time":"2025-04-11T13:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-32728","summary":"In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent 
forwarding.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"epss":0.00274,"ranking_epss":0.50759,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig","https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367","https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html","https://www.openssh.com/txt/release-10.0","https://www.openssh.com/txt/release-7.4","https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html","https://security.netapp.com/advisory/ntap-20250425-0002/"],"published_time":"2025-04-10T02:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-29769","summary":"libvips is a demand-driven, horizontally threaded image processing library.  The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as \"multiband\". There aren't many ways to create a \"multiband\" input, but it is possible with a well-crafted TIFF image. If a \"multiband\" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. 
This vulnerability is fixed in 8.16.1.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00099,"ranking_epss":0.27212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/libvips/libvips/commit/9ab6784f693de50b00fa535b9efbbe9d2cbf71f2","https://github.com/libvips/libvips/pull/4392","https://github.com/libvips/libvips/pull/4394","https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm","https://issues.oss-fuzz.com/issues/396460413","https://lists.debian.org/debian-lts-announce/2025/04/msg00044.html"],"published_time":"2025-04-07T20:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-3155","summary":"A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"epss":0.00669,"ranking_epss":0.71258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2025:4450","https://access.redhat.com/errata/RHSA-2025:4451","https://access.redhat.com/errata/RHSA-2025:4455","https://access.redhat.com/errata/RHSA-2025:4456","https://access.redhat.com/errata/RHSA-2025:4457","https://access.redhat.com/errata/RHSA-2025:4505","https://access.redhat.com/errata/RHSA-2025:4532","https://access.redhat.com/errata/RHSA-2025:7430","https://access.redhat.com/errata/RHSA-2025:7569","https://access.redhat.com/security/cve/CVE-2025-3155","https://bugzilla.redhat.com/show_bug.cgi?id=2357091","http://www.openwall.com/lists/oss-security/2025/04/04/1","https://lists.debian.org/debian-lts-announce/2025/05/msg00036.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00037.html","https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2"],"published_time":"2025-04-03T14:15:46","vendor":null,"pr
oduct":null,"version":null},{"cve_id":"CVE-2025-21950","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl\n\nIn the \"pmcmd_ioctl\" function, three memory objects allocated by\nkmalloc are initialized by \"hcall_get_cpu_state\", which are then\ncopied to user space. The initializer is indeed implemented in\n\"acrn_hypercall2\" (arch/x86/include/asm/acrn.h). There is a risk of\ninformation leakage due to uninitialized bytes.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00056,"ranking_epss":0.17692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b8f7a2caa7f9cdfd135e3f78eb9d7e36fb95083","https://git.kernel.org/stable/c/4e15cf870d2c748e45d45ffc4d5b1dc1b7d50120","https://git.kernel.org/stable/c/524f29d78c9bdeb49f31f5b0376a07d2fc5cf563","https://git.kernel.org/stable/c/819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb","https://git.kernel.org/stable/c/a4c21b878f0e237f45209a324c903ea7fb05247d","https://git.kernel.org/stable/c/d7e5031fe3f161c8eb5e84db1540bc4373ed861b","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-04-01T16:15:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52935","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix ->anon_vma race\n\nIf an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. 
\nretract_page_tables() bails out if an ->anon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing ->anon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the ->anon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(&vma->anon_vma->root->rwsem)\". \nIt can also lead to use-after-free access.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00028,"ranking_epss":0.07864,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b","https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95","https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c","https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128","https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-03-27T17:15:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-40635","summary":"containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. 
As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"epss":0.00014,"ranking_epss":0.02604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da","https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20","https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a","https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg","https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html"],"published_time":"2025-03-17T22:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52927","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. 
However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00043,"ranking_epss":0.13156,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec","https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f","https://seadragnol.github.io/posts/CVE-2023-52927/","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2025-03-14T15:15:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-24201","summary":"An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"epss":0.00098,"ranking_epss":0.27125,"kev":true,"propose_action":"Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. 
This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.","ransomware_campaign":"Unknown","references":["https://support.apple.com/en-us/122281","https://support.apple.com/en-us/122283","https://support.apple.com/en-us/122284","https://support.apple.com/en-us/122285","https://support.apple.com/en-us/122345","https://support.apple.com/en-us/122346","https://support.apple.com/en-us/122372","https://support.apple.com/en-us/122376","http://seclists.org/fulldisclosure/2025/Apr/16","http://seclists.org/fulldisclosure/2025/Apr/7","http://seclists.org/fulldisclosure/2025/Jun/19","http://seclists.org/fulldisclosure/2025/Mar/2","http://seclists.org/fulldisclosure/2025/Mar/3","http://seclists.org/fulldisclosure/2025/Mar/4","http://seclists.org/fulldisclosure/2025/Mar/5","http://seclists.org/fulldisclosure/2025/Oct/1","http://seclists.org/fulldisclosure/2025/Oct/31","https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201","https://github.com/cisagov/vulnrichment/issues/194","https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24201"],"published_time":"2025-03-11T18:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-27363","summary":"An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. 
This vulnerability may have been exploited in the wild.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.64976,"ranking_epss":0.98459,"kev":true,"propose_action":"FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://www.facebook.com/security/advisories/cve-2025-27363","http://www.openwall.com/lists/oss-security/2025/03/13/1","http://www.openwall.com/lists/oss-security/2025/03/13/11","http://www.openwall.com/lists/oss-security/2025/03/13/12","http://www.openwall.com/lists/oss-security/2025/03/13/2","http://www.openwall.com/lists/oss-security/2025/03/13/3","http://www.openwall.com/lists/oss-security/2025/03/13/8","http://www.openwall.com/lists/oss-security/2025/03/14/1","http://www.openwall.com/lists/oss-security/2025/03/14/2","http://www.openwall.com/lists/oss-security/2025/03/14/3","http://www.openwall.com/lists/oss-security/2025/03/14/4","http://www.openwall.com/lists/oss-security/2025/05/06/3","https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html","https://source.android.com/docs/security/bulletin/2025-05-01","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363"],"published_time":"2025-03-11T14:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-24813","summary":"Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. 
Other, older, EOL versions \nmay also be affected.\n\n\nIf all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads\n- attacker knowledge of the names of security sensitive files being uploaded\n- the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to       perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- application was using Tomcat's file based session persistence with the default storage location\n- application included a library that may be leveraged in a deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.94165,"ranking_epss":0.99916,"kev":true,"propose_action":"Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT 
request.","ransomware_campaign":"Unknown","references":["https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq","http://www.openwall.com/lists/oss-security/2025/03/10/5","https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html","https://security.netapp.com/advisory/ntap-20250321-0001/","https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce","https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce","https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability","https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability","https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"],"published_time":"2025-03-10T17:15:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-26699","summary":"An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. 
The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"epss":0.01596,"ranking_epss":0.81624,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2025/mar/06/security-releases/","http://www.openwall.com/lists/oss-security/2025/03/06/12","https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"],"published_time":"2025-03-06T19:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-58054","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: max96712: fix kernel oops when removing module\n\nThe following kernel oops is thrown when trying to remove the max96712\nmodule:\n\nUnable to handle kernel paging request at virtual address 00007375746174db\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000\n[00007375746174db] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan\n    snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2\n    imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev\n    snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils\n    max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse\n    [last unloaded: imx8_isi]\nCPU: 0 UID: 0 PID: 754 Comm: rmmod\n\t    Tainted: G         C    
6.12.0-rc6-06364-g327fec852c31 #17\nTainted: [C]=CRAP\nHardware name: NXP i.MX95 19X19 board (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : led_put+0x1c/0x40\nlr : v4l2_subdev_put_privacy_led+0x48/0x58\nsp : ffff80008699bbb0\nx29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8\nx20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000\nx11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1\nx2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473\nCall trace:\n led_put+0x1c/0x40\n v4l2_subdev_put_privacy_led+0x48/0x58\n v4l2_async_unregister_subdev+0x2c/0x1a4\n max96712_remove+0x1c/0x38 [max96712]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x4c/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n max96712_i2c_driver_exit+0x18/0x1d0 [max96712]\n __arm64_sys_delete_module+0x1a4/0x290\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xd8\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x190/0x194\nCode: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)\n---[ end trace 0000000000000000 ]---\n\nThis happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()\nis called again and the data is overwritten to point to sd, instead of\npriv. 
So, in remove(), the wrong pointer is passed to\nv4l2_async_unregister_subdev(), leading to a crash.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00031,"ranking_epss":0.08976,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1556b9149b81cc549c13f5e56e81e89404d8a666","https://git.kernel.org/stable/c/278a98f6d8a7bbe1110433b057333536e4490edf","https://git.kernel.org/stable/c/3311c5395e7322298b659b8addc704b39fb3a59c","https://git.kernel.org/stable/c/dfde3d63afbaae664c4d36e53cfb4045d5374561","https://git.kernel.org/stable/c/ee1b5046d5cd892a0754ab982aeaaad3702083a5","https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"],"published_time":"2025-03-06T16:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-27516","summary":"Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. 
This vulnerability is fixed in 3.1.6.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00214,"ranking_epss":0.43936,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403","https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7","https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html","https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html"],"published_time":"2025-03-05T21:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-1080","summary":"LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments.\nThis issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00069,"ranking_epss":0.21383,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080","https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html"],"published_time":"2025-03-04T20:15:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-26466","summary":"A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. 
Consequently, the server may become unavailable, resulting in a denial of service attack.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.60426,"ranking_epss":0.98269,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2025-26466","https://bugzilla.redhat.com/show_bug.cgi?id=2345043","https://seclists.org/oss-sec/2025/q1/144","https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt","http://seclists.org/fulldisclosure/2025/Feb/18","http://seclists.org/fulldisclosure/2025/May/7","http://seclists.org/fulldisclosure/2025/May/8","https://bugzilla.suse.com/show_bug.cgi?id=1237041","https://security-tracker.debian.org/tracker/CVE-2025-26466","https://security.netapp.com/advisory/ntap-20250228-0002/","https://ubuntu.com/security/CVE-2025-26466","https://www.openwall.com/lists/oss-security/2025/02/18/1","https://www.openwall.com/lists/oss-security/2025/02/18/4","https://www.vicarius.io/vsociety/posts/cve-2025-26466-detection-script-memory-consumption-vulnerability-in-openssh","https://www.vicarius.io/vsociety/posts/cve-2025-26466-mitigation-script-memory-consumption-vulnerability-in-openssh","https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"],"published_time":"2025-02-28T22:15:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-55581","summary":"When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's certificate (unless the using program specifies a TLS 
configuration).","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"epss":0.00121,"ranking_epss":0.31252,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.adacore.com/corp/security-advisories/SEC.AWS-0056-v1.pdf","https://lists.debian.org/debian-lts-announce/2025/03/msg00007.html","https://docs.adacore.com/corp/security-advisories/SEC.AWS-0056-v1.pdf"],"published_time":"2025-02-26T22:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-49063","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[  718.223418] Call Trace:\n[  718.227139]\n[  718.230783]  dump_stack_lvl+0x33/0x42\n[  718.234431]  print_address_description.constprop.9+0x21/0x170\n[  718.238177]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.241885]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.245539]  kasan_report.cold.18+0x7f/0x11b\n[  718.249197]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.252852]  free_irq_cpu_rmap+0x53/0x80\n[  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]\n[  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]\n[  718.267419]  ice_rebuild+0x39c/0xb60 [ice]\n[  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[  718.278033]  ? delay_tsc+0x4a/0xb0\n[  718.281513]  ? preempt_count_sub+0x14/0xc0\n[  718.284984]  ? 
delay_tsc+0x8f/0xb0\n[  718.288463]  ice_do_reset+0x92/0xf0 [ice]\n[  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]\n[  718.295561]  pci_reset_function+0x53/0x80\n<...>\n[  718.393035] Allocated by task 690:\n[  718.433497] Freed by task 20834:\n[  718.495688] Last potentially related work creation:\n[  718.568966] The buggy address belongs to the object at ffff8881bd127e00\n                which belongs to the cache kmalloc-96 of size 96\n[  718.574085] The buggy address is located 0 bytes inside of\n                96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[  718.579265] The buggy address belongs to the page:\n[  718.598905] Memory state around the buggy address:\n[  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[  718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.610811]                    ^\n[  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. 
These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00039,"ranking_epss":0.1186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/618df75f2e30c7838a3e010ca32cd4893ec9fe33","https://git.kernel.org/stable/c/ba2f6ec28733fb6b24ed086e676df3df4c138f3f","https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3","https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93","https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"],"published_time":"2025-02-26T07:00:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-0838","summary":"There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. 
We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00134,"ranking_epss":0.33158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1","https://lists.debian.org/debian-lts-announce/2025/04/msg00012.html"],"published_time":"2025-02-21T15:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-25472","summary":"A buffer overflow in DCMTK git master v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DCM file.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00262,"ranking_epss":0.49534,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=410ffe2019b9db6a8f4036daac742a6f5e4d36c2","https://lists.debian.org/debian-lts-announce/2025/06/msg00025.html"],"published_time":"2025-02-18T23:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-25474","summary":"DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.0025,"ranking_epss":0.48209,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d205bcd307164c99e0d4bbf412110372658d847","https://lists.debian.org/debian-lts-announce/2025/06/msg00025.html"],"published_time":"2025-02-18T23:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-25475","summary":"A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM 
file.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00241,"ranking_epss":0.4731,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=bffa3e9116abb7038b432443f16b1bd390e80245","https://github.com/DCMTK/dcmtk/commit/bffa3e9116abb7038b432443f16b1bd390e80245","https://lists.debian.org/debian-lts-announce/2025/06/msg00025.html"],"published_time":"2025-02-18T23:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-22921","summary":"FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00126,"ranking_epss":0.31959,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://trac.ffmpeg.org/ticket/11393","https://lists.debian.org/debian-lts-announce/2025/02/msg00037.html"],"published_time":"2025-02-18T22:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-26465","summary":"A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. 
For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"epss":0.73977,"ranking_epss":0.98815,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2025:16823","https://access.redhat.com/errata/RHSA-2025:3837","https://access.redhat.com/errata/RHSA-2025:6993","https://access.redhat.com/errata/RHSA-2025:8385","https://access.redhat.com/security/cve/CVE-2025-26465","https://access.redhat.com/solutions/7109879","https://bugzilla.redhat.com/show_bug.cgi?id=2344780","https://seclists.org/oss-sec/2025/q1/144","http://seclists.org/fulldisclosure/2025/Feb/18","http://seclists.org/fulldisclosure/2025/May/7","http://seclists.org/fulldisclosure/2025/May/8","https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466","https://bugzilla.suse.com/show_bug.cgi?id=1237040","https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig","https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html","https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html","https://security-tracker.debian.org/tracker/CVE-2025-26465","https://security.netapp.com/advisory/ntap-20250228-0003/","https://ubuntu.com/security/CVE-2025-26465","https://www.openssh.com/releasenotes.html#9.9p2","https://www.openwall.com/lists/oss-security/2025/02/18/1","https://www.openwall.com/lists/oss-security/2025/02/18/4","https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/","https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh","https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh","https://seclists.org/oss-sec/2025/q1/144"],"published_time":"2025-02-18T19:15:29","vendor":null,"product":null,"version
":null},{"cve_id":"CVE-2025-23419","summary":"When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when  TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key  are used and/or the  SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache  are used in the default server and the default server is performing client certificate authentication.  \n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"epss":0.0383,"ranking_epss":0.88105,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://my.f5.com/manage/s/article/K000149173","http://www.openwall.com/lists/oss-security/2025/02/05/8","https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html"],"published_time":"2025-02-05T18:15:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-0781","summary":"An attacker can bypass the sandboxing of Nasal scripts and arbitrarily write to any file path that the user has permission to modify at the operating-system 
level.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"epss":0.00042,"ranking_epss":0.12733,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.com/flightgear/flightgear/-/commit/ad37afce28083fad7f79467b3ffdead753584358","https://gitlab.com/flightgear/flightgear/-/issues/3025","https://gitlab.com/flightgear/simgear/-/commit/5bb023647114267141a7610e8f1ca7d6f4f5a5a8","https://lists.debian.org/debian-lts-announce/2025/01/msg00028.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00029.html"],"published_time":"2025-01-28T17:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-21502","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and  21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"epss":0.002,"ranking_epss":0.42064,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpujan2025.html","http://www.openwall.com/lists/oss-security/2025/01/25/6","https://lists.debian.org/debian-lts-announce/2025/01/msg00031.html","https://lists.debian.org/debian-lts-announce/2025/02/msg00004.html","https://security.netapp.com/advisory/ntap-20250124-0009/"],"published_time":"2025-01-21T21:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-21490","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and  9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"epss":0.0045,"ranking_epss":0.63593,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.oracle.com/security-alerts/cpujan2025.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00000.html","https://security.netapp.com/advisory/ntap-20250131-0004/"],"published_time":"2025-01-21T21:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-50349","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. 
When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.01141,"ranking_epss":0.7838,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8","https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577","https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr","https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html"],"published_time":"2025-01-14T19:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52006","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. 
This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.01025,"ranking_epss":0.77216,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g","https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060","https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q","https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp","https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html"],"published_time":"2025-01-14T19:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-56374","summary":"An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. 
(The django.db.models.GenericIPAddressField model field is not affected.)","cvss":5.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.8,"epss":0.00084,"ranking_epss":0.24686,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.djangoproject.com/en/dev/releases/security/","https://groups.google.com/g/django-announce","https://www.djangoproject.com/weblog/2025/jan/14/security-releases/","http://www.openwall.com/lists/oss-security/2025/01/14/2","https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html"],"published_time":"2025-01-14T19:15:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-27539","summary":"There is a denial of service vulnerability in the header parsing component of Rack.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00328,"ranking_epss":0.55793,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466","https://github.com/advisories/GHSA-c6qg-cjj8-47qp","https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c","https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff","https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html","https://security.netapp.com/advisory/ntap-20231208-0016/","https://www.debian.org/security/2023/dsa-5530"],"published_time":"2025-01-09T01:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-12426","summary":"Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\n\n\n\n\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\n\n\nThis issue affects LibreOffice: from 24.8 before < 
24.8.4.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00516,"ranking_epss":0.66637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426","https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"],"published_time":"2025-01-07T13:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-12425","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal.\n\n\n\n\nAn attacker can write to arbitrary locations, albeit suffixed with \".ttf\", by supplying a file in a format that supports embedded font files.\n\n\nThis issue affects LibreOffice: from 24.8 before < 24.8.4.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"epss":0.00407,"ranking_epss":0.61095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425","https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"],"published_time":"2025-01-07T12:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46981","summary":"Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. 
This can be done using ACL to restrict EVAL and EVALSHA commands.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.7574,"ranking_epss":0.98897,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/redis/redis/releases/tag/6.2.17","https://github.com/redis/redis/releases/tag/7.2.7","https://github.com/redis/redis/releases/tag/7.4.2","https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c","https://lists.debian.org/debian-lts-announce/2025/01/msg00018.html","https://www.vicarius.io/vsociety/posts/cve-2024-46981-detect-redis-vulnerability","https://www.vicarius.io/vsociety/posts/cve-2024-46981-mitigate-redis-vulnerability"],"published_time":"2025-01-06T22:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-56705","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: Add check for rgby_data memory allocation failure\n\nIn ia_css_3a_statistics_allocate(), there is no check on the allocation\nresult of the rgby_data memory. If rgby_data is not successfully\nallocated, it may trigger the assert(host_stats->rgby_data) assertion in\nia_css_s3a_hmem_decode(). 
Adding a check to fix this potential issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":3e-05,"ranking_epss":0.00111,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02a97d9d7ff605fa4a1f908d1bd3ad8573234b61","https://git.kernel.org/stable/c/0c24b82bc4d12c6a58ceacbf2598cd4df63abf9a","https://git.kernel.org/stable/c/0c25ab93f2878cab07d37ca5afd302283201e5af","https://git.kernel.org/stable/c/4676e50444046b498555b849e6080a5c78cdda9b","https://git.kernel.org/stable/c/51b8dc5163d2ff2bf04019f8bf7e3bd0e75bb654","https://git.kernel.org/stable/c/74aa783682c4d78c69d87898e40c78df1fec204e","https://git.kernel.org/stable/c/8066badaf7463194473fb4be19dbe50b11969aa0","https://git.kernel.org/stable/c/ed61c59139509f76d3592683c90dc3fdc6e23cd6","https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"],"published_time":"2024-12-28T10:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-56644","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: release expired exception dst cached in socket\n\nDst objects get leaked in ip6_negative_advice() when this function is\nexecuted for an expired IPv6 route located in the exception table. 
There\nare several conditions that must be fulfilled for the leak to occur:\n* an ICMPv6 packet indicating a change of the MTU for the path is received,\n  resulting in an exception dst being created\n* a TCP connection that uses the exception dst for routing packets must\n  start timing out so that TCP begins retransmissions\n* after the exception dst expires, the FIB6 garbage collector must not run\n  before TCP executes ip6_negative_advice() for the expired exception dst\n\nWhen TCP executes ip6_negative_advice() for an exception dst that has\nexpired and if no other socket holds a reference to the exception dst, the\nrefcount of the exception dst is 2, which corresponds to the increment\nmade by dst_init() and the increment made by the TCP socket for which the\nconnection is timing out. The refcount made by the socket is never\nreleased. The refcount of the dst is decremented in sk_dst_reset() but\nthat decrement is counteracted by a dst_hold() intentionally placed just\nbefore the sk_dst_reset() in ip6_negative_advice(). After\nip6_negative_advice() has finished, there is no other object tied to the\ndst. The socket lost its reference stored in sk_dst_cache and the dst is\nno longer in the exception table. The exception dst becomes a leaked\nobject.\n\nAs a result of this dst leak, an unbalanced refcount is reported for the\nloopback device of a net namespace being destroyed under kernels that do\nnot contain e5f80fcf869a (\"ipv6: give an IPv6 dev to blackhole_netdev\"):\nunregister_netdevice: waiting for lo to become free. Usage count = 2\n\nFix the dst leak by removing the dst_hold() in ip6_negative_advice(). The\npatch that introduced the dst_hold() in ip6_negative_advice() was\n92f1655aa2b22 (\"net: fix __dst_negative_advice() race\"). But 92f1655aa2b22\nmerely refactored the code with regards to the dst refcount so the issue\nwas present even before 92f1655aa2b22. 
The bug was introduced in\n54c1a859efd9f (\"ipv6: Don't drop cache route entry unless timer actually\nexpired.\") where the expired cached route is deleted and the sk_dst_cache\nmember of the socket is set to NULL by calling dst_negative_advice() but\nthe refcount belonging to the socket is left unbalanced.\n\nThe IPv4 version - ipv4_negative_advice() - is not affected by this bug.\nWhen the TCP connection times out ipv4_negative_advice() merely resets the\nsk_dst_cache of the socket while decrementing the refcount of the\nexception dst.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.0067,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b8903e6c881f72c6849d4952de742c656eb5ab9","https://git.kernel.org/stable/c/3301ab7d5aeb0fe270f73a3d4810c9d1b6a9f045","https://git.kernel.org/stable/c/535add1e9f274502209cb997801208bbe1ae6c6f","https://git.kernel.org/stable/c/8b591bd522b71c42a82898290e35d32b482047e4","https://git.kernel.org/stable/c/a95808252e8acc0123bacd2dff8b9af10bc145b7","https://git.kernel.org/stable/c/b90d061345bb8cd51fece561a800bae1c95448a6","https://git.kernel.org/stable/c/f43d12fd0fa8ee5b9caf8a3927e10d06431764d2","https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"],"published_time":"2024-12-27T15:15:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-53197","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices\n\nA bogus device can provide a bNumConfigurations value that exceeds the\ninitial value used in usb_get_configuration for allocating dev->config.\n\nThis can lead to out-of-bounds accesses later, e.g. 
in\nusb_destroy_configuration.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.01771,"ranking_epss":0.826,"kev":true,"propose_action":"Linux Kernel contains an out-of-bounds access vulnerability in the USB-audio driver that allows an attacker with physical access to the system to use a malicious USB device to potentially manipulate system memory, escalate privileges, or execute arbitrary code.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/0b4ea4bfe16566b84645ded1403756a2dc4e0f19","https://git.kernel.org/stable/c/379d3b9799d9da953391e973b934764f01e03960","https://git.kernel.org/stable/c/62dc01c83fa71e10446ee4c31e0e3d5d1291e865","https://git.kernel.org/stable/c/920a369a9f014f10ec282fd298d0666129379f1b","https://git.kernel.org/stable/c/9887d859cd60727432a01564e8f91302d361b72b","https://git.kernel.org/stable/c/9b8460a2a7ce478e0b625af7c56d444dc24190f7","https://git.kernel.org/stable/c/b521b53ac6eb04e41c03f46f7fe452e4d8e9bcca","https://git.kernel.org/stable/c/b8f8b81dabe52b413fe9e062e8a852c48dd0680d","https://git.kernel.org/stable/c/b909df18ce2a998afef81d58bbd1a05dc0788c40","https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53197"],"published_time":"2024-12-27T14:15:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-53150","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out of bounds reads when finding clock sources\n\nThe current USB-audio driver code doesn't check bLength of each\ndescriptor at traversing for clock descriptors.  That is, when a\ndevice provides a bogus descriptor with a shorter bLength, the driver\nmight hit out-of-bounds reads.\n\nFor addressing it, this patch adds sanity checks to the validator\nfunctions for the clock descriptor traversal.  
When the descriptor\nlength is shorter than expected, it's skipped in the loop.\n\nFor the clock source and clock multiplier descriptors, we can just\ncheck bLength against the sizeof() of each descriptor type.\nOTOH, the clock selector descriptor of UAC2 and UAC3 has an array\nof bNrInPins elements and two more fields at its tail, hence those\nhave to be checked in addition to the sizeof() check.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.01119,"ranking_epss":0.78182,"kev":true,"propose_action":"Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f","https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b","https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77","https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6","https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd","https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9","https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9","https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d","https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53150"],"published_time":"2024-12-24T12:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-47606","summary":"GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. 
The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. 
This vulnerability is fixed in 1.24.10.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.00196,"ranking_epss":0.41556,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032.patch","https://gstreamer.freedesktop.org/security/sa-2024-0014.html","https://securitylab.github.com/advisories/GHSL-2024-166_Gstreamer/","https://lists.debian.org/debian-lts-announce/2024/12/msg00016.html","https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html","https://security.netapp.com/advisory/ntap-20250418-0003/"],"published_time":"2024-12-12T02:03:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46901","summary":"Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository.\n\nAll versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. 
Users are recommended to upgrade to version 1.14.5, which fixes this issue.\n\nRepositories served via other access methods are not affected.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"epss":0.05806,"ranking_epss":0.90478,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://subversion.apache.org/security/CVE-2024-46901-advisory.txt","https://lists.debian.org/debian-lts-announce/2025/04/msg00023.html"],"published_time":"2024-12-09T10:15:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-53566","summary":"An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0005,"ranking_epss":0.15594,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/hyp164D1/e7c0f44ffb38c00320aa1a6d98bee616","https://github.com/asterisk/asterisk/blob/22/main/manager.c#L2556","https://lists.debian.org/debian-lts-announce/2025/02/msg00003.html"],"published_time":"2024-12-02T18:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-53104","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format\n\nThis can lead to out of bounds writes since frames of this type were not\ntaken into account when calculating the size of the frames buffer in\nuvc_parse_streaming.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.13942,"ranking_epss":0.9429,"kev":true,"propose_action":"Linux kernel contains an out-of-bounds write vulnerability in the uvc_parse_streaming component of the USB Video Class (UVC) driver that could allow for physical escalation of 
privilege.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/1ee9d9122801eb688783acd07791f2906b87cb4f","https://git.kernel.org/stable/c/467d84dc78c9abf6b217ada22b3fdba336262e29","https://git.kernel.org/stable/c/575a562f7a3ec2d54ff77ab6810e3fbceef2a91d","https://git.kernel.org/stable/c/622ad10aae5f5e03b7927ea95f7f32812f692bb5","https://git.kernel.org/stable/c/684022f81f128338fe3587ec967459669a1204ae","https://git.kernel.org/stable/c/95edf13a48e75dc2cc5b0bc57bf90d6948a22fe8","https://git.kernel.org/stable/c/beced2cb09b58c1243733f374c560a55382003d6","https://git.kernel.org/stable/c/ecf2b43018da9579842c774b7f35dbe11b5c38dd","https://git.kernel.org/stable/c/faff5bbb2762c44ec7426037b3000e77a11d6773","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104"],"published_time":"2024-12-02T08:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-44308","summary":"The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.01547,"ranking_epss":0.81343,"kev":true,"propose_action":"Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://support.apple.com/en-us/121752","https://support.apple.com/en-us/121753","https://support.apple.com/en-us/121754","https://support.apple.com/en-us/121755","https://support.apple.com/en-us/121756","http://seclists.org/fulldisclosure/2024/Nov/16","https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44308"],"published_time":"2024-11-20T00:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-44309","summary":"A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. 
Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.01158,"ranking_epss":0.78526,"kev":true,"propose_action":"Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.","ransomware_campaign":"Unknown","references":["https://support.apple.com/en-us/121752","https://support.apple.com/en-us/121753","https://support.apple.com/en-us/121754","https://support.apple.com/en-us/121755","https://support.apple.com/en-us/121756","http://seclists.org/fulldisclosure/2024/Nov/16","https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309"],"published_time":"2024-11-20T00:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-10224","summary":"Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to 
eval().","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00315,"ranking_epss":0.546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rschupp/Module-ScanDeps/security/advisories/GHSA-g597-359q-v529","https://www.cve.org/CVERecord?id=CVE-2024-10224","https://www.qualys.com/2024/11/19/needrestart/needrestart.txt","http://seclists.org/fulldisclosure/2024/Nov/15","http://seclists.org/fulldisclosure/2024/Nov/17","https://lists.debian.org/debian-lts-announce/2024/11/msg00015.html","https://www.openwall.com/lists/oss-security/2024/11/19/1"],"published_time":"2024-11-19T18:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-50302","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: zero-initialize the report buffer\n\nSince the report buffer is used by all kinds of drivers in various ways, let's\nzero-initialize it during allocation to make sure that it can't be ever used\nto leak kernel memory via specially-crafted report.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.01318,"ranking_epss":0.79822,"kev":true,"propose_action":"The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID 
report.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/05ade5d4337867929e7ef664e7ac8e0c734f1aaf","https://git.kernel.org/stable/c/177f25d1292c7e16e1199b39c85480f7f8815552","https://git.kernel.org/stable/c/1884ab3d22536a5c14b17c78c2ce76d1734e8b0b","https://git.kernel.org/stable/c/3f9e88f2672c4635960570ee9741778d4135ecf5","https://git.kernel.org/stable/c/492015e6249fbcd42138b49de3c588d826dd9648","https://git.kernel.org/stable/c/9d9f5c75c0c7f31766ec27d90f7a6ac673193191","https://git.kernel.org/stable/c/d7dc68d82ab3fcfc3f65322465da3d7031d4ab46","https://git.kernel.org/stable/c/e7ea60184e1e88a3c9e437b3265cbb6439aa7e26","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50302"],"published_time":"2024-11-19T02:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52316","summary":"Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. 
Other EOL versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.01353,"ranking_epss":0.80071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928","http://www.openwall.com/lists/oss-security/2024/11/18/2","https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html","https://security.netapp.com/advisory/ntap-20250124-0003/"],"published_time":"2024-11-18T12:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-10978","summary":"Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended.  An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature.  The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker.  If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION.  The attacker does not control which incorrect user ID applies.  Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries.  
Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"epss":0.00613,"ranking_epss":0.69786,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.postgresql.org/support/security/CVE-2024-10978/","https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html","https://lists.debian.org/debian-lts-announce/2024/11/msg00018.html","https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org"],"published_time":"2024-11-14T13:15:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52301","summary":"Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.65712,"ranking_epss":0.98492,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h","https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html"],"published_time":"2024-11-12T20:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-49369","summary":"Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). 
This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.17901,"ranking_epss":0.9512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c","https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8","https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe","https://github.com/Icinga/icinga2/commit/869a7d6f0fe38c748e67bacc1fbdd42c933030f6","https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a820831","https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv","https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3","https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html"],"published_time":"2024-11-12T17:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-52533","summary":"gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.03091,"ranking_epss":0.86738,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/glib/-/issues/3461","https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.1","https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home","http://www.openwall.com/lists/oss-security/2024/11/12/11","https://lists.debian.org/debian-lts-announce/2024/11/msg00020.html","https://security.netapp.com/advisory/ntap-20241206-0009/"],"published_time":"2024-11-11T23:15:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46952","summary":"An issue was discovered in pdf/pdf_xref.c in Artifex Ghostscript before 10.04.0. 
There is a buffer overflow during handling of a PDF XRef stream (related to W array values).","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00071,"ranking_epss":0.21829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.ghostscript.com/show_bug.cgi?id=708001","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b1f0827c30f59a2dcbc8a39e42cace7a1de35f7f","https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html"],"published_time":"2024-11-10T22:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46953","summary":"An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00117,"ranking_epss":0.30728,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.ghostscript.com/show_bug.cgi?id=707793","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec4cff12951022b192dda3c00","https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html","https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/","https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html"],"published_time":"2024-11-10T22:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46955","summary":"An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. 
There is an out-of-bounds read when reading color in Indexed color space.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00047,"ranking_epss":0.14728,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.ghostscript.com/show_bug.cgi?id=707990","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=85bd9d2f4b792fe67aef22f1a4117457461b8ba6","https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html","https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/","https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html"],"published_time":"2024-11-10T22:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46956","summary":"An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00327,"ranking_epss":0.55608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.ghostscript.com/show_bug.cgi?id=707895","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3ed26c24327de714bf2c3ed6ca","https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html","https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/","https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html"],"published_time":"2024-11-10T22:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46951","summary":"An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. 
An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00138,"ranking_epss":0.34027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.ghostscript.com/show_bug.cgi?id=707991","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1362880673408a6fbe8719b4f8","https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html","https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/","https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html"],"published_time":"2024-11-10T21:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-50602","summary":"An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.00127,"ranking_epss":0.32074,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/libexpat/libexpat/pull/915","https://lists.debian.org/debian-lts-announce/2025/04/msg00040.html","https://security.netapp.com/advisory/ntap-20250404-0008/"],"published_time":"2024-10-27T05:15:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-47685","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()\n\nsyzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending\ngarbage on the four reserved tcp bits (th->res1)\n\nUse skb_put_zero() to clear the whole TCP header,\nas done in nf_reject_ip_tcphdr_put()\n\nBUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n  nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n  nf_send_reset6+0xd84/0x15b0 
net/ipv6/netfilter/nf_reject_ipv6.c:344\n  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775\n  process_backlog+0x4ad/0xa50 net/core/dev.c:6108\n  __napi_poll+0xe7/0x980 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963\n  handle_softirqs+0x1ce/0x800 kernel/softirq.c:554\n  __do_softirq+0x14/0x1a kernel/softirq.c:588\n  do_softirq+0x9a/0x100 kernel/softirq.c:455\n  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]\n  __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450\n  dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n  neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565\n  neigh_output include/net/neighbour.h:542 [inline]\n  ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141\n  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n  ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226\n  NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n  ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247\n  dst_output include/net/dst.h:450 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366\n  inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135\n  __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466\n  
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\n  tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143\n  tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333\n  __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679\n  inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750\n  __sys_connect_file net/socket.c:2061 [inline]\n  __sys_connect+0x606/0x690 net/socket.c:2078\n  __do_sys_connect net/socket.c:2088 [inline]\n  __se_sys_connect net/socket.c:2085 [inline]\n  __x64_sys_connect+0x91/0xe0 net/socket.c:2085\n  x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n  nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249\n  nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\n  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n  
__netif_receive_skb_one_core\n---truncated---","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.00077,"ranking_epss":0.23062,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922","https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93","https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82e","https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2","https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7","https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4","https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2","https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5","https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"],"published_time":"2024-10-21T12:15:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-41311","summary":"In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.00197,"ranking_epss":0.41784,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/flyyee/79f1b224069842ee320115cafa5c35c0","https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36","https://github.com/strukturag/libheif/issues/1226","https://github.com/strukturag/libheif/pull/1227","https://lists.debian.org/debian-lts-announce/2024/10/msg00025.html"],"published_time":"2024-10-15T21:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-9680","summary":"An attacker was able to achieve code execution 
in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"epss":0.31347,"ranking_epss":0.96755,"kev":true,"propose_action":"Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.","ransomware_campaign":"Known","references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1923344","https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039","https://www.mozilla.org/security/advisories/mfsa2024-51/","https://www.mozilla.org/security/advisories/mfsa2024-52/","https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992","https://lists.debian.org/debian-lts-announce/2024/10/msg00005.html","https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680"],"published_time":"2024-10-09T13:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-8508","summary":"NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstream responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well-orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. 
Before Unbound replies to the query, it will try to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00228,"ranking_epss":0.45527,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt","http://www.openwall.com/lists/oss-security/2024/10/04/5","https://lists.debian.org/debian-lts-announce/2024/11/msg00009.html"],"published_time":"2024-10-03T17:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-47175","summary":"CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, this can result in user-controlled input and ultimately code execution via Foomatic. 
This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"epss":0.33659,"ranking_epss":0.96918,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8","https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47","https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5","https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6","https://www.cups.org","https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I","http://www.openwall.com/lists/oss-security/2024/09/27/3","https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477","https://lists.debian.org/debian-lts-announce/2024/09/msg00047.html","https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0016","https://security.netapp.com/advisory/ntap-20241011-0001/"],"published_time":"2024-09-26T22:15:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-46544","summary":"Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.\n\nThis issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. 
Neither the ISAPI redirector nor mod_jk on Windows is affected.\n\nUsers are recommended to upgrade to version 1.2.50, which fixes the issue.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.00039,"ranking_epss":0.1186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d","http://www.openwall.com/lists/oss-security/2024/09/23/1","https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html"],"published_time":"2024-09-23T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-8096","summary":"When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00515,"ranking_epss":0.66562,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://curl.se/docs/CVE-2024-8096.html","https://curl.se/docs/CVE-2024-8096.json","https://hackerone.com/reports/2669852","http://www.openwall.com/lists/oss-security/2024/09/11/1","https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html","https://security.netapp.com/advisory/ntap-20241011-0005/"],"published_time":"2024-09-11T10:15:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-44940","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE in gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. 
Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3db4395332e7050ef9ddeb3052e6b5019f2a2a59","https://git.kernel.org/stable/c/440ab7f97261bc28501636a13998e1b1946d2e79","https://git.kernel.org/stable/c/5a2e37bc648a2503bf6d687aed27b9f4455d82eb","https://git.kernel.org/stable/c/a925a200299a6dfc7c172f54da6f374edc930053","https://git.kernel.org/stable/c/b1453a5616c7bd8acd90633ceba4e59105ba3b51","https://git.kernel.org/stable/c/dd89a81d850fa9a65f67b4527c0e420d15bf836c","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"],"published_time":"2024-08-26T12:15:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-43839","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. 
Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n   is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00024,"ranking_epss":0.06493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1","https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3","https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef","https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43","https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76","https://git.kernel.org/stable/c/c9741a03dc8e491e57b95fba0058ab46b7e506da","https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09fa200ff5","https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540","https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-08-17T10:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42314","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix extent map use-after-free when adding pages to compressed bio\n\nAt add_ra_bio_pages() we are accessing the extent map to calculate\n'add_size' after we dropped our reference on the extent map, resulting\nin a use-after-free. 
Fix this by computing 'add_size' before dropping our\nextent map reference.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00027,"ranking_epss":0.07395,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8e7860543a94784d744c7ce34b78a2e11beefa5c","https://git.kernel.org/stable/c/b7859ff398b6b656e1689daa860eb34837b4bb89","https://git.kernel.org/stable/c/c1cc3326e27b0bd7a2806b40bc48e49afaf951e7","https://git.kernel.org/stable/c/c205565e0f2f439f278a4a94ee97b67ef7b56ae8","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-08-17T09:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42302","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred.  To do so, it polls the\nconfig space of the first child device on the secondary bus.  If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device.  Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume.  Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently.  (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase.  And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event.  
Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently.  The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n  BUG: unable to handle page fault for address: 00000000091400c0\n  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n  RIP: pci_bus_read_config_dword+0x17/0x50\n  pci_dev_wait()\n  pci_bridge_wait_for_secondary_bus()\n  dpc_reset_link()\n  pcie_do_recovery()\n  dpc_handler()","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00025,"ranking_epss":0.06806,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed","https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7","https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f","https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62","https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d","https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da","https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-08-17T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42472","summary":"Flatpak is a Linux application sandboxing and distribution framework. 
Prior to versions 1.14.10 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.\n\nWhen `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access.\n\nHowever, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox.\n\nPartial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. 
This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code.\n\nFor the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson \"wrap\" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. 
As a workaround, avoid using applications using the `persistent` (`--persist`) permission.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"epss":0.06541,"ranking_epss":0.91084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c","https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5","https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72","https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a","https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75","https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97","https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788","https://github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19","https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87","http://www.openwall.com/lists/oss-security/2024/08/14/6","https://lists.debian.org/debian-lts-announce/2025/03/msg00025.html"],"published_time":"2024-08-15T19:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-6706","summary":"Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.00189,"ranking_epss":0.40737,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt","http://seclists.org/fulldisclosure/2024/Aug/3","http://www.openwall.com/lists/oss-security/2024/08/08/6"],"published_time":"2024-08-07T23:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-6707","summary":"Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a 
path traversal vulnerability.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00203,"ranking_epss":0.42457,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt","http://seclists.org/fulldisclosure/2024/Aug/4","http://www.openwall.com/lists/oss-security/2024/08/08/7"],"published_time":"2024-08-07T23:15:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42159","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Sanitise num_phys\n\nInformation is stored in mr_sas_port->phy_mask, values larger than the size of\nthis field shouldn't be allowed.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06059,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3668651def2c1622904e58b0280ee93121f2b10b","https://git.kernel.org/stable/c/586b41060113ae43032ec6c4a16d518cef5da6e0","https://git.kernel.org/stable/c/b869ec89d2ee923d46608b76e54c006680c9b4df","https://git.kernel.org/stable/c/c8707901b53a48106d7501bdbd0350cefaefa4cf","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-30T08:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42160","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to 
clean up code.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/44958ca9e400f57bd0478115519ffc350fcee61e","https://git.kernel.org/stable/c/4ed886b187f47447ad559619c48c086f432d2b77","https://git.kernel.org/stable/c/6e5b601706ce05d94338cad598736d96bb8096c8","https://git.kernel.org/stable/c/bc84dd2c33e0c10fd90d60f0cfc0bfb504d4692d","https://git.kernel.org/stable/c/ecb641f424d6d1f055d149a15b892edcc92c504b","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-30T08:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-42136","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[  366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[  366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[  366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[  366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[  366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  366.027518] Call Trace:\n[  366.027523]  <TASK>\n[  366.027533]  dump_stack_lvl+0x93/0xd0\n[  366.027899]  handle_overflow+0x171/0x1b0\n[  366.038787] ata1.00: invalid multi_count 32 
ignored\n[  366.043924]  cdrom_ioctl+0x2c3f/0x2d10\n[  366.063932]  ? __pm_runtime_resume+0xe6/0x130\n[  366.071923]  sr_block_ioctl+0x15d/0x1d0\n[  366.074624]  ? __pfx_sr_block_ioctl+0x10/0x10\n[  366.077642]  blkdev_ioctl+0x419/0x500\n[  366.080231]  ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b","https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3","https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c","https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf","https://git.kernel.org/stable/c/0c97527e916054acc4a46ffb02842988acb2e92b","https://git.kernel.org/stable/c/3ee21e14c8c329168a0b66bab00ecd18f5d0dee3","https://git.kernel.org/stable/c/e809bc112712da8f7e15822674c6562da6cdf24c","https://git.kernel.org/stable/c/efb905aeb44b0e99c0e6b07865b1885ae0471ebf","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-30T08:15:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-41096","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/MSI: Fix UAF in msi_capability_init\n\nKFENCE reports the following UAF:\n\n BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488\n\n Use-after-free read at 0x0000000024629571 (in kfence-#12):\n  __pci_enable_msi_range+0x2c0/0x488\n  
pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\n kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128\n\n allocated by task 81 on cpu 7 at 10.808142s:\n  __kmem_cache_alloc_node+0x1f0/0x2bc\n  kmalloc_trace+0x44/0x138\n  msi_alloc_desc+0x3c/0x9c\n  msi_domain_insert_msi_desc+0x30/0x78\n  msi_setup_msi_desc+0x13c/0x184\n  __pci_enable_msi_range+0x258/0x488\n  pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\n freed by task 81 on cpu 7 at 10.811436s:\n  msi_domain_free_descs+0xd4/0x10c\n  msi_domain_free_locked.part.0+0xc0/0x1d8\n  msi_domain_alloc_irqs_all_locked+0xb4/0xbc\n  pci_msi_setup_msi_irqs+0x30/0x4c\n  __pci_enable_msi_range+0x2a8/0x488\n  pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\nDescriptor allocation done in:\n__pci_enable_msi_range\n    msi_capability_init\n        msi_setup_msi_desc\n            msi_insert_msi_desc\n                msi_domain_insert_msi_desc\n                    msi_alloc_desc\n                        ...\n\nFreed in case of failure in __msi_domain_alloc_locked()\n__pci_enable_msi_range\n    msi_capability_init\n        pci_msi_setup_msi_irqs\n            msi_domain_alloc_irqs_all_locked\n                msi_domain_alloc_locked\n                    __msi_domain_alloc_locked => fails\n                    msi_domain_free_locked\n                        ...\n\nThat failure propagates back to pci_msi_setup_msi_irqs() in\nmsi_capability_init() which accesses the descriptor for unmasking in the\nerror exit path.\n\nCure it by copying the descriptor and using the copy for the error exit path\nunmask operation.\n\n[ tglx: Massaged change log 
]","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.02809,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ae40b2d0a5de6b045504098e365d4fdff5bbeba","https://git.kernel.org/stable/c/45fc8d20e0768ab0a0ad054081d0f68aa3c83976","https://git.kernel.org/stable/c/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1","https://git.kernel.org/stable/c/ff1121d2214b794dc1772081f27bdd90721a84bc","https://git.kernel.org/stable/c/45fc8d20e0768ab0a0ad054081d0f68aa3c83976","https://git.kernel.org/stable/c/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1","https://git.kernel.org/stable/c/ff1121d2214b794dc1772081f27bdd90721a84bc","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-29T16:15:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-41073","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. 
Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00022,"ranking_epss":0.05863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b","https://git.kernel.org/stable/c/882574942a9be8b9d70d13462ddacc80c4b385ba","https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa","https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057","https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad","https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b","https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b","https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa","https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057","https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad","https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-07-29T15:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-41000","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[   62.982337] ------------[ cut here ]------------\n[   62.985692] cgroup: Invalid name\n[   62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[   62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[   62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[   62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[   62.999369] random: crng 
reseeded on system resumption\n[   63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[   63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[   63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   63.000682] Call Trace:\n[   63.000686]  <TASK>\n[   63.000731]  dump_stack_lvl+0x93/0xd0\n[   63.000919]  __get_user_pages+0x903/0xd30\n[   63.001030]  __gup_longterm_locked+0x153e/0x1ba0\n[   63.001041]  ? _raw_read_unlock_irqrestore+0x17/0x50\n[   63.001072]  ? try_get_folio+0x29c/0x2d0\n[   63.001083]  internal_get_user_pages_fast+0x1119/0x1530\n[   63.001109]  iov_iter_extract_pages+0x23b/0x580\n[   63.001206]  bio_iov_iter_get_pages+0x4de/0x1220\n[   63.001235]  iomap_dio_bio_iter+0x9b6/0x1410\n[   63.001297]  __iomap_dio_rw+0xab4/0x1810\n[   63.001316]  iomap_dio_rw+0x45/0xa0\n[   63.001328]  ext4_file_write_iter+0xdde/0x1390\n[   63.001372]  vfs_write+0x599/0xbd0\n[   63.001394]  ksys_write+0xc8/0x190\n[   63.001403]  do_syscall_64+0xd4/0x1b0\n[   63.001421]  ? 
arch_exit_to_user_mode_prepare+0x3a/0x60\n[   63.001479]  entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[   63.001535] RIP: 0033:0x7f7fd3ebf539\n[   63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[   63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[   63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[   63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[   63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[   63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[   63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[   63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: 
https://github.com/llvm/llvm-project/pull/82432","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00021,"ranking_epss":0.05718,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66","https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e","https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24","https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9","https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9","https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e","https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66","https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e","https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24","https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9","https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9","https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-12T13:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-39494","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. 
Take a stable\nsnapshot of the name instead.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.0151,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b31e28fbd773aefb6164687e0767319b8199829","https://git.kernel.org/stable/c/480afcbeb7aaaa22677d3dd48ec590b441eaac1a","https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4","https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c","https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de","https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c","https://git.kernel.org/stable/c/edf287bc610b18d7a9c0c0c1cb2e97b9348c71bb","https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4","https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c","https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de","https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-07-12T13:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-39496","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. 
So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.03493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9","https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6","https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43","https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752","https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9","https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6","https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43","https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-07-12T13:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-6387","summary":"A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. 
An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.42417,"ranking_epss":0.97438,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2024:4312","https://access.redhat.com/errata/RHSA-2024:4340","https://access.redhat.com/errata/RHSA-2024:4389","https://access.redhat.com/errata/RHSA-2024:4469","https://access.redhat.com/errata/RHSA-2024:4474","https://access.redhat.com/errata/RHSA-2024:4479","https://access.redhat.com/errata/RHSA-2024:4484","https://access.redhat.com/security/cve/CVE-2024-6387","https://bugzilla.redhat.com/show_bug.cgi?id=2294604","https://santandersecurityresearch.github.io/blog/sshing_the_masses.html","https://www.openssh.com/txt/release-9.8","https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt","http://seclists.org/fulldisclosure/2024/Jul/18","http://seclists.org/fulldisclosure/2024/Jul/19","http://seclists.org/fulldisclosure/2024/Jul/20","http://www.openwall.com/lists/oss-security/2024/07/01/12","http://www.openwall.com/lists/oss-security/2024/07/01/13","http://www.openwall.com/lists/oss-security/2024/07/02/1","http://www.openwall.com/lists/oss-security/2024/07/03/1","http://www.openwall.com/lists/oss-security/2024/07/03/11","http://www.openwall.com/lists/oss-security/2024/07/03/2","http://www.openwall.com/lists/oss-security/2024/07/03/3","http://www.openwall.com/lists/oss-security/2024/07/03/4","http://www.openwall.com/lists/oss-security/2024/07/03/5","http://www.openwall.com/lists/oss-security/2024/07/04/1","http://www.openwall.com/lists/oss-security/2024/07/04/2","http://www.openwall.com/lists/oss-security/2024/07/08/2","http://www.openwall.com/lists/oss-security/2024/07/08/3","http://www.openwall.com/lists/oss-security/2024/07/09/2","http://www.openwall.com/lists/oss-security/2024/07/09/5","http://www.openwall.com/lists/oss-security/2024/07
/10/1","http://www.openwall.com/lists/oss-security/2024/07/10/2","http://www.openwall.com/lists/oss-security/2024/07/10/3","http://www.openwall.com/lists/oss-security/2024/07/10/4","http://www.openwall.com/lists/oss-security/2024/07/10/6","http://www.openwall.com/lists/oss-security/2024/07/11/1","http://www.openwall.com/lists/oss-security/2024/07/11/3","http://www.openwall.com/lists/oss-security/2024/07/23/4","http://www.openwall.com/lists/oss-security/2024/07/23/6","http://www.openwall.com/lists/oss-security/2024/07/28/2","http://www.openwall.com/lists/oss-security/2024/07/28/3","https://access.redhat.com/errata/RHSA-2024:4312","https://access.redhat.com/errata/RHSA-2024:4340","https://access.redhat.com/errata/RHSA-2024:4389","https://access.redhat.com/errata/RHSA-2024:4469","https://access.redhat.com/errata/RHSA-2024:4474","https://access.redhat.com/errata/RHSA-2024:4479","https://access.redhat.com/errata/RHSA-2024:4484","https://access.redhat.com/security/cve/CVE-2024-6387","https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/","https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/","https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server","https://bugzilla.redhat.com/show_bug.cgi?id=2294604","https://explore.alas.aws.amazon.com/CVE-2024-6387.html","https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132","https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc","https://github.com/AlmaLinux/updates/issues/629","https://github.com/Azure/AKS/issues/4379","https://github.com/PowerShell/Win32-OpenSSH/discussions/2248","https://github.com/PowerShell/Win32-OpenSSH/issues/2249","https://github.com/microsoft/azurelinux/issues/9555","https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09","https://github.com/oracle/oracle-lin
ux/issues/149","https://github.com/rapier1/hpn-ssh/issues/87","https://github.com/zgzhang/cve-2024-6387-poc","https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/","https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html","https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html","https://news.ycombinator.com/item?id=40843778","https://packetstorm.news/files/id/190587/","https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010","https://santandersecurityresearch.github.io/blog/sshing_the_masses.html","https://security-tracker.debian.org/tracker/CVE-2024-6387","https://security.netapp.com/advisory/ntap-20240701-0001/","https://sig-security.rocky.page/issues/CVE-2024-6387/","https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/","https://support.apple.com/kb/HT214118","https://support.apple.com/kb/HT214119","https://support.apple.com/kb/HT214120","https://ubuntu.com/security/CVE-2024-6387","https://ubuntu.com/security/notices/USN-6859-1","https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do","https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100","https://www.exploit-db.com/exploits/52269","https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc","https://www.openssh.com/txt/release-9.8","https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt","https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html","https://www.suse.com/security/cve/CVE-2024-6387.html","https://www.theregister.com/2024/07/01/regresshion_openssh/","https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387"],"published_time":"2024-07-01T13:15:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-37371","summary":"In MIT Kerberos 5 (aka krb5) before 1.21.3, an 
attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.02606,"ranking_epss":0.85568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","https://web.mit.edu/kerberos/www/advisories/","https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","https://security.netapp.com/advisory/ntap-20241108-0009/","https://security.netapp.com/advisory/ntap-20250124-0010/","https://web.mit.edu/kerberos/www/advisories/"],"published_time":"2024-06-28T23:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-38588","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    
check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\n\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1880a324af1c95940a7c954b6b937e86844a33bd","https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b","https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6","https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461","https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831","https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada","https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d","https://git.kernel.org/stable/c/eea46baf145150910ba134f75a67106ba2222c1b","https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b","https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6","https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461","https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831","https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada","https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d","https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"],"published_time":"2024-06-19T14:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-37891","summary":" urllib3 is a user-friendly HTTP client library for Python. 
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. 
Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"epss":0.00263,"ranking_epss":0.49674,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e","https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf","https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e","https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf","https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html","https://security.netapp.com/advisory/ntap-20240822-0003/","https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891"],"published_time":"2024-06-17T20:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35235","summary":"OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. 
By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"epss":0.03102,"ranking_epss":0.86756,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/06/11/1","http://www.openwall.com/lists/oss-security/2024/06/12/4","http://www.openwall.com/lists/oss-security/2024/06/12/5","https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/abstractions/user-tmp#n21","https://github.com/OpenPrinting/cups/blob/aba917003c8de55e5bf85010f0ecf1f1ddd1408e/cups/http-addr.c#L229-L240","https://github.com/OpenPrinting/cups/commit/ff1f8a623e090dee8a8aadf12a6a4b25efac143d","https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f","https://lists.debian.org/debian-lts-announce/2024/06/msg00001.html","http://www.openwall.com/lists/oss-security/2024/06/11/1","http://www.openwall.com/lists/oss-security/2024/06/12/4","http://www.openwall.com/lists/oss-security/2024/06/12/5","http://www.openwall.com/lists/oss-security/2024/11/08/3","https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/abstractions/user-tmp#n21","https://github.com/OpenPrinting/cups/blob/aba917003c8de55e5bf85010f0ecf1f1ddd1408e/cups/http-addr.c#L229-L240","https://github.com/OpenPrinting/cups/commit/ff1f8a623e090dee8a8aadf12a6a4b25efac143d","https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f","https://lists.debian.org/debian-lts-announce/2024/06/msg00001.html"],"published_time":"2024-06-11T15:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-5696","summary":"By 
manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"epss":0.02069,"ranking_epss":0.83888,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1896555","https://lists.debian.org/debian-lts-announce/2024/06/msg00000.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00010.html","https://www.mozilla.org/security/advisories/mfsa2024-25/","https://www.mozilla.org/security/advisories/mfsa2024-26/","https://www.mozilla.org/security/advisories/mfsa2024-28/","https://bugzilla.mozilla.org/show_bug.cgi?id=1896555","https://lists.debian.org/debian-lts-announce/2024/06/msg00000.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00010.html","https://www.mozilla.org/security/advisories/mfsa2024-25/","https://www.mozilla.org/security/advisories/mfsa2024-26/","https://www.mozilla.org/security/advisories/mfsa2024-28/"],"published_time":"2024-06-11T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-5690","summary":"By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. 
This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"epss":0.03717,"ranking_epss":0.87931,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1883693","https://lists.debian.org/debian-lts-announce/2024/06/msg00000.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00010.html","https://www.mozilla.org/security/advisories/mfsa2024-25/","https://www.mozilla.org/security/advisories/mfsa2024-26/","https://www.mozilla.org/security/advisories/mfsa2024-28/","https://bugzilla.mozilla.org/show_bug.cgi?id=1883693","https://lists.debian.org/debian-lts-announce/2024/06/msg00000.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00010.html","https://www.mozilla.org/security/advisories/mfsa2024-25/","https://www.mozilla.org/security/advisories/mfsa2024-26/","https://www.mozilla.org/security/advisories/mfsa2024-28/"],"published_time":"2024-06-11T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36971","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the 
blamed commit, using UDP sockets.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00491,"ranking_epss":0.65567,"kev":true,"propose_action":"Android contains an unspecified vulnerability in the kernel that allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.","ransomware_campaign":"Unknown","references":["https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13","https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6","https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508","https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4","https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e","https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc","https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72","https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf","https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13","https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6","https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508","https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4","https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e","https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc","https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72","https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36971"],"published_time":"2024-06-10T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-37383","summary":"Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate 
attributes.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.64519,"ranking_epss":0.98441,"kev":true,"propose_action":"RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.","ransomware_campaign":"Unknown","references":["https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242","https://github.com/roundcube/roundcubemail/releases/tag/1.5.7","https://github.com/roundcube/roundcubemail/releases/tag/1.6.7","https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html","https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242","https://github.com/roundcube/roundcubemail/releases/tag/1.5.7","https://github.com/roundcube/roundcubemail/releases/tag/1.6.7","https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383"],"published_time":"2024-06-07T04:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-37384","summary":"Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user 
preferences.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.00437,"ranking_epss":0.63014,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7","https://github.com/roundcube/roundcubemail/releases/tag/1.5.7","https://github.com/roundcube/roundcubemail/releases/tag/1.6.7","https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html","https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7","https://github.com/roundcube/roundcubemail/releases/tag/1.5.7","https://github.com/roundcube/roundcubemail/releases/tag/1.6.7","https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html"],"published_time":"2024-06-07T04:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-5629","summary":"An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00094,"ranking_epss":0.26414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jira.mongodb.org/browse/PYTHON-4305","https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html","https://jira.mongodb.org/browse/PYTHON-4305","https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00032.html"],"published_time":"2024-06-05T15:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-5197","summary":"There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. 
Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.00325,"ranking_epss":0.5551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://g-issues.chromium.org/issues/332382766","https://lists.debian.org/debian-lts-announce/2024/06/msg00005.html","https://g-issues.chromium.org/issues/332382766","https://lists.debian.org/debian-lts-announce/2024/06/msg00005.html"],"published_time":"2024-06-03T14:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36960","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. 
drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00012,"ranking_epss":0.01774,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b","https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f","https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36","https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22","https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c","https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0","https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9","https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77","https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b","https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f","https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36","https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22","https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c","https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0","https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9","https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-06-03T08:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36964","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. 
This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.04113,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02","https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c","https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32","https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8","https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b","https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96","https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3","https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d","https://git.kernel.org/stable/c/157d468e34fdd3cb1ddc07c2be32fb3b02826b02","https://git.kernel.org/stable/c/5a605930e19f451294bd838754f7d66c976a8a2c","https://git.kernel.org/stable/c/ad4f65328661392de74e3608bb736fedf3b67e32","https://git.kernel.org/stable/c/ca9b5c81f0c918c63d73d962ed8a8e231f840bc8","https://git.kernel.org/stable/c/cd25e15e57e68a6b18dc9323047fe9c68b99290b","https://git.kernel.org/stable/c/df1962a199783ecd66734d563caf0fedecf08f96","https://git.kernel.org/stable/c/e55c601af3b1223a84f9f27f9cdbd2af5e203bf3","https://git.kernel.org/stable/c/e90bc596a74bb905e0a45bf346038c3f9d1e868d","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-06-03T08:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36950","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the 
interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. 
If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"epss":0.00016,"ranking_epss":0.03409,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec","https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420","https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0","https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d","https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9","https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61","https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130","https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c","https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec","https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420","https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0","https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d","https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9","https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61","https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130","https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2
024-05-30T16:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36953","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.0231,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487","https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f","https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80","https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728","https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb","https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104","https://git.kernel.org/stable/c/01981276d64e542c177b243f7c979fee855d5487","https://git.kernel.org/stable/c/17db92da8be5dd3bf63c01f4109fe47db64fc66f","https://git.kernel.org/stable/c/3a5b0378ac6776c7c31b18e0f3c1389bd6005e80","https://git.kernel.org/stable/c/4404465a1bee3607ad90a4c5f9e16dfd75b85728","https://git.kernel.org/stable/c/6ddb4f372fc63210034b903d96ebbeb3c7195adb","https://git.kernel.org/stable/c/8d6a1c8e3de36cb0f5e866f1a582b00939e23104","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"],"published_time":"2024-05-30T16:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36954","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() 
doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00027,"ranking_epss":0.07497,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6","https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae","https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565","https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c","https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574","https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d","https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd","https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e","https://git.kernel.org/stable/c/01cd1b7b685751ee422d00d050292a3d277652d6","https://git.kernel.org/stable/c/2f87fd9476cf9725d774e6dcb7d17859c6a6d1ae","https://git.kernel.org/stable/c/3210d34fda4caff212cb53729e6bd46de604d565","https://git.kernel.org/stable/c/42c8471b0566c7539e7dd584b4d0ebd3cec8cb2c","https://git.kernel.org/stable/c/614c5a5ae45a921595952117b2e2bd4d4bf9b574","https://git.kernel.org/stable/c/97bf6f81b29a8efaf5d0983251a7450e5794370d","https://git.kernel.org/stable/c/adbce6d20da6254c86425a8d4359b221b5ccbccd","https://git.kernel.org/stable/c/d03a82f4f8144befdc10518e732e2a60b34c870e","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-30T16:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36957","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). 
However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0003,"ranking_epss":0.08473,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7","https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67","https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e","https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f","https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878","https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19","https://git.kernel.org/stable/c/0a0285cee11c7dcc2657bcd456e469958a5009e7","https://git.kernel.org/stable/c/8f11fe3ea3fc261640cfc8a5addd838000407c67","https://git.kernel.org/stable/c/bcdac70adceb44373da204c3c297f2a98e13216e","https://git.kernel.org/stable/c/ec697fbd38cbe2eef0948b58673b146caa95402f","https://git.kernel.org/stable/c/f299ee709fb45036454ca11e90cb2810fe771878","https://git.kernel.org/stable/c/fc3e0076c1f82fe981d321e3a7bad4cbee542c19","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"],"published_time":"2024-05-30T16:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36940","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as 
well.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0002,"ranking_epss":0.0517,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068","https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca","https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79","https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c","https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d","https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e","https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd","https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba","https://git.kernel.org/stable/c/288bc4aa75f150d6f1ee82dd43c6da1b438b6068","https://git.kernel.org/stable/c/41f88ef8ba387a12f4a2b8c400b6c9e8e54b2cca","https://git.kernel.org/stable/c/5038a66dad0199de60e5671603ea6623eb9e5c79","https://git.kernel.org/stable/c/558c8039fdf596a584a92c171cbf3298919c448c","https://git.kernel.org/stable/c/735f4c6b6771eafe336404c157ca683ad72a040d","https://git.kernel.org/stable/c/ac7d65795827dc0cf7662384ed27caf4066bd72e","https://git.kernel.org/stable/c/cdaa171473d98962ae86f2a663d398fda2fbeefd","https://git.kernel.org/stable/c/f9f1e321d53e4c5b666b66e5b43da29841fb55ba","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-30T16:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36941","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer 
here.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d","https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a","https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307","https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7","https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457","https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4","https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f","https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383","https://git.kernel.org/stable/c/244822c09b4f9aedfb5977f03c0deeb39da8ec7d","https://git.kernel.org/stable/c/327382dc0f16b268950b96e0052595efd80f7b0a","https://git.kernel.org/stable/c/5a730a161ac2290d46d49be76b2b1aee8d2eb307","https://git.kernel.org/stable/c/801ea33ae82d6a9d954074fbcf8ea9d18f1543a7","https://git.kernel.org/stable/c/97792d0611ae2e6fe3ccefb0a94a1d802317c457","https://git.kernel.org/stable/c/ad12c74e953b68ad85c78adc6408ed8435c64af4","https://git.kernel.org/stable/c/b0db4caa10f2e4e811cf88744fbf0d074b67ec1f","https://git.kernel.org/stable/c/f92772a642485394db5c9a17bd0ee73fc6902383","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-30T16:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36946","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) 
+\nnla_total_size(4)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00027,"ranking_epss":0.07426,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4","https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe","https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137","https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7","https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7","https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a","https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00","https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b","https://git.kernel.org/stable/c/4ff334cade9dae50e4be387f71e94fae634aa9b4","https://git.kernel.org/stable/c/728a83160f98ee6b60df0d890141b9b7240182fe","https://git.kernel.org/stable/c/9a77226440008cf04ba68faf641a2d50f4998137","https://git.kernel.org/stable/c/d8cac8568618dcb8a51af3db1103e8d4cc4aeea7","https://git.kernel.org/stable/c/dc6beac059f0331de97155a89d84058d4a9e49c7","https://git.kernel.org/stable/c/ec1f71c05caeba0f814df77e0f511d8b4618623a","https://git.kernel.org/stable/c/ee9e39a6cb3ca2a3d35b4ae25547ee3526a44d00","https://git.kernel.org/stable/c/f085e02f0a32f6dfcfabc6535c9c4a1707cef86b","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20241004-0002/"],"published_time":"2024-05-30T16:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36929","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. 
Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":9e-05,"ranking_epss":0.0091,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62","https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec","https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533","https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6","https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681","https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1","https://git.kernel.org/stable/c/989bf6fd1e1d058e73a364dce1a0c53d33373f62","https://git.kernel.org/stable/c/aea5e2669c2863fdd8679c40ee310b3bcaa85aec","https://git.kernel.org/stable/c/c7af99cc21923a9650533c9d77265c8dd683a533","https://git.kernel.org/stable/c/cfe34d86ef9765c388f145039006bb79b6c81ac6","https://git.kernel.org/stable/c/d091e579b864fa790dd6a0cd537a22c383126681","https://git.kernel.org/stable/c/faa83a7797f06cefed86731ba4baa3b4dfdc06c1","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://security.netapp.com/advisory/ntap-20240905-0010/"],"published_time":"2024-05-30T16:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36933","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n  ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  
As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n  1. reset skb->network_header\n  2. save the original skb->{mac_heaeder,mac_len} in a local variable\n  3. pull the NSH header\n  4. resets skb->mac_header\n  5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n  6. set ntohs(ETH_P_NSH) to skb->protocol\n  7. push the NSH header\n  8. restore skb->mac_header\n  9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n  (a)\n  After 6 & 7, skb->data points to the NSH header, so the outer header\n  (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n  Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n  skb_pull() in the first nsh_gso_segment() will make skb->data point\n  to the middle of the outer NSH or Ethernet header because the Ethernet\n  header is not pulled by the second nsh_gso_segment().\n\n  (b)\n  While restoring skb->{mac_header,network_header} in 8 & 9,\n  nsh_gso_segment() does not assume that the data in the linear\n  buffer is shifted.\n\n  However, udp6_ufo_fragment() could shift the data and change\n  skb->mac_header accordingly as demonstrated by syzbot.\n\n  If this happens, even the restored skb->mac_header points to\n  the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 
[inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n 
__\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.01012,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a","https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2","https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c","https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79","https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a","https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340","https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9","https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216","https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a","https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2","https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c","https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79","https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a","https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340","https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9","https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20240912-0006/"],"published_time":"2024-05-30T16:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36934","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. 
Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01457,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32","https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9","https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35","https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4","https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd","https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f","https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147","https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91","https://git.kernel.org/stable/c/06cb37e2ba6441888f24566a997481d4197b4e32","https://git.kernel.org/stable/c/0f560240b4cc25d3de527deb257cdf072c0102a9","https://git.kernel.org/stable/c/1518b2b498a0109eb6b15755169d3b6607356b35","https://git.kernel.org/stable/c/6f0f19b79c085cc891c418b768f26f7004bd51a4","https://git.kernel.org/stable/c/80578ec10335bc15ac35fd1703c22aab34e39fdd","https://git.kernel.org/stable/c/8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f","https://git.kernel.org/stable/c/bd502ba81cd1d515deddad7dbc6b812b14b97147","https://git.kernel.org/stable/c/e19478763154674c084defc62ae0d64d79657f91","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20240912-0007/"],"published_time":"2024-05-30T16:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36939","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error 
of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS:  00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n 
</TASK>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00017,"ranking_epss":0.03911,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8","https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c","https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65","https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3","https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f","https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba","https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021","https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8","https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c","https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65","https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3","https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f","https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba","https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"],"published_time":"2024-05-30T16:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36919","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. 
The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  
process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 
]---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01443,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936","https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3","https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312","https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb","https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3","https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9","https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256","https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342","https://git.kernel.org/stable/c/1150606d47d711d5bfdf329a1a96ed7027085936","https://git.kernel.org/stable/c/468f3e3c15076338367b0945b041105b67cf31e3","https://git.kernel.org/stable/c/93aa5ccc44781bdfef1bf0bc4c2c292d45251312","https://git.kernel.org/stable/c/acd370c1fb86b7302c1cbb354a7c1cd9953768eb","https://git.kernel.org/stable/c/ad498539dda0816aadef384ec117bfea304c75c3","https://git.kernel.org/stable/c/c214ed2a4dda35b308b0b28eed804d7ae66401f9","https://git.kernel.org/stable/c/c885ab23206b1f1ba0731ffe7c9455c6a91db256","https://git.kernel.org/stable/c/ea50941cd8c9f0b12f38b73d3b1bfeca660dd342","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20240905-0009/"],"published_time":"2024-05-30T16:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36905","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a 
divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 
net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 
0000000000000001","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01294,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4","https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270","https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1","https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485","https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f","https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf","https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214","https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4","https://www.openwall.com/lists/oss-security/2024/10/29/1","http://www.openwall.com/lists/oss-security/2024/10/29/1","http://www.openwall.com/lists/oss-security/2024/10/30/1","http://www.openwall.com/lists/oss-security/2024/11/12/4","http://www.openwall.com/lists/oss-security/2024/11/12/5","http://www.openwall.com/lists/oss-security/2024/11/12/6","https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4","https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270","https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1","https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485","https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f","https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf","https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214","https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20240905-0005/","https://access.redhat.com/security/cve/cve-2024-36905","https:/
/alas.aws.amazon.com/cve/html/CVE-2024-36905.html","https://github.com/cisagov/vulnrichment/issues/130","https://www.openwall.com/lists/oss-security/2024/11/12/4"],"published_time":"2024-05-30T16:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36913","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.00046,"ranking_epss":0.14126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a","https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6","https://git.kernel.org/stable/c/7f2afcbfe4f6b6047b5f68db5067b7321e5be125","https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f","https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a","https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6","https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f","https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"],"published_time":"2024-05-30T16:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36916","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a 
number that is too large,\nresulting in undefined behavior on some architectures.\n\n[  186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S          E    N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00025,"ranking_epss":0.06644,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b","https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5","https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1","https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d","https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86","https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca","https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b","https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5","https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1","https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d","https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86","https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca","https://lists.debi
an.org/debian-lts-announce/2024/06/msg00019.html","https://security.netapp.com/advisory/ntap-20240905-0006/"],"published_time":"2024-05-30T16:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36904","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. 
VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? 
__pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n </TASK>","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00262,"ranking_epss":0.49512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446","https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3","https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34","https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8","https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc","https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc","https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9","https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e","https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446","https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3","https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34","https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8","https://git.kernel
.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc","https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc","https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9","https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20240905-0004/"],"published_time":"2024-05-30T16:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36886","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 
linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n 
ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00124,"ranking_epss":0.31681,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b","https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14","https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1","https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684","https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40","https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90","https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd","https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682","https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b","https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14","https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1","https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684","https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40","https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90","https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84
e84532e2781bd","https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20241018-0002/"],"published_time":"2024-05-30T16:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36889","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 
net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   </TASK>\n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect 
time.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.0099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012","https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe","https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4","https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f","https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193","https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386","https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012","https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe","https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4","https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f","https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193","https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"],"published_time":"2024-05-30T16:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36883","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. 
If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":7e-05,"ranking_epss":0.00501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7","https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42","https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3","https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f","https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030","https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6","https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd","https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab","https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7","https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42","https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3","https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f","https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030","https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6","https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd","https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://security.netapp.com/advisory/ntap-20241018-0001/"],"published_time":"2024-05-30T16:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52882","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of 
cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.01023,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a","https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069","https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff","https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90","https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175","https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019","https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66","https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a","https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069","https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd4493731ff","https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90","https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175","https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019","https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://security.netapp.com/advisory/ntap-20240912-0010/"],"published_time":"2024-05-30T16:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36020","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers to hang in 
very hard to reproduce conditions with reset races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used these variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02229,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6","https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0","https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba","https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31","https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a","https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c","https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d","https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8","https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6","https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0","https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba","https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31","https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a","https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c","https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d","https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-30T15:15:49","vendor":null,"product"
:null,"version":null},{"cve_id":"CVE-2024-36017","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out-of-bounds\nread access when accessing the saved (cast) entry in ivvl.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00019,"ranking_epss":0.05061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489","https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b","https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8","https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169","https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de","https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7","https://git.kernel.org/stable/c/8ac69ff2d0d5be9734c4402de932aa3dc8549c1a","https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e","https://git.kernel.org/stable/c/1aec77b2bb2ed1db0f5efc61c4c1ca3813307489","https://git.kernel.org/stable/c/206003c748b88890a910ef7142d18f77be57550b","https://git.kernel.org/stable/c/4a4b9757789a1551d2df130df23bfb3545bfa7e8","https://git.kernel.org/stable/c/5e7ef2d88666a0212db8c38e6703864b9ce70169","https://git.kernel.org/stable/c/6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de","https://git.kernel.org/stable/c/6e4c7193954f4faab92f6e8d88bc5565317b44e7","https://git.kernel.org/stable/c/8ac69ff2d
0d5be9734c4402de932aa3dc8549c1a","https://git.kernel.org/stable/c/f3c1bf3054f96ddeab0621d920445bada769b40e","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-30T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52880","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02316,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167","https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a","https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88","https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58","https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed","https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa","https://git.kernel.org/stable/c/2b85977977cbd120591b23c2450e90a5806a7167","https://git.kernel.org/stable/c/2d154a54c58f9c8375bfbea9f7e51ba3bfb2e43a","https://git.kernel.org/stable/c/67c37756898a5a6b2941a13ae7260c89b54e0d88","https://git.kernel.org/stable/c/7a529c9023a197ab3bf09bb95df32a3813f7ba58","https://git.kernel.org/stable/c/7d303dee473ba3529d75b63491e9963342107bed","https://git.kernel.org/stable/c/ada28eb4b9561aab93942f3224a2e41d76fe57fa","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-24T16:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4453","summar
y":"GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23896.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.03337,"ranking_epss":0.87252,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5","https://lists.debian.org/debian-lts-announce/2024/05/msg00019.html","https://www.zerodayinitiative.com/advisories/ZDI-24-467/","https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5","https://lists.debian.org/debian-lts-announce/2024/05/msg00019.html","https://www.zerodayinitiative.com/advisories/ZDI-24-467/"],"published_time":"2024-05-22T20:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2021-47489","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix even more out of bound writes from debugfs\n\nCVE-2021-42327 was fixed by:\n\ncommit f23750b5b3d98653b31d4469592935ef6364ad67\nAuthor: Thelford Williams <tdwilliamsiv@gmail.com>\nDate:   Wed Oct 13 16:04:13 2021 -0400\n\n    drm/amdgpu: fix out of bounds write\n\nbut amdgpu_dm_debugfs.c contains more of the same issue so fix the\nremaining ones.\n\nv2:\n\t* Add missing fix in dp_max_bpc_write (Harry 
Wentland)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00023,"ranking_epss":0.06175,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1336b886b162fdc84708096ea152a61c0e1fc09c","https://git.kernel.org/stable/c/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5","https://git.kernel.org/stable/c/9eb4bdd554fc31a5ef6bf645a20ff21618ce45a9","https://git.kernel.org/stable/c/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5","https://git.kernel.org/stable/c/9eb4bdd554fc31a5ef6bf645a20ff21618ce45a9","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-05-22T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52812","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04144,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a","https://git.kernel.org/stable/c/2f2d48b6247ae3001f83c98730b3cce475cb2927","https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec","https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670","https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a","https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec","https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670","https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"],"published_time":"2024-05-21T16:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52757","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix 
potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock.  If they don't, then a use-after-free bug\nwould have occurred anyways.\n\nGetting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0                                CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread()            cifs_debug_data_proc_show()\n release_mid()\n  spin_lock(&server->mid_lock);\n                                     spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t      spin_lock(&server->mid_lock)\n  __release_mid()\n   smb2_find_smb_tcon()\n    spin_lock(&cifs_tcp_ses_lock) *deadlock*","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00011,"ranking_epss":0.01422,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/99f476e27aad5964ab13777d84fda67d1356dec1","https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29","https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf","https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26","https://git.kernel.org/stable/c/ce49569079a9d4cad26c0f1d4653382fd9a5ca7a","https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7","https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29","https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf","https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26","https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-05-21T16:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52752","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix 
use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being torn down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n  [ 816.251274] general protection fault, probably for non-canonical\n  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n  ...\n  [  816.260138] Call Trace:\n  [  816.260329]  <TASK>\n  [  816.260499]  ? die_addr+0x36/0x90\n  [  816.260762]  ? exc_general_protection+0x1b3/0x410\n  [  816.261126]  ? asm_exc_general_protection+0x26/0x30\n  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]\n  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]\n  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n  [  816.262689]  ? seq_read_iter+0x379/0x470\n  [  816.262995]  seq_read_iter+0x118/0x470\n  [  816.263291]  proc_reg_read_iter+0x53/0x90\n  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f\n  [  816.263945]  vfs_read+0x201/0x350\n  [  816.264211]  ksys_read+0x75/0x100\n  [  816.264472]  do_syscall_64+0x3f/0x90\n  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  [  816.265135] RIP: 
0033:0x7fd5e669d381","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.03659,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a","https://git.kernel.org/stable/c/2abdf136784b7edaec7ffe0f4b461b63f9c4c4de","https://git.kernel.org/stable/c/336a066990bb3962c46daf574ace596bda9303ce","https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7","https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09","https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62","https://git.kernel.org/stable/c/0ab6f842452ce2cae04209d4671ac6289d0aef8a","https://git.kernel.org/stable/c/558817597d5fbd7af31f891b67b0fd20f0d047b7","https://git.kernel.org/stable/c/89929ea46f9cc11ba66d2c64713aa5d5dc723b09","https://git.kernel.org/stable/c/d328c09ee9f15ee5a26431f5aad7c9239fa85e62","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-05-21T16:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2021-47247","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\n\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\n\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] 
Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260]  dump_stack+0xbb/0x107\n [23827.477906]  print_address_description.constprop.0+0x18/0x140\n [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905]  kasan_report.cold+0x7c/0xd8\n [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744]  kasan_check_range+0x145/0x1a0\n [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486]  ? read_word_at_a_time+0xe/0x20\n [23827.498250]  ? strscpy+0xa0/0x2a0\n [23827.498889]  process_one_work+0x8ac/0x14e0\n [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359]  ? rwlock_bug.part.0+0x90/0x90\n [23827.502116]  worker_thread+0x53b/0x1220\n [23827.502831]  ? process_one_work+0x14e0/0x14e0\n [23827.503627]  kthread+0x328/0x3f0\n [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065]  ? 
__kthread_bind_mask+0x90/0x90\n [23827.505912]  ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694]  kasan_save_stack+0x1b/0x40\n [23827.508476]  __kasan_kmalloc+0x7c/0x90\n [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298]  tc_setup_cb_add+0x1d5/0x420\n [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821]  tc_new_tfilter+0x89a/0x2070\n [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300]  netlink_rcv_skb+0x11d/0x340\n [23827.518021]  netlink_unicast+0x42b/0x700\n [23827.518742]  netlink_sendmsg+0x743/0xc20\n [23827.519467]  sock_sendmsg+0xb2/0xe0\n [23827.520131]  ____sys_sendmsg+0x590/0x770\n [23827.520851]  ___sys_sendmsg+0xd8/0x160\n [23827.521552]  __sys_sendmsg+0xb7/0x140\n [23827.522238]  do_syscall_64+0x3a/0x70\n [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780]  kasan_save_stack+0x1b/0x40\n [23827.525488]  kasan_set_track+0x1c/0x30\n [23827.526187]  kasan_set_free_info+0x20/0x30\n [23827.526968]  __kasan_slab_free+0xed/0x130\n [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317]  kfree_rcu_work+0x55f/0xb70\n [23827.530024]  process_one_work+0x8ac/0x14e0\n [23827.530770]  worker_thread+0x53b/0x1220\n [23827.531480]  kthread+0x328/0x3f0\n [23827.532114]  ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007]  kasan_save_stack+0x1b/0x40\n [23827.534710]  kasan_record_aux_stack+0xab/0xc0\n [23827.535492]  kvfree_call_rcu+0x31/0x7b0\n [23827.536206]  
mlx5e_tc_del\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00013,"ranking_epss":0.01993,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d1e7a7964ce6abb28883a3906bbc20fe0009f03","https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93","https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3","https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93","https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-05-21T15:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36004","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nA similar error was encountered on ice too and it was fixed by\nremoving the flag. 
Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[  +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[  +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[  +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[  +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[  +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[  +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[  +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[  +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[  +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[  +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 
RDI:\nffff94d47f620bc0\n[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[  +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[  +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[  +0.000001] FS:  0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[  +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[  +0.000001] PKRU: 55555554\n[  +0.000001] Call Trace:\n[  +0.000001]  <TASK>\n[  +0.000002]  ? __warn+0x80/0x130\n[  +0.000003]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? report_bug+0x195/0x1a0\n[  +0.000005]  ? handle_bug+0x3c/0x70\n[  +0.000003]  ? exc_invalid_op+0x14/0x70\n[  +0.000002]  ? asm_exc_invalid_op+0x16/0x20\n[  +0.000006]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? 
check_flush_dependency+0x10b/0x120\n[  +0.000002]  __flush_workqueue+0x126/0x3f0\n[  +0.000015]  ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[  +0.000056]  __ib_unregister_device+0x6a/0xb0 [ib_core]\n[  +0.000023]  ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[  +0.000020]  i40iw_close+0x4b/0x90 [irdma]\n[  +0.000022]  i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[  +0.000035]  i40e_service_task+0x126/0x190 [i40e]\n[  +0.000024]  process_one_work+0x174/0x340\n[  +0.000003]  worker_th\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01763,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c","https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939","https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e","https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c","https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd","https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0","https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22","https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f","https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c","https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939","https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e","https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c","https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd","https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0","https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22","https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-anno
unce/2024/06/msg00020.html"],"published_time":"2024-05-20T10:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36005","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS:  0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006]  <TASK>\n[524854.859013]  ? __warn+0x9f/0x1a0\n[524854.859027]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044]  ? report_bug+0x1b1/0x1e0\n[524854.859060]  ? handle_bug+0x3c/0x70\n[524854.859071]  ? 
exc_invalid_op+0x17/0x40\n[524854.859083]  ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100]  ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135]  nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461]  ? packet_notifier+0xb3/0x360\n[524854.859476]  ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489]  ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661]  notifier_call_chain+0x7d/0x140\n[524854.859677]  unregister_netdevice_many_notify+0x5e1/0xae0","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02104,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9","https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2","https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816","https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2","https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a","https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b","https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9","https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2","https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816","https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2","https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a","https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36006","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n 
</TASK>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530","https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a","https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154","https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0","https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40","https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97","https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79","https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530","https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a","https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154","https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0","https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40","https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97","https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-36007","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. 
This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places that currently only reset the chunk marker. For good\nmeasure, also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G        W          6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. 
MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n </TASK>","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573","https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596","https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d","https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952","https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b","https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916","https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861","https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573","https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596","https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d","https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952","https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b","https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916","https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35988","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit 
NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03246,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6","https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be","https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b","https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948","https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa","https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2","https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6","https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be","https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b","https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948","https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa","https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35996","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpu: Re-enable CPU mitigations by default for !X86 architectures\n\nRename x86's to CPU_MITIGATIONS, define it in generic code, and force it\non for all architectures except x86.  
A recent commit to turn\nmitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta\nmissed that \"cpu_mitigations\" is completely generic, whereas\nSPECULATION_MITIGATIONS is x86-specific.\n\nRename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it\nselect CPU_MITIGATIONS, as having two configs for the same thing is\nunnecessary and confusing.  This will also allow x86 to use the knob to\nmanage mitigations that aren't strictly related to speculative\nexecution.\n\nUse another Kconfig to communicate to common code that CPU_MITIGATIONS\nis already defined instead of having x86's menu depend on the common\nCPU_MITIGATIONS.  This allows keeping a single point of contact for all\nof x86's mitigations, and it's not clear that other architectures *want*\nto allow disabling mitigations at compile-time.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00037,"ranking_epss":0.10997,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/36b32816fbab267611f073223f1b0b816ec5920f","https://git.kernel.org/stable/c/38f17d1fbb5bfb56ca1419e2d06376d57a9396f9","https://git.kernel.org/stable/c/8292f4f8dd1b005d0688d726261004f816ef730a","https://git.kernel.org/stable/c/af6d6a923b40bf6471e44067ac61cc5814b48e7f","https://git.kernel.org/stable/c/fd8547ebc187037cc69441a15c1441aeaab80f49","https://git.kernel.org/stable/c/fe42754b94a42d08cf9501790afc25c4f6a5f631","https://git.kernel.org/stable/c/36b32816fbab267611f073223f1b0b816ec5920f","https://git.kernel.org/stable/c/38f17d1fbb5bfb56ca1419e2d06376d57a9396f9","https://git.kernel.org/stable/c/8292f4f8dd1b005d0688d726261004f816ef730a","https://git.kernel.org/stable/c/af6d6a923b40bf6471e44067ac61cc5814b48e7f","https://git.kernel.org/stable/c/fd8547ebc187037cc69441a15c1441aeaab80f49","https://git.kernel.org/stable/c/fe42754b94a42d08cf9501790afc25c4f6a5f631","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-0
5-20T10:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35973","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  
__do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
02/29/2024","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00729,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915","https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e","https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852","https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79","https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536","https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670","https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c","https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef","https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915","https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e","https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852","https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79","https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536","https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670","https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c","https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-20T10:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35958","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n  or XDP_TX instructions\n\nThe ena_free_tx_bufs() 
cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0003,"ranking_epss":0.08436,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1","https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7","https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0","https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde","https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d","https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2","https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1","https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7","https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0","https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde","https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d","https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35960","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. 
On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which led to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. 
This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.01748,"ranking_epss":0.82489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423","https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f","https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801","https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0","https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64","https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453","https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d","https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2","https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423","https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f","https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801","https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0","https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64","https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453","https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d","https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-20T10:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35962","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: complete validation of user input\n\nIn my recent commit, I missed that do_replace() handlers\nuse copy_from_sockptr() (which I fixed), followed\nby unsafe copy_from_sockptr_offset() 
calls.\n\nIn all functions, we can perform the @optlen validation\nbefore even calling xt_alloc_table_info() with the following\ncheck:\n\nif ((u64)optlen < (u64)tmp.size + sizeof(tmp))\n        return -EINVAL;","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00597,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/562b7245131f6e9f1d280c8b5a8750f03edfc05c","https://git.kernel.org/stable/c/65acf6e0501ac8880a4f73980d01b5d27648b956","https://git.kernel.org/stable/c/89242d9584c342cb83311b598d9e6b82572eadf8","https://git.kernel.org/stable/c/97dab36e57c64106e1c8ebd66cbf0d2d1e52d6b7","https://git.kernel.org/stable/c/c760089aa98289b4b88a7ff5a62dd92845adf223","https://git.kernel.org/stable/c/cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05","https://git.kernel.org/stable/c/562b7245131f6e9f1d280c8b5a8750f03edfc05c","https://git.kernel.org/stable/c/65acf6e0501ac8880a4f73980d01b5d27648b956","https://git.kernel.org/stable/c/89242d9584c342cb83311b598d9e6b82572eadf8","https://git.kernel.org/stable/c/97dab36e57c64106e1c8ebd66cbf0d2d1e52d6b7","https://git.kernel.org/stable/c/c760089aa98289b4b88a7ff5a62dd92845adf223","https://git.kernel.org/stable/c/cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35967","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at 
addr ffff88805f7b15a3 by task syz-executor.5/12578","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":7e-05,"ranking_epss":0.00608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2c2dc87cdebef3fe3b9d7a711a984c70e376e32e","https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7","https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01","https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c","https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315","https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce","https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7","https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01","https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c","https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315","https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35969","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. 
In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n   reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increment the reference count\n   (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing the reference count in such a case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[   41.506330] refcount_t: addition on 0; use-after-free.\n[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[   41.507413] Modules linked in: veth bridge stp llc\n[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   41.516252] DR3: 
0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   41.516799] Call Trace:\n[   41.517037]  <TASK>\n[   41.517249]  ? __warn+0x7b/0x120\n[   41.517535]  ? refcount_warn_saturate+0xa5/0x130\n[   41.517923]  ? report_bug+0x164/0x190\n[   41.518240]  ? handle_bug+0x3d/0x70\n[   41.518541]  ? exc_invalid_op+0x17/0x70\n[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20\n[   41.521325]  ? refcount_warn_saturate+0xa5/0x130\n[   41.521708]  ipv6_get_ifaddr+0xda/0xe0\n[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0\n[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0\n[   41.523102]  ? netlink_unicast+0x30f/0x390\n[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   41.523832]  netlink_rcv_skb+0x53/0x100\n[   41.524157]  netlink_unicast+0x23b/0x390\n[   41.524484]  netlink_sendmsg+0x1f2/0x440\n[   41.524826]  __sys_sendto+0x1d8/0x1f0\n[   41.525145]  __x64_sys_sendto+0x1f/0x30\n[   41.525467]  do_syscall_64+0xa5/0x1b0\n[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[   41.526213] RIP: 0033:0x7fbc4cfcea9a\n[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   41.527942] RSP: 
002b:00007f\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652","https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70","https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb","https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83","https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129","https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1","https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903","https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb","https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652","https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70","https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb","https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83","https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129","https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1","https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903","https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-20T10:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35950","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it 
the elements may already be pointing to\nfreed/reused memory.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00686,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984","https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055","https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea","https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0","https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e","https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764","https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949","https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984","https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055","https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea","https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0","https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e","https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764","https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-20T10:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35955","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. 
`is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00336,"ranking_epss":0.56447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e","https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8","https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0","https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d","https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808","https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412","https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33","https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f","https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e","https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8","https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0","https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d","
https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808","https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412","https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33","https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-20T10:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35947","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009.  Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05526,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c","https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081","https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38","https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b","https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0","https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab","https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc","https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561","https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c","https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081","https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38","https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b","https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0","https://git.kernel.
org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab","https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc","https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"],"published_time":"2024-05-19T12:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35944","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36         struct datagram_entry *entry;\n 37         struct work_struct work;\n 38         bool in_dg_host_queue;\n 39         /* msg and msg_payload must be together. 
*/\n 40         struct vmci_datagram msg;\n 41         u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02229,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74","https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec","https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f","https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100","https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73","https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051","https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b","https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75","https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74","https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec","https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f","https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100","https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73","https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051","https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b","https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-
05-19T11:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35930","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02167,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf","https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b","https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f","https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7","https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a","https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8","https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8","https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f","https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf","https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b","https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f","https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7","https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a","https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8","https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8","https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lis
ts.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35933","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03407,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e","https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912","https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645","https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b","https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28","https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e","https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b","https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9","https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912","https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645","https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990","https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35934","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl 
in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 
net/smc/smc_pnet.c:878","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03246,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0","https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7","https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec","https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4","https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2","https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23","https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0","https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7","https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec","https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4","https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2","https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T11:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35935","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. 
The pointers are not printed so we don't accidentally leak kernel\naddresses.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"epss":0.00019,"ranking_epss":0.04826,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229","https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5","https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a","https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501","https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9","https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c","https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3","https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183","https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229","https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5","https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a","https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501","https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9","https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c","https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3","https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35936","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first 
the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d","https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da","https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2","https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9","https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99","https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385","https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89","https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7","https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d","https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da","https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2","https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9","https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99","https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385","https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89","https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:
15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35940","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05421,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb","https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682","https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc","https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8","https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041","https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70","https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb","https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682","https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc","https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8","https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041","https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T11:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35922","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. 
It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05376,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4","https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f","https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33","https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029","https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971","https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270","https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0","https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126","https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4","https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f","https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33","https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029","https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971","https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270","https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0","https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35925","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. 
It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02229,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8","https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854","https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe","https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7","https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02","https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68","https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c","https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14","https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8","https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854","https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe","https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7","https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02","https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68","https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c","https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52699","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock 
held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00083,"ranking_epss":0.24476,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76","https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f","https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09","https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1","https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac","https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3","https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e","https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927","https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76","https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f","https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09","https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1","https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac","https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2
d3","https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e","https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T11:15:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35902","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n  - rds_get_mr()\n  - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n  (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? 
ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n  where trans_private is assigned as per the previous point in this analysis.\n\n  The only implementation of get_mr that I could locate is rds_ib_get_mr()\n  which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n  Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n  this patch does seem to address a possible bug","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05376,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b","https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a","https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d","https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9","https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196","https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14","https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c","https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029","https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b","https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a","https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d","https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9","https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196","https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14","https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c","https://git.kernel.org/stable/c/d49fac38479b
fdaec52b3ea274d290c47a294029","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35905","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in 
a833a17aeac7.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00029,"ranking_epss":0.08299,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103","https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69","https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69","https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1","https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d","https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8","https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103","https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69","https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69","https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1","https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d","https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35910","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds 
a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.","cvss":5.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.8,"epss":0.0002,"ranking_epss":0.05461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada","https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4","https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f","https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a","https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de","https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50","https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87","https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810","https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada","https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4","https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f","https://git.kernel.org/stable/c/899265c1389
fe022802aae73dbf13ee08837a35a","https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de","https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50","https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87","https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35915","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler 
codes.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff","https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240","https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c","https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a","https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a","https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16","https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7","https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f","https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff","https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240","https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c","https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a","https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a","https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16","https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7","https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35893","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: 
KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 
[inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 
net/netlink/af_netli\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02229,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366","https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5","https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924","https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c","https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14","https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd","https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec","https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077","https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366","https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5","https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924","https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c","https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14","https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd","https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec","https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35895","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. 
Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&htab->buckets[i].lock);\n                               local_irq_disable();\n                               lock(&host->lock);\n                               lock(&htab->buckets[i].lock);\n  <Interrupt>\n    lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program 
today.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.01019,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86","https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd","https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5","https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec","https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75","https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058","https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48","https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86","https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd","https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5","https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec","https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75","https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058","https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35896","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds 
in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n  do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n  nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 
000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n </TASK>\n\nAllocated by task 7238:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:4069 [inline]\n  __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n  kmalloc_noprof include/linux/slab.h:664 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 
00\n---truncated---","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00012,"ranking_epss":0.01465,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc","https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6","https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5","https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b","https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018","https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525","https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc","https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6","https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5","https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b","https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018","https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://security.netapp.com/advisory/ntap-20250321-0004/"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35897","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. 
When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01763,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518","https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4","https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb","https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927","https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827","https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78","https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362","https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc","https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518","https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4","https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb","https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927","https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827","https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78","https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362","https://git.kernel.org/stable/c/e75faf01e22ec7dc671640fa0e0968964fafd2fc","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35898","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere 
is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.00993,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304","https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8","https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007","https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df","https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331","https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b","https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77","https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859","https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304","https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8","https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007","https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df","https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331","https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b","https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77","https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2
024-35899","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991]  <TASK>\n[ 1360.547998]  dump_stack_lvl+0x53/0x70\n[ 1360.548014]  print_report+0xc4/0x610\n[ 1360.548026]  ? __virt_addr_valid+0xba/0x160\n[ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176]  kasan_report+0xae/0xe0\n[ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591]  process_one_work+0x2f1/0x670\n[ 1360.548610]  worker_thread+0x4d3/0x760\n[ 1360.548627]  ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640]  kthread+0x16b/0x1b0\n[ 1360.548653]  ? __pfx_kthread+0x10/0x10\n[ 1360.548665]  ret_from_fork+0x2f/0x50\n[ 1360.548679]  ? 
__pfx_kthread+0x10/0x10\n[ 1360.548690]  ret_from_fork_asm+0x1a/0x30\n[ 1360.548707]  </TASK>\n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726]  kasan_save_stack+0x20/0x40\n[ 1360.548739]  kasan_save_track+0x14/0x30\n[ 1360.548750]  __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760]  __kmalloc_node+0x1f1/0x450\n[ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927]  netlink_unicast+0x367/0x4f0\n[ 1360.548935]  netlink_sendmsg+0x34b/0x610\n[ 1360.548944]  ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953]  ___sys_sendmsg+0xc9/0x120\n[ 1360.548961]  __sys_sendmsg+0xbe/0x140\n[ 1360.548971]  do_syscall_64+0x55/0x120\n[ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999]  kasan_save_stack+0x20/0x40\n[ 1360.549009]  kasan_save_track+0x14/0x30\n[ 1360.549019]  kasan_save_free_info+0x3b/0x60\n[ 1360.549028]  poison_slab_object+0x100/0x180\n[ 1360.549036]  __kasan_slab_free+0x14/0x30\n[ 1360.549042]  kfree+0xb6/0x260\n[ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221]  ops_exit_list+0x50/0xa0\n[ 1360.549229]  free_exit_list+0x101/0x140\n[ 1360.549236]  unregister_pernet_operations+0x107/0x160\n[ 1360.549245]  unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345]  __do_sys_delete_module+0x253/0x370\n[ 1360.549352]  do_syscall_64+0x55/0x120\n[ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350                   list_del(&flowtable->list);\n11351                   nft_use_dec(&table->use);\n11352                   
nf_tables_flowtable_destroy(flowtable);\n11353           }\n11354           list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355                   list_del(&set->list);\n11356                   nft_use_dec(&table->use);\n11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358                           nft_map_deactivat\n---truncated---","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":9e-05,"ranking_epss":0.00868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2","https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7","https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31","https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e","https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6","https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86","https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49","https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2","https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7","https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31","https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e","https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6","https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86","https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35900","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase 
by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n  add table x\n  add chain x y { type filter hook input priority 0; }\n  add table x { flags dormant; }\n  add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[  127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50                                                                     1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[  127.322519] Call Trace:\n[  127.322521]  <TASK>\n[  127.322524]  ? __warn+0x9f/0x1a0\n[  127.322531]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322537]  ? report_bug+0x1b1/0x1e0\n[  127.322545]  ? handle_bug+0x3c/0x70\n[  127.322552]  ? exc_invalid_op+0x17/0x40\n[  127.322556]  ? asm_exc_invalid_op+0x1a/0x20\n[  127.322563]  ? kasan_save_free_info+0x3b/0x60\n[  127.322570]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322577]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322583]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322590]  ? 
__nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[  127.322655]  nft_table_disable+0x75/0xf0 [nf_tables]\n[  127.322717]  nf_tables_commit+0x2571/0x2620 [nf_tables]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00016,"ranking_epss":0.03407,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab","https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7","https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8","https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830","https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b","https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb","https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769","https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a","https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab","https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7","https://git.kernel.org/stable/c/6d12f21f8bbe23fde25b77c2bf5973c136b8bef8","https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830","https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b","https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb","https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769","https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35879","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n  1) of_platform_depopulate()\n  2) of_overlay_remove()\n\nDuring the step 1, devices are 
destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n  ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a","https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c","https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951","https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82","https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84","https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c","https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a","https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c","https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951","https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82","https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84","https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35884","summary":"
In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offsets are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. 
It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n    RIP: 0010:skb_segment+0xd2a/0xf70\n    __udp_gso_segment+0xaa/0x560","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02504,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19","https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8","https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4","https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f","https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd","https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670","https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19","https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8","https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4","https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f","https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd","https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35886","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  
[1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\n\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: 
TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 
kernel/workqueue.\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.02805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2","https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778","https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061","https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe","https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985","https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae","https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776","https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6","https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2","https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778","https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061","https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe","https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985","https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae","https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776","https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35888","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting 
@ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n    because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n  pskb_may_pull include/linux/skbuff.h:2756 [inline]\n  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:460 [inline]\n  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n  netif_receive_skb_internal net/core/dev.c:5738 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created 
at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  tun_alloc_skb drivers/net/tun.c:1525 [inline]\n  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff 
#0","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00517,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac","https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446","https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0","https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d","https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d","https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85","https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5","https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7","https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac","https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446","https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0","https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d","https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d","https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85","https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5","https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35866","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being torn down (status == SES_EXITING) to\navoid 
UAF.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00013,"ranking_epss":0.02006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682","https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113","https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045","https://git.kernel.org/stable/c/d798fd98e3563027c5162259ead517057d6fa794","https://git.kernel.org/stable/c/f4a60d360d9114b5085701a3702a0102b0d6d846","https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682","https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113","https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045","https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"],"published_time":"2024-05-19T09:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35867","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being torn down (status == SES_EXITING) to\navoid 
UAF.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65","https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49","https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7","https://git.kernel.org/stable/c/838ec01ea8d3deb5d123e8ed9022e8162dc3f503","https://git.kernel.org/stable/c/bb6570085826291dc392005f9fec16ea5da3c8ad","https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39","http://www.openwall.com/lists/oss-security/2024/05/29/2","http://www.openwall.com/lists/oss-security/2024/05/30/1","http://www.openwall.com/lists/oss-security/2024/05/30/2","https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65","https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49","https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7","https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-05-19T09:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35871","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. 
Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n   register state for PID 1 and other user processes started by the kernel has\n   sp = user stack, gp = kernel __global_pointer$, all other integer registers\n   zeroed by the memset in the patch comment.\n\n   This is a bug in its own right, but I'm unwilling to bet that it is the only\n   way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n   before it execs, but ptrace requires SIGSTOP to be delivered which can only\n   happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n   user_mode_helpers before the exec completes, but gp is not one of the\n   registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n   LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. 
I have\n   not attempted to determine which forms of tracing allow access to user\n   registers without already allowing access to kernel registers.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00013,"ranking_epss":0.01958,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4","https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5","https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8","https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9","https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef","https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84","https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4","https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5","https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8","https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9","https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef","https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-19T09:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35877","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  
Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\n\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\n\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n              
   return 1;\n         }\n\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? 
untrack_pfn+0xf4/0x100\n[  3\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00617,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221","https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173","https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6","https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec","https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a","https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f","https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4","https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b","https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221","https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173","https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6","https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec","https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a","https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f","https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4","https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-19T09:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35853","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk 
iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G        W          6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. 
MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"epss":0.00188,"ranking_epss":0.40704,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf","https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e","https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1","https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977","https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d","https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76","https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76","https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf","https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e","https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1","https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977","https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d","https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76","https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T15:15:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35854","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during 
rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n 
poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00194,"ranking_epss":0.41367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049","https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121","https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519","https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887","https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1","https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1","https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388","https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049","https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121","https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519","https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887","https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1","https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1","https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T15:15:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35845","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using 
it.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.00269,"ranking_epss":0.50384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641","https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c","https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7","https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a","https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea","https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209","https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9","https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641","https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c","https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7","https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a","https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea","https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209","https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T15:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35847","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. 
This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00021,"ranking_epss":0.0568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792","https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137","https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438","https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52","https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662","https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91","https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9","https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae","https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792","https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137","https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438","https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52","https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662","https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91","https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9","https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:21","vendor":null,"product":nul
l,"version":null},{"cve_id":"CVE-2024-35848","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00016,"ranking_epss":0.03492,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a","https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676","https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc","https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6","https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da","https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2","https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a","https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676","https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc","https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6","https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da","https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"],"published_time":"2024-05-17T15:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35849","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n  BUG: KMSAN: kernel-infoleak in 
instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. 
This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00014,"ranking_epss":0.0273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf","https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6","https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc","https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772","https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86","https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6","https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d","https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54","https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf","https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6","https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc","https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772","https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86","https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6","https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d","https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52690","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer 
to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00033,"ranking_epss":0.09472,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b","https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19","https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742","https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13","https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9","https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2","https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7","https://git.kernel.org/stable/c/1eefa93faf69188540b08b024794fa90b1d82e8b","https://git.kernel.org/stable/c/2a82c4439b903639e0a1f21990cd399fb0a49c19","https://git.kernel.org/stable/c/9a260f2dd827bbc82cc60eb4f4d8c22707d80742","https://git.kernel.org/stable/c/a9c05cbb6644a2103c75b6906e9dafb9981ebd13","https://git.kernel.org/stable/c/dd8422ff271c22058560832fc3006324ded895a9","https://git.kernel.org/stable/c/ed8d023cfa97b559db58c0e1afdd2eec7a83d8f2","https://git.kernel.org/stable/c/f84c1446daa552e9699da8d1f8375eac0f65edc7","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"],"published_time":"2024-05-17T15:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52691","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and 
free those fields again. Thus\na double-free is triggered.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00011,"ranking_epss":0.0125,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706","https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334","https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30","https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4","https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0","https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a","https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2","https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9","https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706","https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334","https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30","https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4","https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0","https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a","https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2","https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52693","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can 
lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05279,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3","https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95","https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c","https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af","https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8","https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f","https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f","https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099","https://git.kernel.org/stable/c/1e3a2b9b4039bb4d136dca59fb31e06465e056f3","https://git.kernel.org/stable/c/2124c5bc22948fc4d09a23db4a8acdccc7d21e95","https://git.kernel.org/stable/c/39af144b6d01d9b40f52e5d773e653957e6c379c","https://git.kernel.org/stable/c/3a370502a5681986f9828e43be75ce26c6ab24af","https://git.kernel.org/stable/c/556f02699d33c1f40b1b31bd25828ce08fa165d8","https://git.kernel.org/stable/c/72884ce4e10417b1233b614bf134da852df0f15f","https://git.kernel.org/stable/c/c4e1a0ef0b4782854c9b77a333ca912b392bed2f","https://git.kernel.org/stable/c/ccd45faf4973746c4f30ea41eec864e5cf191099","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52694","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: 
tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5","https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205","https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1","https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2","https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114","https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1","https://git.kernel.org/stable/c/08ccff6ece35f08e8107e975903c370d849089e5","https://git.kernel.org/stable/c/53926e2a39629702f7f809d614b3ca89c2478205","https://git.kernel.org/stable/c/81f1bd85960b7a089a91e679ff7cd2524390bbf1","https://git.kernel.org/stable/c/a8657406e12aa10412134622c58977ac657f16d2","https://git.kernel.org/stable/c/ce3e112e7ae854249d8755906acc5f27e1542114","https://git.kernel.org/stable/c/e00ec5901954d85b39b5f10f94e60ab9af463eb1","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"],"published_time":"2024-05-17T15:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52696","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon 
failure.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00282,"ranking_epss":0.51559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664","https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219","https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc","https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1","https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab","https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d","https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0","https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664","https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219","https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc","https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1","https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab","https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d","https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"],"published_time":"2024-05-17T15:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52679","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. 
This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00011,"ranking_epss":0.0125,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db","https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21","https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b","https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2","https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8","https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd","https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7","https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea","https://git.kernel.org/stable/c/26b4d702c44f9e5cf3c5c001ae619a4a001889db","https://git.kernel.org/stable/c/4541004084527ce9e95a818ebbc4e6b293ffca21","https://git.kernel.org/stable/c/4dde83569832f9377362e50f7748463340c5db6b","https://git.kernel.org/stable/c/a0a061151a6200c13149dbcdb6c065203c8425d2","https://git.kernel.org/stable/c/b64d09a4e8596f76d27f4b4a90a1cf6baf6a82f8","https://git.kernel.org/stable/c/b9d760dae5b10e73369b769073525acd7b3be2bd","https://git.kernel.org/stable/c/cafa992134124e785609a406da4ff2b54052aff7","https://git.kernel.org/stable/c/d5f490343c77e6708b6c4aa7dbbfbcbb9546adea","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52683","summary":"In the Linux kernel, the 
following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.0214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782","https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee","https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad","https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de","https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae","https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1","https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4","https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63","https://git.kernel.org/stable/c/56d2eeda87995245300836ee4dbd13b002311782","https://git.kernel.org/stable/c/647d1d50c31e60ef9ccb9756a8fdf863329f7aee","https://git.kernel.org/stable/c/6c38e791bde07d6ca2a0a619ff9b6837e0d5f9ad","https://git.kernel.org/stable/c/72222dfd76a79d9666ab3117fcdd44ca8cd0c4de","https://git.kernel.org/stable/c/b7aab9d906e2e252a7783f872406033ec49b6dae","https://git.kernel.org/stable/c/c1814a4ffd016ce5392c6767d22ef3aa2f0d4bd1","https://git.kernel.org/stable/c/d1ac288b2742aa4af746c5613bac71760fadd1c4","https://git.kernel.org/stable/c/f39c3d578c7d09a18ceaf56750fc7f20b02ada63","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T15:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52686","summary":"In the Linux kernel, the 
following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02105,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4","https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050","https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9","https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877","https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7","https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42","https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf","https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031","https://git.kernel.org/stable/c/8422d179cf46889c15ceff9ede48c5bfa4e7f0b4","https://git.kernel.org/stable/c/8649829a1dd25199bbf557b2621cedb4bf9b3050","https://git.kernel.org/stable/c/9a523e1da6d88c2034f946adfa4f74b236c95ca9","https://git.kernel.org/stable/c/a14c55eb461d630b836f80591d8caf1f74e62877","https://git.kernel.org/stable/c/c0b111ea786ddcc8be0682612830796ece9436c7","https://git.kernel.org/stable/c/e08c2e275fa1874de945b87093f925997722ee42","https://git.kernel.org/stable/c/e6ad05e3ae9c84c5a71d7bb2d44dc845ae7990cf","https://git.kernel.org/stable/c/e93d7cf4c1ddbcd846739e7ad849f955a4f18031","https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"],"published_time":"2024-05-17T15:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35835","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. 
However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00158,"ranking_epss":0.3669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7","https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b","https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb","https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b","https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7","https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056","https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5","https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629","https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7","https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b","https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb","https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b","https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7","https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056","https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5","https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35837","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results 
in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00026,"ranking_epss":0.07204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f","https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b","https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38","https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa","https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec","https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4","https://git.kernel.org/stable/c/83f99138bf3b396f761600ab488054396fb5768f","https://git.kernel.org/stable/c/938729484cfa535e9987ed0f86f29a2ae3a8188b","https://git.kernel.org/stable/c/9f538b415db862e74b8c5d3abbccfc1b2b6caa38","https://git.kernel.org/stable/c/af47faa6d3328406038b731794e7cf508c71affa","https://git.kernel.org/stable/c/cec65f09c47d8c2d67f2bcad6cf05c490628d1ec","https://git.kernel.org/stable/c/dc77f6ab5c3759df60ff87ed24f4d45df0f3b4c4","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35829","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix a memleak in lima_heap_alloc\n\nWhen lima_vm_map_bo fails, the resources need to be deallocated, or\nthere will be 
memleaks.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.0561,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea","https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab","https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f","https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7","https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd","https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed","https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf","https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea","https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab","https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f","https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7","https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd","https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed","https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35830","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tc358743: register v4l2 async device only after successful setup\n\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to 
access.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05261,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17c2650de14842c25c569cbb2126c421489a3a24","https://git.kernel.org/stable/c/4f1490a5d7a0472ee5d9f36547bc4ba46be755c7","https://git.kernel.org/stable/c/610f20e5cf35ca9c0992693cae0dd8643ce932e7","https://git.kernel.org/stable/c/87399f1ff92203d65f1febf5919429f4bb613a02","https://git.kernel.org/stable/c/8ba8db9786b55047df5ad3db3e01dd886687a77d","https://git.kernel.org/stable/c/b8505a1aee8f1edc9d16d72ae09c93de086e2a1a","https://git.kernel.org/stable/c/c915c46a25c3efb084c4f5e69a053d7f7a635496","https://git.kernel.org/stable/c/daf21394f9898fb9f0698c3e50de08132d2164e6","https://git.kernel.org/stable/c/edbb3226c985469a2f8eb69885055c9f5550f468","https://git.kernel.org/stable/c/17c2650de14842c25c569cbb2126c421489a3a24","https://git.kernel.org/stable/c/4f1490a5d7a0472ee5d9f36547bc4ba46be755c7","https://git.kernel.org/stable/c/610f20e5cf35ca9c0992693cae0dd8643ce932e7","https://git.kernel.org/stable/c/87399f1ff92203d65f1febf5919429f4bb613a02","https://git.kernel.org/stable/c/8ba8db9786b55047df5ad3db3e01dd886687a77d","https://git.kernel.org/stable/c/b8505a1aee8f1edc9d16d72ae09c93de086e2a1a","https://git.kernel.org/stable/c/c915c46a25c3efb084c4f5e69a053d7f7a635496","https://git.kernel.org/stable/c/daf21394f9898fb9f0698c3e50de08132d2164e6","https://git.kernel.org/stable/c/edbb3226c985469a2f8eb69885055c9f5550f468","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35833","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove 
function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00025,"ranking_epss":0.06715,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3","https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24","https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8","https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59","https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714","https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6","https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802","https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3","https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24","https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8","https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59","https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714","https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6","https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35825","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is 
terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying whether the leftover bytes to be processed are zero\nor not. If the block length reads zero, we would process the same\nNTB infinitely because the leftover bytes are never zero, and it leads\nto a crash. 
Fix this by bailing out if block length reads zero.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c","https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7","https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b","https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f","https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c","https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779","https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03","https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70","https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c","https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7","https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b","https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f","https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c","https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779","https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03","https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35828","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\n\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. 
Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05205,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4d99d267da3415db2124029cb5a6d2d955ca43f9","https://git.kernel.org/stable/c/5f0e4aede01cb01fa633171f0533affd25328c3a","https://git.kernel.org/stable/c/8e243ac649c10922a6b4855170eaefe4c5b3faab","https://git.kernel.org/stable/c/96481624fb5a6319079fb5059e46dbce43a90186","https://git.kernel.org/stable/c/bea9573c795acec5614d4ac2dcc7b3b684cea5bf","https://git.kernel.org/stable/c/d219724d4b0ddb8ec7dfeaed5989f23edabaf591","https://git.kernel.org/stable/c/da10f6b7918abd5b4bc5c9cb66f0fc6763ac48f3","https://git.kernel.org/stable/c/e888c4461e109f7b93c3522afcbbaa5a8fdf29d2","https://git.kernel.org/stable/c/f0dd27314c7afe34794c2aa19dd6f2d30eb23bc7","https://git.kernel.org/stable/c/4d99d267da3415db2124029cb5a6d2d955ca43f9","https://git.kernel.org/stable/c/5f0e4aede01cb01fa633171f0533affd25328c3a","https://git.kernel.org/stable/c/8e243ac649c10922a6b4855170eaefe4c5b3faab","https://git.kernel.org/stable/c/96481624fb5a6319079fb5059e46dbce43a90186","https://git.kernel.org/stable/c/bea9573c795acec5614d4ac2dcc7b3b684cea5bf","https://git.kernel.org/stable/c/d219724d4b0ddb8ec7dfeaed5989f23edabaf591","https://git.kernel.org/stable/c/da10f6b7918abd5b4bc5c9cb66f0fc6763ac48f3","https://git.kernel.org/stable/c/e888c4461e109f7b93c3522afcbbaa5a8fdf29d2","https://git.kernel.org/stable/c/f0dd27314c7afe34794c2aa19dd6f2d30eb23bc7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35821","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, 
so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00115,"ranking_epss":0.30222,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3","https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566","https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e","https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e","https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f","https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310","https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f","https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3","https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f","https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3","https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566","https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e","https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e","https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f","https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310","https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f","https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3","https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:17","vendor":null,"pr
oduct":null,"version":null},{"cve_id":"CVE-2024-35822","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible to trigger the warning message below from the mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nThe root cause is that the mass storage function tries to queue a request from the main thread,\nbut another thread may already have disabled the ep on function disable.\n\nAs there is no function failure in the driver, in order to avoid the effort\nof fixing the warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.0621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e","https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8","https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252","https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c","https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a","https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c","https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290","https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf","https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf","https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e","https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8","https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252","https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c","https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a","https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c
","https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290","https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf","https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35823","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00271,"ranking_epss":0.50531,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f","https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d","https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90","https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1","https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda","https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51","https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d","https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a","https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f","https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d","https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90","https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1","https://git.kernel.org/stable/c/7529cbd8b5f6697b369803f
e1533612c039cabda","https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51","https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d","https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35815","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3","https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7","https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50","https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596","https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2","https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a","https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410","https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e","https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3","https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7","https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50","https://gi
t.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596","https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2","https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a","https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410","https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35819","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or 
down.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.0621,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02","https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1","https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa","https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e","https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506","https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14","https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df","https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc","https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59","https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02","https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1","https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa","https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e","https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506","https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14","https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df","https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc","https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35811","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 
:\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn the brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is:\n\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\n\nWhile the timeout worker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00787,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb","https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744","https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78","https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a","https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169","https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a","https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731","https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1","https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa","https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb","https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744","https://git.kernel
.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78","https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a","https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169","https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a","https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731","https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1","https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35813","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. 
Let's fix this by adding a check.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.02136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56","https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6","https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2","https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304","https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28","https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55","https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68","https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014","https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56","https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6","https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2","https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304","https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28","https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55","https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68","https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35806","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. 
To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0001,"ranking_epss":0.01086,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397","https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f","https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3","https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a","https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03","https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd","https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9","https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec","https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430","https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397","https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f","https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3","https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a","https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03","https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd","https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9","https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec","https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35807","summary":"In the Linux kernel, the following vulnerability has 
been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more than 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubtracting the size of a whole block group from the point where the\nmeta block group would start. 
This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6","https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5","https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd","https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1","https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc","https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c","https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a","https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c","https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df","https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6","https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5","https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd","https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1","https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc","https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c","https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a","https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c","https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35809","summary":"In the 
Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  
A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":6e-05,"ranking_epss":0.00329,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1","https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970","https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674","https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b","https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6","https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf","https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491","https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5","https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989","https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1","https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970","https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674","https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b","https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6","https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf","https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491","https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5","https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"publishe
d_time":"2024-05-17T14:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35805","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7","https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1","https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683","https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc","https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c","https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2","https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e","https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366","https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7","https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1","https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683","https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc","https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c","https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2","https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e","https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35796","summary":"In the Linux kernel, the following vulnerability 
has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11","https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3","https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a","https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e","https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48","https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8","https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1","https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11","https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3","https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a","https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e","https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48","https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8","https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52670","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when 
rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n  comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n  hex dump (first 32 bytes):\n    72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n    [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n    [<00000000228a60c3>] kstrndup+0x4c/0x90\n    [<0000000077158695>] driver_set_override+0xd0/0x164\n    [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n    [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n    [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n    [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n    [<00000000443331cc>] really_probe+0xbc/0x2dc\n    [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n    [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n    [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n    [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n    [<000000003b929a36>] __device_attach+0x9c/0x19c\n    [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n    [<000000003c999637>] 
bus_probe_device+0xa0/0xac","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00648,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08","https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6","https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a","https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30","https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43","https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687","https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d","https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346","https://git.kernel.org/stable/c/229ce47cbfdc7d3a9415eb676abbfb77d676cb08","https://git.kernel.org/stable/c/2d27a7b19cb354c6d04bcdc9239e261ff29858d6","https://git.kernel.org/stable/c/4e6cef3fae5c164968118a13f3fe293700adc81a","https://git.kernel.org/stable/c/69ca89d80f2c8a1f5af429b955637beea7eead30","https://git.kernel.org/stable/c/9a416d624e5fb7246ea97c11fbfea7e0e27abf43","https://git.kernel.org/stable/c/d5362c37e1f8a40096452fc201c30e705750e687","https://git.kernel.org/stable/c/dd50fe18c234bd5ff22f658f4d414e8fa8cd6a5d","https://git.kernel.org/stable/c/f4bb1d5daf77b1a95a43277268adf0d1430c2346","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T14:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52672","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. 
See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occurred it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues]","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.0061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8","https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9","https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24","https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55","https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f","https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8","https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9","https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24","https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55","https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f","https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52669","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left.  
Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00016,"ranking_epss":0.03584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285","https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79","https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b","https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e","https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23","https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874","https://git.kernel.org/stable/c/a7f580cdb42ec3d53bbb7c4e4335a98423703285","https://git.kernel.org/stable/c/cd51e26a3b89706beec64f2d8296cfb1c34e0c79","https://git.kernel.org/stable/c/d07f951903fa9922c375b8ab1ce81b18a0034e3b","https://git.kernel.org/stable/c/d68ac38895e84446848b7647ab9458d54cacba3e","https://git.kernel.org/stable/c/dbc9a791a70ea47be9f2acf251700fe254a2ab23","https://git.kernel.org/stable/c/e78f1a43e72daf77705ad5b9946de66fc708b874","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T14:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27436","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Stop parsing channels bits when all channels are found.\n\nIf a usb audio device sets more bits than the amount of channels\nit could write outside of the map 
array.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00148,"ranking_epss":0.35399,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72","https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827","https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6","https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a","https://git.kernel.org/stable/c/6d88b289fb0a8d055cb79d1c46a56aba7809d96d","https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f","https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064","https://git.kernel.org/stable/c/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7","https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35cde517a9","https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72","https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827","https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6","https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a","https://git.kernel.org/stable/c/6d88b289fb0a8d055cb79d1c46a56aba7809d96d","https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f","https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064","https://git.kernel.org/stable/c/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7","https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35cde517a9","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T13:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35785","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has 
a\nbug leading to kernel panic as follows:\n\n[   15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[   15.406913] Mem abort info:\n[   15.409722]   ESR = 0x0000000096000005\n[   15.413490]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   15.418814]   SET = 0, FnV = 0\n[   15.421878]   EA = 0, S1PTW = 0\n[   15.425031]   FSC = 0x05: level 1 translation fault\n[   15.429922] Data abort info:\n[   15.432813]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[   15.438310]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   15.443372]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[   15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[   15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nled to the introduction of this bug. So fix it appropriately.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":0.00026,"ranking_epss":0.07279,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7","https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee","https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac","https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4","https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3","https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95","https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7","https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee","https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac","https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4","https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07
d7d3","https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T13:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35789","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00048,"ranking_epss":0.14895,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc","https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685","https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7","https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b","https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931","https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f","https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb","https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e","https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921","https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc","https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685","https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7","https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b","https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931","https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f","https://git.kernel.org/stable/c/e867
8551c0243f799b4859448781cbec1bd6f1cb","https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e","https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T13:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-35791","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated.  I.e. 
the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00028,"ranking_epss":0.07777,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4","https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d","https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865","https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807","https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7","https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a","https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4","https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d","https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865","https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807","https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7","https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T13:15:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27431","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\n\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. 
Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\n\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03246,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5","https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95","https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297","https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6","https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b","https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a","https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5","https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95","https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297","https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6","https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b","https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T12:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27416","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST\n\nIf we received HCI_EV_IO_CAPA_REQUEST while\nHCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote\ndoes support SSP since otherwise this event shouldn't be 
generated.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05376,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/30a5e812f78e3d1cced90e1ed750bf027599205f","https://git.kernel.org/stable/c/79820a7e1e057120c49be07cbe10643d0706b259","https://git.kernel.org/stable/c/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865","https://git.kernel.org/stable/c/8e2758cc25891d2b76717aaf89b40ed215de188c","https://git.kernel.org/stable/c/afec8f772296dd8e5a2a6f83bbf99db1b9ca877f","https://git.kernel.org/stable/c/c3df637266df29edee85e94cab5fd7041e5753ba","https://git.kernel.org/stable/c/df193568d61234c81de7ed4d540c01975de60277","https://git.kernel.org/stable/c/fba268ac36ab19f9763ff90d276cde0ce6cd5f31","https://git.kernel.org/stable/c/30a5e812f78e3d1cced90e1ed750bf027599205f","https://git.kernel.org/stable/c/79820a7e1e057120c49be07cbe10643d0706b259","https://git.kernel.org/stable/c/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865","https://git.kernel.org/stable/c/8e2758cc25891d2b76717aaf89b40ed215de188c","https://git.kernel.org/stable/c/afec8f772296dd8e5a2a6f83bbf99db1b9ca877f","https://git.kernel.org/stable/c/c3df637266df29edee85e94cab5fd7041e5753ba","https://git.kernel.org/stable/c/df193568d61234c81de7ed4d540c01975de60277","https://git.kernel.org/stable/c/fba268ac36ab19f9763ff90d276cde0ce6cd5f31","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27417","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\n\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" 
refcount.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01786,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10bfd453da64a057bcfd1a49fb6b271c48653cdb","https://git.kernel.org/stable/c/1b0998fdd85776775d975d0024bca227597e836a","https://git.kernel.org/stable/c/33a1b6bfef6def2068c8703403759024ce17053e","https://git.kernel.org/stable/c/44112bc5c74e64f28f5a9127dc34066c7a09bd0f","https://git.kernel.org/stable/c/810fa7d5e5202fcfb22720304b755f1bdfd4c174","https://git.kernel.org/stable/c/8a54834c03c30e549c33d5da0975f3e1454ec906","https://git.kernel.org/stable/c/9d4ffb5b9d879a75e4f7460e8b10e756b4dfb132","https://git.kernel.org/stable/c/10bfd453da64a057bcfd1a49fb6b271c48653cdb","https://git.kernel.org/stable/c/1b0998fdd85776775d975d0024bca227597e836a","https://git.kernel.org/stable/c/33a1b6bfef6def2068c8703403759024ce17053e","https://git.kernel.org/stable/c/44112bc5c74e64f28f5a9127dc34066c7a09bd0f","https://git.kernel.org/stable/c/810fa7d5e5202fcfb22720304b755f1bdfd4c174","https://git.kernel.org/stable/c/8a54834c03c30e549c33d5da0975f3e1454ec906","https://git.kernel.org/stable/c/9d4ffb5b9d879a75e4f7460e8b10e756b4dfb132","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T12:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27419","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_net_busy_read\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed 
concurrently.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00012,"ranking_epss":0.01719,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0866afaff19d8460308b022345ed116a12b1d0e1","https://git.kernel.org/stable/c/16d71319e29d5825ab53f263b59fdd8dc2d60ad4","https://git.kernel.org/stable/c/34cab94f7473e7b09f5205d4583fb5096cb63b5b","https://git.kernel.org/stable/c/43464808669ba9d23996f0b6d875450191687caf","https://git.kernel.org/stable/c/bbf950a6e96a91cf8cf0c71117b94ed3fafc9dd3","https://git.kernel.org/stable/c/d380ce70058a4ccddc3e5f5c2063165dc07672c6","https://git.kernel.org/stable/c/d623fd5298d95b65d27ef5a618ebf39541074856","https://git.kernel.org/stable/c/f9055fa2b2931261d5f89948ee5bc315b6a22d4a","https://git.kernel.org/stable/c/0866afaff19d8460308b022345ed116a12b1d0e1","https://git.kernel.org/stable/c/16d71319e29d5825ab53f263b59fdd8dc2d60ad4","https://git.kernel.org/stable/c/34cab94f7473e7b09f5205d4583fb5096cb63b5b","https://git.kernel.org/stable/c/43464808669ba9d23996f0b6d875450191687caf","https://git.kernel.org/stable/c/bbf950a6e96a91cf8cf0c71117b94ed3fafc9dd3","https://git.kernel.org/stable/c/d380ce70058a4ccddc3e5f5c2063165dc07672c6","https://git.kernel.org/stable/c/d623fd5298d95b65d27ef5a618ebf39541074856","https://git.kernel.org/stable/c/f9055fa2b2931261d5f89948ee5bc315b6a22d4a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27412","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx-i2c: Do not free non existing IRQ\n\nThe bq27xxx i2c-client may not have an IRQ, in which case\nclient->irq will be 0. 
bq27xxx_battery_i2c_probe() already has\nan if (client->irq) check wrapping the request_threaded_irq().\n\nBut bq27xxx_battery_i2c_remove() unconditionally calls\nfree_irq(client->irq) leading to:\n\n[  190.310742] ------------[ cut here ]------------\n[  190.310843] Trying to free already-free IRQ 0\n[  190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310\n\nFollowed by a backtrace when unbinding the driver. Add\nan if (client->irq) to bq27xxx_battery_i2c_remove() mirroring\nprobe() to fix this.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.05376,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/083686474e7c97b0f8b66df37fcb64e432e8b771","https://git.kernel.org/stable/c/2df70149e73e79783bcbc7db4fa51ecef0e2022c","https://git.kernel.org/stable/c/7394abc8926adee6a817bab10797e0adc898af77","https://git.kernel.org/stable/c/cefe18e9ec84f8fe3e198ccebb815cc996eb9797","https://git.kernel.org/stable/c/d4d813c0a14d6bf52d810a55db06a2e7e3d98eaa","https://git.kernel.org/stable/c/d7acc4a569f5f4513120c85ea2b9f04909b7490f","https://git.kernel.org/stable/c/e601ae81910ce6a3797876e190a2d8ef6cf828bc","https://git.kernel.org/stable/c/fbca8bae1ba79d443a58781b45e92a73a24ac8f8","https://git.kernel.org/stable/c/083686474e7c97b0f8b66df37fcb64e432e8b771","https://git.kernel.org/stable/c/2df70149e73e79783bcbc7db4fa51ecef0e2022c","https://git.kernel.org/stable/c/7394abc8926adee6a817bab10797e0adc898af77","https://git.kernel.org/stable/c/cefe18e9ec84f8fe3e198ccebb815cc996eb9797","https://git.kernel.org/stable/c/d4d813c0a14d6bf52d810a55db06a2e7e3d98eaa","https://git.kernel.org/stable/c/d7acc4a569f5f4513120c85ea2b9f04909b7490f","https://git.kernel.org/stable/c/e601ae81910ce6a3797876e190a2d8ef6cf828bc","https://git.kernel.org/stable/c/fbca8bae1ba79d443a58781b45e92a73a24ac8f8","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.o
rg/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27413","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect allocation size\n\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\n\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\n\nUse the correct type instead here.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00024,"ranking_epss":0.06359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b","https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66dfde68492","https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050","https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64","https://git.kernel.org/stable/c/62a5dcd9bd3097e9813de62fa6f22815e84a0172","https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd","https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f","https://git.kernel.org/stable/c/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e","https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b","https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66dfde68492","https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050","https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64","https://git.kernel.org/stable/c/62a5dcd9bd3097e9813de62fa6f22815e84a0172","https://git.kernel.org/stable/c/950d4d74d311
a18baed6878dbfba8180d7e5dddd","https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f","https://git.kernel.org/stable/c/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27414","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back\n\nIn the commit d73ef2d69c0d (\"rtnetlink: let rtnl_bridge_setlink checks\nIFLA_BRIDGE_MODE length\"), an adjustment was made to the old loop logic\nin the function `rtnl_bridge_setlink` to enable the loop to also check\nthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustment\nremoved the `break` statement and led to an error logic of the flags\nwriting back at the end of this function.\n\nif (have_flags)\n    memcpy(nla_data(attr), &flags, sizeof(flags));\n    // attr should point to IFLA_BRIDGE_FLAGS NLA !!!\n\nBefore the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.\nHowever, this is not necessarily true fow now as the updated loop will let\nthe attr point to the last NLA, even an invalid NLA which could cause\noverflow writes.\n\nThis patch introduces a new variable `br_flag` to save the NLA pointer\nthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned\nerror 
logic.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/167d8642daa6a44b51de17f8ff0f584e1e762db7","https://git.kernel.org/stable/c/743ad091fb46e622f1b690385bb15e3cd3daf874","https://git.kernel.org/stable/c/831bc2728fb48a8957a824cba8c264b30dca1425","https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef02c5125","https://git.kernel.org/stable/c/a1227b27fcccc99dc44f912b479e01a17e2d7d31","https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f","https://git.kernel.org/stable/c/f2261eb994aa5757c1da046b78e3229a3ece0ad9","https://git.kernel.org/stable/c/167d8642daa6a44b51de17f8ff0f584e1e762db7","https://git.kernel.org/stable/c/743ad091fb46e622f1b690385bb15e3cd3daf874","https://git.kernel.org/stable/c/831bc2728fb48a8957a824cba8c264b30dca1425","https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef02c5125","https://git.kernel.org/stable/c/a1227b27fcccc99dc44f912b479e01a17e2d7d31","https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f","https://git.kernel.org/stable/c/f2261eb994aa5757c1da046b78e3229a3ece0ad9","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-17T12:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27410","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt's currently possible to change the mesh ID when the\ninterface isn't yet in mesh mode, at the same time as\nchanging it into mesh mode. 
This leads to an overwrite\nof data in the wdev->u union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere's no userspace that's going to do this, so just\ndisallow changes in iftype when setting mesh ID.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01763,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df","https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2","https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838","https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e","https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995","https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9","https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df","https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2","https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980","https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838","https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d","https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27405","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\n\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at 
some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\n\nAdding a few custom traces showed the following:\n[002] d..1  7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1  7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\n\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\n\nSame is case with packets of size 2048:\n[002] d..1  7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1  7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\n\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\n\n Transfer 2959 - Bytes Transferred(1025)  Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n       Data(1024 bytes)\n       Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n       Data(1 byte)\n       Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\n\nAccording to Windows driver, no ZLP is needed 
if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00148,"ranking_epss":0.35305,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/059285e04ebb273d32323fbad5431c5b94f77e48","https://git.kernel.org/stable/c/2b7ec68869d50ea998908af43b643bca7e54577e","https://git.kernel.org/stable/c/2cb66b62a5d64ccf09b0591ab86fb085fa491fc5","https://git.kernel.org/stable/c/35b604a37ec70d68b19dafd10bbacf1db505c9ca","https://git.kernel.org/stable/c/57ca0e16f393bb21d69734e536e383a3a4c665fd","https://git.kernel.org/stable/c/76c51146820c5dac629f21deafab0a7039bc3ccd","https://git.kernel.org/stable/c/a31cf46d108dabce3df80b3e5c07661e24912151","https://git.kernel.org/stable/c/c7f43900bc723203d7554d299a2ce844054fab8e","https://git.kernel.org/stable/c/059285e04ebb273d32323fbad5431c5b94f77e48","https://git.kernel.org/stable/c/2b7ec68869d50ea998908af43b643bca7e54577e","https://git.kernel.org/stable/c/2cb66b62a5d64ccf09b0591ab86fb085fa491fc5","https://git.kernel.org/stable/c/35b604a37ec70d68b19dafd10bbacf1db505c9ca","https://git.kernel.org/stable/c/57ca0e16f393bb21d69734e536e383a3a4c665fd","https://git.kernel.org/stable/c/76c51146820c5dac629f21deafab0a7039bc3ccd","https://git.kernel.org/stable/c/a31cf46d108dabce3df80b3e5c07661e24912151","https://git.kernel.org/stable/c/c7f43900bc723203d7554d299a2ce844054fab8e","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-17T12:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3044","summary":"
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.02355,"ranking_epss":0.84852,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4/","https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044","https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4/","https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044"],"published_time":"2024-05-14T21:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-32465","summary":"Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. 
As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"epss":0.00155,"ranking_epss":0.36301,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/05/14/2","https://git-scm.com/docs/git#_security","https://git-scm.com/docs/git-clone","https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7","https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","http://www.openwall.com/lists/oss-security/2024/05/14/2","https://git-scm.com/docs/git#_security","https://git-scm.com/docs/git-clone","https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7","https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"],"published_time":"2024-05-14T20:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-32021","summary":"Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. 
When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.","cvss":3.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.9,"epss":0.00021,"ranking_epss":0.05519,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/05/14/2","https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","http://www.openwall.com/lists/oss-security/2024/05/14/2","https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"],"published_time":"2024-05-14T20:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-32004","summary":"Git is a revision control system. 
Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.02631,"ranking_epss":0.85623,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/05/14/2","https://git-scm.com/docs/git-clone","https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8","https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","http://www.openwall.com/lists/oss-security/2024/05/14/2","https://git-scm.com/docs/git-clone","https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8","https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389","https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"],"published_time":"2024-05-14T19:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4777","summary":"Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.00656,"ranking_epss":0.70961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/buglist.cgi?bug_id=1878199%2C1893340","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/","https://bugzilla.mozilla.org/buglist.cgi?bug_id=1878199%2C1893340","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/"],"published_time":"2024-05-14T18:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4768","summary":"A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. 
This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"epss":0.00706,"ranking_epss":0.72113,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1886082","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/","https://bugzilla.mozilla.org/show_bug.cgi?id=1886082","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/"],"published_time":"2024-05-14T18:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4769","summary":"When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses.  This could have been abused to learn information cross-origin. 
This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.0083,"ranking_epss":0.74488,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1886108","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/","https://bugzilla.mozilla.org/show_bug.cgi?id=1886108","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/"],"published_time":"2024-05-14T18:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4767","summary":"If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. 
This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"epss":0.00872,"ranking_epss":0.75176,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1878577","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/","https://bugzilla.mozilla.org/show_bug.cgi?id=1878577","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/"],"published_time":"2024-05-14T18:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-4367","summary":"A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. 
This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"epss":0.34613,"ranking_epss":0.96984,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1893645","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/","http://seclists.org/fulldisclosure/2024/Aug/30","https://bugzilla.mozilla.org/show_bug.cgi?id=1893645","https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/","https://github.com/gogs/gogs/issues/7928","https://github.com/mozilla/pdf.js/releases/tag/v4.2.67","https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html","https://www.exploit-db.com/exploits/52273","https://www.mozilla.org/security/advisories/mfsa2024-21/","https://www.mozilla.org/security/advisories/mfsa2024-22/","https://www.mozilla.org/security/advisories/mfsa2024-23/"],"published_time":"2024-05-14T18:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27401","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. 
Helps prevent user space overflows.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"epss":8e-05,"ranking_epss":0.00657,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa","https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98","https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f","https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c","https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285","https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b","https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239","https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb","https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa","https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98","https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f","https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c","https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285","https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b","https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239","https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"],"published_time":"2024-05-14T15:12:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27398","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? 
kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 
pincount:0\n[   95.890755] ano\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0071,"ranking_epss":0.7218,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2","https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249","https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014","https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53","https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546","https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178","https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5","https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93","http://www.openwall.com/lists/oss-security/2024/11/29/1","http://www.openwall.com/lists/oss-security/2024/11/30/1","http://www.openwall.com/lists/oss-security/2024/11/30/2","https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2","https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249","https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014","https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53","https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546","https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178","https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5","https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/","https:
//security.netapp.com/advisory/ntap-20240912-0012/"],"published_time":"2024-05-14T15:12:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27399","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  <TASK>\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? 
kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  </TASK>\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  <TASK>\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? 
mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01335,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c","https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9","https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33","https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0","https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c","https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae","https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79","https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4","https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c","https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9","https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33","https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0","https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c","https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae","https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79","https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/","https://lists.fedoraproject.org/a
rchives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/","https://security.netapp.com/advisory/ntap-20240926-0001/"],"published_time":"2024-05-14T15:12:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27395","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.02805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994","https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3","https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424","https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2","https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4","https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1","https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137","https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865","https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994","https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3","https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424","https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2","https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4","https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1","https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a
29e4501882235137","https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-14T15:12:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27396","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58","https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd","https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29","https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6","https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07","https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7","https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474","https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64","https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58","https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd","https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29","https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6","https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07","https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac
7","https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474","https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-14T15:12:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52656","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: drop any code related to SCM_RIGHTS\n\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01523,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb","https://git.kernel.org/stable/c/6fc19b3d8a45ff0e5d50ec8184cee1d5eac1a8ba","https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89","https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b","https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02","https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3","https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4","https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb","https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89","https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b","https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02","https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3","https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-14T14:23:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-34397","summary":"An issue was discovered 
in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.","cvss":5.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.2,"epss":0.0019,"ranking_epss":0.40881,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/glib/-/issues/3268","https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/","https://security.netapp.com/advisory/ntap-20240531-0008/","https://www.openwall.com/lists/oss-security/2024/05/07/5","https://gitlab.gnome.org/GNOME/glib/-/issues/3268","https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr
oject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/","https://security.netapp.com/advisory/ntap-20240531-0008/","https://www.openwall.com/lists/oss-security/2024/05/07/5"],"published_time":"2024-05-07T18:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-33599","summary":"nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  
This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.00624,"ranking_epss":0.70102,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0011/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005","http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0011/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005"],"published_time":"2024-05-06T20:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-33600","summary":"nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  
This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.00225,"ranking_epss":0.4522,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0013/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006","http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0013/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006"],"published_time":"2024-05-06T20:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-33601","summary":"nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  
The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"epss":0.00104,"ranking_epss":0.28523,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0014/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007","http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0014/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007"],"published_time":"2024-05-06T20:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-33602","summary":"nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd 
binary.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"epss":0.0045,"ranking_epss":0.63607,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0012/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008","http://www.openwall.com/lists/oss-security/2024/07/22/5","https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html","https://security.netapp.com/advisory/ntap-20240524-0012/","https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008"],"published_time":"2024-05-06T20:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-34069","summary":"Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. 
This vulnerability is fixed in 3.0.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.38929,"ranking_epss":0.97247,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692","https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/","https://security.netapp.com/advisory/ntap-20240614-0004/","https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692","https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985","https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/","https://security.netapp.com/advisory/ntap-20240614-0004/"],"published_time":"2024-05-06T15:15:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-34508","summary":"dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE 
message.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"epss":0.00069,"ranking_epss":0.2136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5","https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://support.dcmtk.org/redmine/issues/1114","https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5","https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html","https://support.dcmtk.org/redmine/issues/1114"],"published_time":"2024-05-05T20:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-34509","summary":"dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.00113,"ranking_epss":0.29949,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5","https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://support.dcmtk.org/redmine/issues/1114","https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5","https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html","https://support.dcmtk.org/redmine/issues/1114"],"published_time":"2024-05-05T20:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27073","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ttpci: fix two memleaks in budget_av_attach\n\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. 
Besides, there are two fixme comment refers to\nsuch deallocations.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1597cd1a88cfcdc4bf8b1b44cd458fed9a5a5d63","https://git.kernel.org/stable/c/24e51d6eb578b82ff292927f14b9f5ec05a46beb","https://git.kernel.org/stable/c/55ca0c7eae8499bb96f4e5d9b26af95e89c4e6a0","https://git.kernel.org/stable/c/656b8cc123d7635dd399d9f02594f27aa797ac3c","https://git.kernel.org/stable/c/7393c681f9aa05ffe2385e8716989565eed2fe06","https://git.kernel.org/stable/c/910363473e4bf97da3c350e08d915546dd6cc30b","https://git.kernel.org/stable/c/af37aed04997e644f7e1b52b696b62dcae3cc016","https://git.kernel.org/stable/c/d0b07f712bf61e1a3cf23c87c663791c42e50837","https://git.kernel.org/stable/c/1597cd1a88cfcdc4bf8b1b44cd458fed9a5a5d63","https://git.kernel.org/stable/c/24e51d6eb578b82ff292927f14b9f5ec05a46beb","https://git.kernel.org/stable/c/55ca0c7eae8499bb96f4e5d9b26af95e89c4e6a0","https://git.kernel.org/stable/c/656b8cc123d7635dd399d9f02594f27aa797ac3c","https://git.kernel.org/stable/c/7393c681f9aa05ffe2385e8716989565eed2fe06","https://git.kernel.org/stable/c/910363473e4bf97da3c350e08d915546dd6cc30b","https://git.kernel.org/stable/c/af37aed04997e644f7e1b52b696b62dcae3cc016","https://git.kernel.org/stable/c/d0b07f712bf61e1a3cf23c87c663791c42e50837","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27074","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: go7007: fix a memleak in go7007_load_encoder\n\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. 
After the following call chain:\n\nsaa7134_go7007_init\n  |-> go7007_boot_encoder\n        |-> go7007_load_encoder\n  |-> kfree(go)\n\ngo is freed and thus bounce is leaked.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00585,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159","https://git.kernel.org/stable/c/7405a0d4442792988e9ae834e7d84f9d163731a4","https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3","https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5","https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073","https://git.kernel.org/stable/c/b9b683844b01d171a72b9c0419a2d760d946ee12","https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96cd78661","https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3","https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975","https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159","https://git.kernel.org/stable/c/7405a0d4442792988e9ae834e7d84f9d163731a4","https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3","https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5","https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073","https://git.kernel.org/stable/c/b9b683844b01d171a72b9c0419a2d760d946ee12","https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96cd78661","https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3","https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27075","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nmedia: dvb-frontends: avoid stack overflow warnings with clang\n\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\n\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\n\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.02676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/107052a8cfeff3a97326277192b4f052e4860a8a","https://git.kernel.org/stable/c/7a4cf27d1f0538f779bf31b8c99eda394e277119","https://git.kernel.org/stable/c/8fad9c5bb00d3a9508d18bbfe832e33a47377730","https://git.kernel.org/stable/c/c073c8cede5abd3836e83d70d72606d11d0759d4","https://git.kernel.org/stable/c/d20b64f156de5d10410963fe238d82a4e7e97a2f","https://git.kernel.org/stable/c/d6b4895197ab5a47cb81c6852d49320b05052960","https://git.kernel.org/stable/c/ed514ecf4f29c80a2f09ae3c877059b401efe893","https://git.kernel.org/stable/c/fa8b472952ef46eb632825051078c21ce0cafe55","https://git.kernel.org/stable/c/fb07104a02e87c06c39914d13ed67fd8f839ca82","https://git.kernel.org/stable/c/107052a8cfeff3a97326277192b4f052e4860a8a","https://git.kernel.org/stable/c/7a4cf27d1f0538f779bf31b8c99eda394e277119","https://git.kernel.org/stable/c/8fad9c5bb00d3a9508d18bbfe832e33a47377730","https://git.kernel.org/stable/c/c073c8cede5abd3836e83d70d72606d11d0759d4","https://git.kernel.org/stable/c/d20b64f156de5d10410963fe238d82a4e7e97a2f","https://git.kernel.org/stable/c/d6b4895197ab5a47cb81c6852d49320b05052960","https://git.kernel.org/stable/c/ed514ecf4f29c8
0a2f09ae3c877059b401efe893","https://git.kernel.org/stable/c/fa8b472952ef46eb632825051078c21ce0cafe55","https://git.kernel.org/stable/c/fb07104a02e87c06c39914d13ed67fd8f839ca82","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27076","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx: csc/scaler: fix v4l2_ctrl_handler memory leak\n\nFree the memory allocated in v4l2_ctrl_handler_init on release.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/42492b00156c03a79fd4851190aa63045d6a15ce","https://git.kernel.org/stable/c/4797a3dd46f220e6d83daf54d70c5b33db6deb01","https://git.kernel.org/stable/c/5d9fe604bf9b5b09d2215225df55f22a4cbbc684","https://git.kernel.org/stable/c/6c92224721a439d6350db5933a1060768dcd565e","https://git.kernel.org/stable/c/8c2e4efe1278cd2b230cdbf90a6cefbf00acc282","https://git.kernel.org/stable/c/8df9a3c7044b847e9c4dc7e683fd64c6b873f328","https://git.kernel.org/stable/c/b1d0eebaf87cc9ccd05f779ec4a0589f95d6c18b","https://git.kernel.org/stable/c/d164ddc21e986dd9ad614b4b01746e5457aeb24f","https://git.kernel.org/stable/c/42492b00156c03a79fd4851190aa63045d6a15ce","https://git.kernel.org/stable/c/4797a3dd46f220e6d83daf54d70c5b33db6deb01","https://git.kernel.org/stable/c/5d9fe604bf9b5b09d2215225df55f22a4cbbc684","https://git.kernel.org/stable/c/6c92224721a439d6350db5933a1060768dcd565e","https://git.kernel.org/stable/c/8c2e4efe1278cd2b230cdbf90a6cefbf00acc282","https://git.kernel.org/stable/c/8df9a3c7044b847e9c4dc7e683fd64c6b873f328","https://git.kernel.org/stable/c/b1d0eebaf87cc9ccd05f779ec4a0589f95d6c18b","https://git.kernel.org/stable/c/d164ddc21e986dd9ad614b4b01746e5457
aeb24f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27077","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\n\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.01974,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0175f2d34c85744f9ad6554f696cf0afb5bd04e4","https://git.kernel.org/stable/c/0c9550b032de48d6a7fa6a4ddc09699d64d9300d","https://git.kernel.org/stable/c/3dd8abb0ed0e0a7c66d6d677c86ccb188cc39333","https://git.kernel.org/stable/c/5dc319cc3c4f7b74f7dfba349aa26f87efb52458","https://git.kernel.org/stable/c/8f94b49a5b5d386c038e355bef6347298aabd211","https://git.kernel.org/stable/c/90029b9c979b60de5cb2b70ade4bbf61d561bc5d","https://git.kernel.org/stable/c/9c23ef30e840fedc66948299509f6c2777c9cf4f","https://git.kernel.org/stable/c/afd2a82fe300032f63f8be5d6cd6981e75f8bbf2","https://git.kernel.org/stable/c/dc866b69cc51af9b8509b4731b8ce2a4950cd0ef","https://git.kernel.org/stable/c/0175f2d34c85744f9ad6554f696cf0afb5bd04e4","https://git.kernel.org/stable/c/0c9550b032de48d6a7fa6a4ddc09699d64d9300d","https://git.kernel.org/stable/c/3dd8abb0ed0e0a7c66d6d677c86ccb188cc39333","https://git.kernel.org/stable/c/5dc319cc3c4f7b74f7dfba349aa26f87efb52458","https://git.kernel.org/stable/c/8f94b49a5b5d386c038e355bef6347298aabd211","https://git.kernel.org/stable/c/90029b9c979b60de5cb2b70ade4bbf61d561bc5d","https://git.kernel.org/stable/c/9c23ef30e840fedc66948299509f6c2777c9cf4f","https://git.kernel.org/stable/c/afd2a82fe300032f63f8be5d6cd6981e75f8bbf2","https://git.kerne
l.org/stable/c/dc866b69cc51af9b8509b4731b8ce2a4950cd0ef","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27388","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix some memleaks in gssx_dec_option_array\n\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00701,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3cfcfc102a5e57b021b786a755a38935e357797d","https://git.kernel.org/stable/c/5e6013ae2c8d420faea553d363935f65badd32c3","https://git.kernel.org/stable/c/934212a623cbab851848b6de377eb476718c3e4c","https://git.kernel.org/stable/c/9806c2393cd2ab0a8e7bb9ffae02ce20e3112ec4","https://git.kernel.org/stable/c/996997d1fb2126feda550d6adcedcbd94911fc69","https://git.kernel.org/stable/c/b97c37978ca825557d331c9012e0c1ddc0e42364","https://git.kernel.org/stable/c/bb336cd8d5ecb69c430ebe3e7bcff68471d93fa8","https://git.kernel.org/stable/c/bfa9d86d39a0fe4685f90c3529aa9bd62a9d97a8","https://git.kernel.org/stable/c/dd292e884c649f9b1c18af0ec75ca90b390cd044","https://git.kernel.org/stable/c/3cfcfc102a5e57b021b786a755a38935e357797d","https://git.kernel.org/stable/c/5e6013ae2c8d420faea553d363935f65badd32c3","https://git.kernel.org/stable/c/934212a623cbab851848b6de377eb476718c3e4c","https://git.kernel.org/stable/c/9806c2393cd2ab0a8e7bb9ffae02ce20e3112ec4","https://git.kernel.org/stable/c/996997d1fb2126feda550d6adcedcbd94911fc69","https://git.kernel.org/stable/c/b97c37978ca825557d331c9012e0c1ddc0e42364","https://git.kernel.org/stable/c/bb336cd8d5ecb69c430ebe3e7bcff68471d93fa8","https://git.kernel.org/st
able/c/bfa9d86d39a0fe4685f90c3529aa9bd62a9d97a8","https://git.kernel.org/stable/c/dd292e884c649f9b1c18af0ec75ca90b390cd044","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27052","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work\n\nThe workqueue might still be running, when the driver is stopped. To\navoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"epss":0.00011,"ranking_epss":0.01413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e45b1361","https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e","https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e","https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a","https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707","https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59","https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4","https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e45b1361","https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e","https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e","https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a","https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707","https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59","https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:50","vendor":null,"p
roduct":null,"version":null},{"cve_id":"CVE-2024-27053","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix RCU usage in connect path\n\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\n\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\n\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference an RCU pointer without being in an RCU\ncritical section.\nFix RCU dereference usage by moving it to an RCU read critical section. 
To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"epss":0.00125,"ranking_epss":0.31908,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f","https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce","https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de","https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2","https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38","https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2","https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7","https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2","https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f","https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce","https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de","https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2","https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38","https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2","https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7","https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27059","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for 
READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49","https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133","https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636","https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964","https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325","https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34","https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f","https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa","https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49","https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133","https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636","https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964","https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325","https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34","https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f","https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa","https://lists.debian.org/
debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27065","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not compare internal table flags on updates\n\nRestore skipping transaction if table update does not modify flags.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.02805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2531f907d3e40a6173090f10670ae76d117ab27b","https://git.kernel.org/stable/c/3443e57654f90c9a843ab6a6040c10709fd033aa","https://git.kernel.org/stable/c/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139","https://git.kernel.org/stable/c/4d37f12707ee965d338028732575f0b85f6d9e4f","https://git.kernel.org/stable/c/640dbf688ba955e83e03de84fbdda8e570b7cce4","https://git.kernel.org/stable/c/845083249d6a392f3a88804e1669bdb936ee129f","https://git.kernel.org/stable/c/9683cb6c2c6c0f45537bf0b8868b5d38fcb63fc7","https://git.kernel.org/stable/c/df257c435e51651c43b86326d112ddadda76350e","https://git.kernel.org/stable/c/fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005","https://git.kernel.org/stable/c/2531f907d3e40a6173090f10670ae76d117ab27b","https://git.kernel.org/stable/c/3443e57654f90c9a843ab6a6040c10709fd033aa","https://git.kernel.org/stable/c/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139","https://git.kernel.org/stable/c/4d37f12707ee965d338028732575f0b85f6d9e4f","https://git.kernel.org/stable/c/640dbf688ba955e83e03de84fbdda8e570b7cce4","https://git.kernel.org/stable/c/845083249d6a392f3a88804e1669bdb936ee129f","https://git.kernel.org/stable/c/9683cb6c2c6c0f45537bf0b8868b5d38fcb63fc7","https://git.kernel.org/stable/c/df257c435e51651c43b86326d112ddadda76350e","https://git.kernel.org/stable/c/fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005","https://lists.debian.org/debia
n-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27028","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\n\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\n\nAdd a check to trans->tx_buf before using it.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.0018,"ranking_epss":0.39639,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1784053cf10a14c4ebd8a890bad5cfe1bee51713","https://git.kernel.org/stable/c/2342b05ec5342a519e00524a507f7a6ea6791a38","https://git.kernel.org/stable/c/55f8ea6731aa64871ee6aef7dba53ee9f9f3b2f6","https://git.kernel.org/stable/c/62b1f837b15cf3ec2835724bdf8577e47d14c753","https://git.kernel.org/stable/c/766ec94cc57492eab97cbbf1595bd516ab0cb0e4","https://git.kernel.org/stable/c/a20ad45008a7c82f1184dc6dee280096009ece55","https://git.kernel.org/stable/c/bcfcdf19698024565eff427706ebbd8df65abd11","https://git.kernel.org/stable/c/bea82355df9e1c299625405b1947fc9b26b4c6d4","https://git.kernel.org/stable/c/c10fed329c1c104f375a75ed97ea3abef0786d62","https://git.kernel.org/stable/c/1784053cf10a14c4ebd8a890bad5cfe1bee51713","https://git.kernel.org/stable/c/2342b05ec5342a519e00524a507f7a6ea6791a38","https://git.kernel.org/stable/c/55f8ea6731aa64871ee6aef7dba53ee9f9f3b2f6","https://git.kernel.org/stable/c/62b1f837b15cf3ec2835724bdf8577e47d14c753","https://git.kernel.org/stable/c/766ec94cc57492eab97cbbf1595bd516ab0cb0e4","https://git.kernel.org/stable/c/a20ad45008a7c82f1184dc6dee280096009ece55","https://git.kernel.org/stable/c/bcfcdf19698024565eff427706ebbd8df65abd11","https://git.kernel.org/stable/c/bea82355df9e1c299625405b1947fc9b26b4c6d4","https://git.kernel.org/stable/c/c10fed329c1c104f375a75ed97ea3abef07
86d62","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27030","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Use separate handlers for interrupts\n\nFor PF to AF interrupt vector and VF to AF vector same\ninterrupt handler is registered which is causing race condition.\nWhen two interrupts are raised to two CPUs at same time\nthen two cores serve same event corrupting the data.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"epss":9e-05,"ranking_epss":0.00897,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29d2550d79a8cbd31e0fbaa5c0e2a2efdc444e44","https://git.kernel.org/stable/c/4fedae8f9eafa2ac8cdaca58e315f52a7e2a8701","https://git.kernel.org/stable/c/50e60de381c342008c0956fd762e1c26408f372c","https://git.kernel.org/stable/c/766c2627acb2d9d1722cce2e24837044d52d888a","https://git.kernel.org/stable/c/772f18ded0e240cc1fa2b7020cc640e3e5c32b70","https://git.kernel.org/stable/c/94cb17e5cf3a3c484063abc0ce4b8a2b2e8c1cb2","https://git.kernel.org/stable/c/ad6759e233db6fcc131055f8e23b4eafbe81053c","https://git.kernel.org/stable/c/dc29dd00705a62c77de75b6d752259b869aac49d","https://git.kernel.org/stable/c/29d2550d79a8cbd31e0fbaa5c0e2a2efdc444e44","https://git.kernel.org/stable/c/4fedae8f9eafa2ac8cdaca58e315f52a7e2a8701","https://git.kernel.org/stable/c/50e60de381c342008c0956fd762e1c26408f372c","https://git.kernel.org/stable/c/766c2627acb2d9d1722cce2e24837044d52d888a","https://git.kernel.org/stable/c/772f18ded0e240cc1fa2b7020cc640e3e5c32b70","https://git.kernel.org/stable/c/94cb17e5cf3a3c484063abc0ce4b8a2b2e8c1cb2","https://git.kernel.org/stable/c/ad6759e233db6fcc131055f8e23b4eafbe81053c","https://git.kernel.org/stable/c/dc29dd00705a62c77de75b6d752259b869aac49d","htt
ps://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27038","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_core_get NULL dereference\n\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\n\nclk_core_get()\n    of_clk_get_hw_from_clkspec()\n        __of_clk_get_hw_from_provider()\n            __clk_get_hw()\n\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw->core.\n\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\n\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\n\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0efb9ef6fb95384ba631d6819e66f10392aabfa2","https://git.kernel.org/stable/c/239174535dba11f7b83de0eaaa27909024f8c185","https://git.kernel.org/stable/c/6f073b24a9e2becd25ac4505a9780a87e621bb51","https://git.kernel.org/stable/c/a5d9b1aa61b401867b9066d54086b3e4ee91f8ed","https://git.kernel.org/stable/c/a8b2b26fdd011ebe36d68a9a321ca45801685959","https://git.kernel.org/stable/c/c554badcae9c45b737a22d23454170c6020b90e6","https://git.kernel.org/stable/c/d7ae7d1265686b55832a445b1db8cdd69738ac07","https://git.kernel.org/stable/c/e97fe4901e0f59a0bfd524578fe3768f8ca42428","https://git.kernel.org/stable/c/0efb9ef6fb95384ba631d6819e66f10392aabfa2","https://git.kernel.org/stable/c/239174535dba11f7b83de0eaaa27909024f8c185","https://git.kernel.org/stable/c/6f073b24a9e2becd25ac4505a9780a87e621bb51","https://git.kernel.org/stable/c/a5d9b
1aa61b401867b9066d54086b3e4ee91f8ed","https://git.kernel.org/stable/c/a8b2b26fdd011ebe36d68a9a321ca45801685959","https://git.kernel.org/stable/c/c554badcae9c45b737a22d23454170c6020b90e6","https://git.kernel.org/stable/c/d7ae7d1265686b55832a445b1db8cdd69738ac07","https://git.kernel.org/stable/c/e97fe4901e0f59a0bfd524578fe3768f8ca42428","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27044","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\n\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7","https://git.kernel.org/stable/c/29fde8895b2fcc33f44aea28c644ce2d9b62f9e0","https://git.kernel.org/stable/c/2d9fe7787af01188dc470a649bdbb842d6511fd7","https://git.kernel.org/stable/c/330caa061af53ea6d287d7c43d0703714e510e08","https://git.kernel.org/stable/c/6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb","https://git.kernel.org/stable/c/7874ab3105ca4657102fee1cc14b0af70883c484","https://git.kernel.org/stable/c/9ccfe80d022df7c595f1925afb31de2232900656","https://git.kernel.org/stable/c/e019d87e02f1e539ae48b99187f253847744ca7a","https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7","https://git.kernel.org/stable/c/29fde8895b2fcc33f44aea28c644ce2d9b62f9e0","https://git.kernel.org/stable/c/2d9fe7787af01188dc470a649bdbb842d6511fd7","https://
git.kernel.org/stable/c/330caa061af53ea6d287d7c43d0703714e510e08","https://git.kernel.org/stable/c/6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb","https://git.kernel.org/stable/c/7874ab3105ca4657102fee1cc14b0af70883c484","https://git.kernel.org/stable/c/9ccfe80d022df7c595f1925afb31de2232900656","https://git.kernel.org/stable/c/e019d87e02f1e539ae48b99187f253847744ca7a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52650","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\n\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3169eaf1365541fd8e521091010c44fbe14691fc","https://git.kernel.org/stable/c/47a13d0b9d8527518639ab5c39667f69d6203e80","https://git.kernel.org/stable/c/50c0ad785a780c72a2fdaba10b38c645ffb4eae6","https://git.kernel.org/stable/c/52aa507148c4aad41436e2005d742ffcafad9976","https://git.kernel.org/stable/c/92003981a6df5dc84af8a5904f8ee112fa324129","https://git.kernel.org/stable/c/93128052bf832359531c3c0a9e3567b2b8682a2d","https://git.kernel.org/stable/c/afe6fcb9775882230cd29b529203eabd5d2a638d","https://git.kernel.org/stable/c/c5d2342d24ef6e08fc90a529fe3dc59de421a2b9","https://git.kernel.org/stable/c/f05631a8525c3b5e5994ecb1304d2d878956c0f5","https://git.kernel.org/stable/c/3169eaf1365541fd8e521091010c44fbe14691fc","https://git.kernel.org/stable/c/47a13d0b9d8527518639ab5c39667f69d6203e80","https://git.kernel.org/stable/c/50c0ad785a780c72a2fdaba10b38c645ffb4eae6","https://git.kernel.org/stable/c/52aa507148c4aad41436e2005d742ffcafad9976","https://git.kernel.org/
stable/c/92003981a6df5dc84af8a5904f8ee112fa324129","https://git.kernel.org/stable/c/93128052bf832359531c3c0a9e3567b2b8682a2d","https://git.kernel.org/stable/c/afe6fcb9775882230cd29b529203eabd5d2a638d","https://git.kernel.org/stable/c/c5d2342d24ef6e08fc90a529fe3dc59de421a2b9","https://git.kernel.org/stable/c/f05631a8525c3b5e5994ecb1304d2d878956c0f5","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27024","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix WARNING in rds_conn_connect_if_down\n\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b505d05280739ce31d5708da840f42df827cb85","https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4","https://git.kernel.org/stable/c/907761307469adecb02461a14120e9a1812a5fb1","https://git.kernel.org/stable/c/997efea2bf3a4adb96c306b9ad6a91442237bf5b","https://git.kernel.org/stable/c/998fd719e6d6468b930ac0c44552ea9ff8b07b80","https://git.kernel.org/stable/c/9dfc15a10dfd44f8ff7f27488651cb5be6af83c2","https://git.kernel.org/stable/c/b562ebe21ed9adcf42242797dd6cb75beef12bf0","https://git.kernel.org/stable/c/c055fc00c07be1f0df7375ab0036cebd1106ed38","https://git.kernel.org/stable/c/2b505d05280739ce31d5708da840f42df827cb85","https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4","https://git.kernel.org/stable/c/907761307469adecb02461a14120e9a1812a5fb1","https://git.kernel.org/stable/c/997efea2bf3a4adb96c306b9ad6a91442237bf5b","https://git.kernel.org/stable/c/998fd719e6d6468b930ac0c44552ea9ff8b07b80","https://git.kernel.org/
stable/c/9dfc15a10dfd44f8ff7f27488651cb5be6af83c2","https://git.kernel.org/stable/c/b562ebe21ed9adcf42242797dd6cb75beef12bf0","https://git.kernel.org/stable/c/c055fc00c07be1f0df7375ab0036cebd1106ed38","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T13:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27025","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d","https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e","https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced","https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8","https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797","https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983","https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a","https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf","https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d","https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e","https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced","https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8","https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797","https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983","https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a","http
s://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T13:15:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27008","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00013,"ranking_epss":0.02077,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062","https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5","https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1","https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face","https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042","https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb","https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e","https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04","https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062","https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5","https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1","https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face","https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042","https://git.kernel.org/stable/c/
c2b97f26f081ceec3298151481687071075a25cb","https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e","https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27000","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. 
For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00014,"ranking_epss":0.02613,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37","https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a","https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270","https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495","https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026","https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad","https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37","https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86","https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37","https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a","https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270","https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495","https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026","https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f
5e1970ad","https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37","https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27001","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. 
While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.05926,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9","https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696","https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2","https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b","https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b","https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f","https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8","https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54","https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9","https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696","https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2","https://git.kernel.org/stable/c/a3b8ae7e9297dd45
3f2977b011c5bc75eb20e71b","https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b","https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f","https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8","https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27004","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n       Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0       state:D stack:    0 pid:    1 ppid:     0 flags:0x00000008\n Call trace:\n  __switch_to+0xf4/0x1f4\n  __schedule+0x418/0xb80\n  schedule+0x5c/0x10c\n  rpm_resume+0xe0/0x52c\n  rpm_resume+0x178/0x52c\n  __pm_runtime_resume+0x58/0x98\n  clk_pm_runtime_get+0x30/0xb0\n  clk_disable_unused_subtree+0x58/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused+0x4c/0xe4\n  do_one_initcall+0xcc/0x2d8\n  do_initcall_level+0xa4/0x148\n  do_initcalls+0x5c/0x9c\n  do_basic_setup+0x24/0x30\n  
kernel_init_freeable+0xec/0x164\n  kernel_init+0x28/0x120\n  ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n       Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0   state:D stack:    0 pid:    9 ppid:     2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n  __switch_to+0xf4/0x1f4\n  __schedule+0x418/0xb80\n  schedule+0x5c/0x10c\n  schedule_preempt_disabled+0x2c/0x48\n  __mutex_lock+0x238/0x488\n  __mutex_lock_slowpath+0x1c/0x28\n  mutex_lock+0x50/0x74\n  clk_prepare_lock+0x7c/0x9c\n  clk_core_prepare_lock+0x20/0x44\n  clk_prepare+0x24/0x30\n  clk_bulk_prepare+0x40/0xb0\n  mdss_runtime_resume+0x54/0x1c8\n  pm_generic_runtime_resume+0x30/0x44\n  __genpd_runtime_resume+0x68/0x7c\n  genpd_runtime_resume+0x108/0x1f4\n  __rpm_callback+0x84/0x144\n  rpm_callback+0x30/0x88\n  rpm_resume+0x1f4/0x52c\n  rpm_resume+0x178/0x52c\n  __pm_runtime_resume+0x58/0x98\n  __device_attach+0xe0/0x170\n  device_initial_probe+0x1c/0x28\n  bus_probe_device+0x3c/0x9c\n  device_add+0x644/0x814\n  mipi_dsi_device_register_full+0xe4/0x170\n  devm_mipi_dsi_device_register_full+0x28/0x70\n  ti_sn_bridge_probe+0x1dc/0x2c0\n  auxiliary_bus_probe+0x4c/0x94\n  really_probe+0xcc/0x2c8\n  __driver_probe_device+0xa8/0x130\n  driver_probe_device+0x48/0x110\n  __device_attach_driver+0xa4/0xcc\n  bus_for_each_drv+0x8c/0xd8\n  __device_attach+0xf8/0x170\n  device_initial_probe+0x1c/0x28\n  bus_probe_device+0x3c/0x9c\n  deferred_probe_work_func+0x9c/0xd8\n  process_one_work+0x148/0x518\n  worker_thread+0x138/0x350\n  kthread+0x138/0x1e0\n  ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). 
This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. 
Let's fix this immediate\nproblem that can be\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03349,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c","https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba","https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123","https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5","https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034","https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc","https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469","https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c","https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba","https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123","https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5","https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034","https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc","https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26994","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a 
console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00022,"ranking_epss":0.058,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8","https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76","https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222","https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f","https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595","https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f","https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c","https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1","https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8","https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76","https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222","https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f","https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595","https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f","https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c","https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/mes
sage/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26997","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: host: Fix dereference issue in DDMA completion flow.\n\nFixed variable dereference issue in DDMA completion flow.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00023,"ranking_epss":0.06233,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/257d313e37d66c3bcc87197fb5b8549129c45dfe","https://git.kernel.org/stable/c/26fde0ea40dda1b08fad3bc0a43f122f6dd8bddf","https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6","https://git.kernel.org/stable/c/75bf5e78b2a27cb1bca6fa826e3ab685015165e1","https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a","https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c","https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816","https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8","https://git.kernel.org/stable/c/257d313e37d66c3bcc87197fb5b8549129c45dfe","https://git.kernel.org/stable/c/26fde0ea40dda1b08fad3bc0a43f122f6dd8bddf","https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6","https://git.kernel.org/stable/c/75bf5e78b2a27cb1bca6fa826e3ab685015165e1","https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a","https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c","https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816","https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26999","summary":"In the 
Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove 
it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03341,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907","https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7","https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce","https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef","https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928","https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f","https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729","https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3","https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907","https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7","https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce","https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef","https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928","https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f","https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729","https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26988","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.0157,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4","https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a","https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9","https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea","https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8","https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034","https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4","https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a","https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9","https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea","https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8","https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26981","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied.  
Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.02852,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243","https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9","https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1","https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611","https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f","https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8","https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0","https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16","https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243","https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9","https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1","https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611","https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f","https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8","https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0","https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4
WW/"],"published_time":"2024-05-01T06:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26984","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS:  00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? 
__pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00015,"ranking_epss":0.03084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716","https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7","https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52","https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572","https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525","https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039","https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9","https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce","https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716","https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7","https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52","https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572","https://git.kernel.org/stable/c/a
019b44b1bc6ed224c46fb5f88a8a10dd116e525","https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039","https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9","https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-05-01T06:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26974","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. 
However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n  BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n  adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00037,"ranking_epss":0.11138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be","https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7","https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f","https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c","https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc","https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81","https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828","https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71","https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7","https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be","https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7","https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f","https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c","https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc","https://git.kernel.org/stable/c/8e81cd58aee14a4
70891733181a47d123193ba81","https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828","https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71","https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26976","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  
async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  
And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n        __kvm_vcpu_wake_up(vcpu);\n\n        mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  
Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":5e-05,"ranking_epss":0.0025,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157","https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750","https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb","https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac","https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98","https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5","https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff","https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b","https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264","https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157","https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750","https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb","https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac","https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98","https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5","https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff","https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b","https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26969","summary":"In the Linux 
kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.01974,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429","https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94","https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe","https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f","https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d","https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566","https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255","https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27","https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9","https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429","https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94","https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe","https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f","https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d","https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566","https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255","https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27","https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9","https://lists.debian.org/debian-lts-announce
/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26970","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00735,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52","https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb","https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6","https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b","https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d","https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d","https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198","https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52","https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb","https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6","https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b","https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d","https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d","https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:13","vendor":
null,"product":null,"version":null},{"cve_id":"CVE-2024-26973","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb","https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688","https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63","https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6","https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee","https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375","https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6","https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f","https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c","https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb","https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688","https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63","https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6","https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee","https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375","https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6","https://git.ke
rnel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f","https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26958","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? 
__btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  
With my patch the stress test has been running for\nseveral hours without popping.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01536,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af","https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab","https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3","https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5","https://git.kernel.org/stable/c/6cd3f13aaa62970b5169d990e936b2e96943bc6a","https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f","https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95","https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605","https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af","https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab","https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3","https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5","https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f","https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95","https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26960","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  
This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. 
Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":5e-05,"ranking_epss":0.00292,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e","https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b","https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e","https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e","https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b","https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e","https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26965","summary":"In the Linux kernel, the 
following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.03986,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060","https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589","https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362","https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089","https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194","https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95","https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f","https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2","https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96","https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060","https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589","https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362","https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089","https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194","https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95","https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f","https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2","https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96","https://lists.debian.org/debian-lts-announce/2024/06/ms
g00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26966","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00585,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99","https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9","https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2","https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8","https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38","https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03","https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f","https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d","https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0","https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99","https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9","https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2","https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8","https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38","https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03","https://git.kernel.org/stable/c/a09aecb6cb482de88301
c43bf00a6c8726c4d34f","https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d","https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26950","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5","https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068","https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5","https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f","https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996","https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37","https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47","https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5","https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068","https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5","https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f","https://git.kernel.org/stable/c/93bcc1752c69bb30
9f4d8cfaf960ef1faeb34996","https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37","https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26951","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n    echo \"Setting config...\"\n    ip link add dev wg0 type wireguard\n    wg setconf wg0 /big-config\n    (\n            while true; do\n                    echo \"Showing config...\"\n                    wg showconf wg0 > /dev/null\n            done\n    ) &\n    sleep 4\n    wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n    BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n    Read of size 8 at addr ffff88811956ec70 by task wg/59\n    CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x47/0x70\n     print_address_description.constprop.0+0x2c/0x380\n     print_report+0xab/0x250\n     kasan_report+0xba/0xf0\n     __lock_acquire+0x182a/0x1b20\n     lock_acquire+0x191/0x4b0\n     down_read+0x80/0x440\n     get_peer+0x140/0xcb0\n     
wg_get_device_dump+0x471/0x1130","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00018,"ranking_epss":0.04582,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04","https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d","https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4","https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87","https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b","https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac","https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a","https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04","https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d","https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4","https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87","https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b","https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac","https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26955","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently.  
If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.03986,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c","https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5","https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20","https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07","https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39","https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d","https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183","https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c","https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186","https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c","https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5","https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20","https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07","https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39","https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d","https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183","https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c","https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/
06/msg00020.html"],"published_time":"2024-05-01T06:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26956","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot.  Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block().  This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state.  This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above.  
Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00013,"ranking_epss":0.02129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84","https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7","https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4","https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e","https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713","https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35","https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb","https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba","https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862","https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84","https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7","https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4","https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e","https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713","https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35","https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb","https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba","https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26957","summary":"I
n the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  
__ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  
[<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484","https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c","https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd","https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058","https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55","https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6","https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca","https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d","https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000","https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484","https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c","https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd","https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058","https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55","https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6","https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca","https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d","https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26935","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the 
/proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. 
That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00517,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac","https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889","https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1","https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee","https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c","https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320","https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84","https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7","https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac","https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889","https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1","https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee","https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c","https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320","https://gi
t.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84","https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26937","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[  166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  166.210781] Dumping ftrace buffer:\n<0>[  166.210795] ---------------------------------\n...\n<0>[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[  167.302992] drm_fdin-1097      2d.s2. 
165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[  167.303534]   <idle>-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[  167.303806] kworker/-89       11..... 
165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  167.303811] ---------------------------------\n<4>[  167.304722] ------------[ cut here ]------------\n<2>[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[  16\n---truncated---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":6e-05,"ranking_epss":0.00415,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325","https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895","https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a","https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62","https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c","https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f","https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703","https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3","https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325","https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895","https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a","https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62","https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c","https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f","https://git.kernel
.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703","https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-05-01T06:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26931","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  __wake_up_common_lock+0x7c/0xc0\n  qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: 
qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n  ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n  ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n  ? worker_thread+0x1ce/0x390\n  ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n  ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n  ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n  ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull.  The failure to flush causes\nupper layer to start modifying scsi_cmnd.  When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. 
At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211","https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac","https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d","https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d","https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1","https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a","https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a","https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9","https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150","https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211","https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac","https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d","https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d","https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1","https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a","https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a","https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9","https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-05-01T06:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3096","summary":"In PHP  version 8.1.* 
before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.01069,"ranking_epss":0.7767,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/04/12/11","https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr","https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html","https://security.netapp.com/advisory/ntap-20240510-0010/","http://www.openwall.com/lists/oss-security/2024/04/12/11","https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr","https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/","https://security.netapp.com/advisory/ntap-20240510-0010/"],"published_time":"2024-04-29T04:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-48655","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Harden accesses to the reset domains\n\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\n\nAdd an internal consistency check before any such domains 
descriptors\naccesses.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.0005,"ranking_epss":0.15495,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1f08a1b26cfc53b7715abc46857c6023bb1b87de","https://git.kernel.org/stable/c/7184491fc515f391afba23d0e9b690caaea72daf","https://git.kernel.org/stable/c/8e65edf0d37698f7a6cb174608d3ec7976baf49e","https://git.kernel.org/stable/c/e9076ffbcaed5da6c182b144ef9f6e24554af268","https://git.kernel.org/stable/c/f2277d9e2a0d092c13bae7ee82d75432bb8b5108","https://git.kernel.org/stable/c/1f08a1b26cfc53b7715abc46857c6023bb1b87de","https://git.kernel.org/stable/c/7184491fc515f391afba23d0e9b690caaea72daf","https://git.kernel.org/stable/c/8e65edf0d37698f7a6cb174608d3ec7976baf49e","https://git.kernel.org/stable/c/e9076ffbcaed5da6c182b144ef9f6e24554af268","https://git.kernel.org/stable/c/f2277d9e2a0d092c13bae7ee82d75432bb8b5108","https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","https://security.netapp.com/advisory/ntap-20240912-0008/"],"published_time":"2024-04-28T13:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26928","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid 
UAF.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00017,"ranking_epss":0.04014,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88","https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1","https://git.kernel.org/stable/c/8f8718afd446cd4ea3b62bacc3eec09f8aae85ee","https://git.kernel.org/stable/c/a140224bcf87eb98a87b67ff4c6826c57e47b704","https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d","https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502","https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88","https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1","https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d","https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502","https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"],"published_time":"2024-04-28T12:15:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26923","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. 
Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. 
Inflight graph remains unaffected.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00012,"ranking_epss":0.0148,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3","https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f","https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51","https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9","https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423","https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c","https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009","https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51","https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3","https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f","https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51","https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9","https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423","https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c","https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009","https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-25T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26924","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: do not free live element\n\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern.  
Quoting Pablo:\n\n  add_elem(\"00000000\") timeout 100 ms\n  ...\n  add_elem(\"0000000X\") timeout 100 ms\n  del_elem(\"0000000X\") <---------------- delete one that was just added\n  ...\n  add_elem(\"00005000\") timeout 100 ms\n\n  1) nft_pipapo_remove() removes element 0000000X\n  Then, KASAN shows a splat.\n\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\n\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\n\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\n\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\n\nIn such case its possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\n\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\n\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\n\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\n\nv2: avoid uneeded temporary variable 
(Stefano)","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.00173,"ranking_epss":0.3867,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487","https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc","https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644","https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46","https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2","https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a","https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487","https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc","https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644","https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46","https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2","https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-04-25T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26925","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get 
the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01335,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27","https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494","https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428","https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30","https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae","https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1","https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139","https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27","https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494","https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428","https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30","https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae","https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1","https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-25T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26926","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. 
In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00158,"ranking_epss":0.36694,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc","https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc","https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12","https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c","https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76","https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40","https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15","https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc","https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc","https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12","https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c","https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76","https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40","https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-25T06:15:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-28130","summary":"An incorrect type conversion vulnerability exists in the 
DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.00141,"ranking_epss":0.34369,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957","https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html","https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html","https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957","https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1957"],"published_time":"2024-04-23T15:15:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26922","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common 
place.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.0126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d","https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284","https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75","https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2","https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa","https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d","https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee","https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9","https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d","https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284","https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75","https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2","https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa","https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d","https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee","https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"],"published_time":"2024-04-23T13:15:46","vendor":null,"product":null,"version":null},{"cve
_id":"CVE-2024-26917","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b","https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21","https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783","https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5","https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0","https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b","https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6","https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb","https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b","https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21","https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783","https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5","https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0","https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b","https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6","https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T16:15:08","ve
ndor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26906","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n  BUG: unable to handle page fault for address: ffffffffff600000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n  ......\n  Call Trace:\n   <TASK>\n   ? copy_from_kernel_nofault+0x6f/0x110\n   bpf_probe_read_kernel+0x1d/0x50\n   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n   trace_call_bpf+0xc5/0x1c0\n   perf_call_bpf_enter.isra.0+0x69/0xb0\n   perf_syscall_enter+0x13e/0x200\n   syscall_trace_enter+0x188/0x1c0\n   do_syscall_64+0xb5/0xe0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>\n  ......\n  ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. 
This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault().","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00485,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8","https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58","https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5","https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381","https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b","https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e","https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8","https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58","https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5","https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381","https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b","https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26883","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check on 32-bit arches\n\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. 
However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\n\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00011,"ranking_epss":0.01441,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0971126c8164abe2004b8536b49690a0d6005b0a","https://git.kernel.org/stable/c/15641007df0f0d35fa28742b25c2a7db9dcd6895","https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b24232f75c1d","https://git.kernel.org/stable/c/43f798b9036491fb014b55dd61c4c5c3193267d0","https://git.kernel.org/stable/c/7070b274c7866a4c5036f8d54fcaf315c64ac33a","https://git.kernel.org/stable/c/7a4b21250bf79eef26543d35bd390448646c536b","https://git.kernel.org/stable/c/ca1f06e72dec41ae4f76e7b1a8a97265447b46ae","https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3","https://git.kernel.org/stable/c/f06899582ccee09bd85d0696290e3eaca9aa042d","https://git.kernel.org/stable/c/0971126c8164abe2004b8536b49690a0d6005b0a","https://git.kernel.org/stable/c/15641007df0f0d35fa28742b25c2a7db9dcd6895","https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b24232f75c1d","https://git.kernel.org/stable/c/43f798b9036491fb014b55dd61c4c5c3193267d0","https://git.kernel.org/stable/c/7070b274c7866a4c5036f8d54fcaf315c64ac33a","https://git.kernel.org/stable/c/7a4b21250bf79eef26543d35bd390448646c536b","https://git.kernel.org/stable/c/ca1f06e72dec41ae4f76e7b1a8a97265447b46ae","https://git.kernel.org/stabl
e/c/d0e214acc59145ce25113f617311aa79dda39cb3","https://git.kernel.org/stable/c/f06899582ccee09bd85d0696290e3eaca9aa042d","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26889","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix possible buffer overflow\n\nstruct hci_dev_info has a fixed size name[8] field so in the event that\nhdev->name is bigger than that strcpy would attempt to write past its\nsize, so this fixes this problem by switching to use strscpy.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01262,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e845867b4e279eff0a19ade253390470e07e8a1","https://git.kernel.org/stable/c/2edce8e9a99dd5e4404259d52e754fdc97fb42c2","https://git.kernel.org/stable/c/54a03e4ac1a41edf8a5087bd59f8241b0de96d3d","https://git.kernel.org/stable/c/6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac","https://git.kernel.org/stable/c/81137162bfaa7278785b24c1fd2e9e74f082e8e4","https://git.kernel.org/stable/c/8c28598a2c29201d2ba7fc37539a7d41c264fb10","https://git.kernel.org/stable/c/a41c8efe659caed0e21422876bbb6b73c15b5244","https://git.kernel.org/stable/c/d47e6c1932cee02954ea588c9f09fd5ecefeadfc","https://git.kernel.org/stable/c/2e845867b4e279eff0a19ade253390470e07e8a1","https://git.kernel.org/stable/c/2edce8e9a99dd5e4404259d52e754fdc97fb42c2","https://git.kernel.org/stable/c/54a03e4ac1a41edf8a5087bd59f8241b0de96d3d","https://git.kernel.org/stable/c/68644bf5ec6baaff40fc39b3529c874bfda709bd","https://git.kernel.org/stable/c/6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac","https://git.kernel.org/stable/c/81137162bfaa7278785b24c1fd2e9e74f082e8e4","https://git.kernel.org/stable/c/8c28598a2c29201d2ba7fc37539a7d41
c264fb10","https://git.kernel.org/stable/c/a41c8efe659caed0e21422876bbb6b73c15b5244","https://git.kernel.org/stable/c/d47e6c1932cee02954ea588c9f09fd5ecefeadfc","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26894","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()\n\nAfter unregistering the CPU idle device, the memory associated with\nit is not freed, leading to a memory leak:\n\nunreferenced object 0xffff896282f6c000 (size 1024):\n  comm \"swapper/0\", pid 1, jiffies 4294893170\n  hex dump (first 32 bytes):\n    00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 8836a742):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffff9972f3b3>] acpi_processor_power_init+0xf3/0x1c0\n    [<ffffffff9972d263>] __acpi_processor_start+0xd3/0xf0\n    [<ffffffff9972d2bc>] acpi_processor_start+0x2c/0x50\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff9aee4acb>] acpi_processor_driver_init+0x3b/0xc0\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\n    [<ffffffff9ae7c4b0>] kernel_init_freeable+0x320/0x470\n    [<ffffffff99b231f6>] kernel_init+0x16/0x1b0\n    [<ffffffff99042e6d>] ret_from_fork+0x2d/0x50\n\nFix this by freeing the CPU idle device after unregistering 
it.","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"epss":6e-05,"ranking_epss":0.00437,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1cbaf4c793b0808532f4e7b40bc4be7cec2c78f2","https://git.kernel.org/stable/c/3d48e5be107429ff5d824e7f2a00d1b610d36fbc","https://git.kernel.org/stable/c/8d14a4d0afb49a5b8535d414c782bb334860e73e","https://git.kernel.org/stable/c/c2a30c81bf3cb9033fa9f5305baf7c377075e2e5","https://git.kernel.org/stable/c/cd5c2d0b09d5b6d3f0a7bbabe6761a4997e9dee9","https://git.kernel.org/stable/c/d351bcadab6caa6d8ce7159ff4b77e2da35c09fa","https://git.kernel.org/stable/c/e18afcb7b2a12b635ac10081f943fcf84ddacc51","https://git.kernel.org/stable/c/ea96bf3f80625cddba1391a87613356b1b45716d","https://git.kernel.org/stable/c/fad9bcd4d754cc689c19dc04d2c44b82c1a5d6c8","https://git.kernel.org/stable/c/1cbaf4c793b0808532f4e7b40bc4be7cec2c78f2","https://git.kernel.org/stable/c/3d48e5be107429ff5d824e7f2a00d1b610d36fbc","https://git.kernel.org/stable/c/8d14a4d0afb49a5b8535d414c782bb334860e73e","https://git.kernel.org/stable/c/c2a30c81bf3cb9033fa9f5305baf7c377075e2e5","https://git.kernel.org/stable/c/cd5c2d0b09d5b6d3f0a7bbabe6761a4997e9dee9","https://git.kernel.org/stable/c/d351bcadab6caa6d8ce7159ff4b77e2da35c09fa","https://git.kernel.org/stable/c/e18afcb7b2a12b635ac10081f943fcf84ddacc51","https://git.kernel.org/stable/c/ea96bf3f80625cddba1391a87613356b1b45716d","https://git.kernel.org/stable/c/fad9bcd4d754cc689c19dc04d2c44b82c1a5d6c8","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26895","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which 
can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n 
wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n  safely modify the list as we go through each element. For each element,\n  remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n  sure it is safe to free the corresponding vif too (through\n  unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] 
https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00015,"ranking_epss":0.03262,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9","https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447","https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208","https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb","https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f","https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c","https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1","https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9","https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447","https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208","https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb","https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f","https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c","https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26897","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. 
However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":5e-05,"ranking_epss":0.00229,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905","https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11","https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b","https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715","https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298","https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2","https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90","https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905","https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11","https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b","https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715","https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298","https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2","https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90","https:/
/lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26862","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -> 
0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":7e-05,"ranking_epss":0.00615,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37","https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd","https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97","https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0","https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97","https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560","https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234","https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5","https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37","https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd","https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97","https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0","https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97","https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560","https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234","https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26863","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in 
hsr_get_node()\n\nKMSAN reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n 
__sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\n\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/09e5cdbe2cc88c3c758927644a3eb02fac317209","https://git.kernel.org/stable/c/1ed222ca7396938eb1ab2d034f1ba0d8b00a7122","https://git.kernel.org/stable/c/39cc316fb3bc5e7c9dc5eed314fe510d119c6862","https://git.kernel.org/stable/c/7fb2d4d6bb1c85f7a23aace0ed6c86a95dea792a","https://git.kernel.org/stable/c/889ed056eae7fda85b769a9ab33c093379c45428","https://git.kernel.org/stable/c/97d2148ea435dff4b4e71817c9032eb321bcd37e","https://git.kernel.org/stable/c/a809bbfd0e503351d3051317288a70a4569a4949","https://git.kernel.org/stable/c/ddbec99f58571301679addbc022256970ca3eac6","https://git.kernel.org/stable/c/e3b2bfb8ff1810a537b2aa55ba906a6743ed120c","https://git.kernel.org/stable/c/09e5cdbe2cc88c3c758927644a3eb02fac317209","https://git.kernel.org/stable/c/1ed222ca7396938eb1ab2d034f1ba0d8b00a7122","https://git.kernel.org/stable/c/39cc316fb3bc5e7c9dc5eed314
fe510d119c6862","https://git.kernel.org/stable/c/7fb2d4d6bb1c85f7a23aace0ed6c86a95dea792a","https://git.kernel.org/stable/c/889ed056eae7fda85b769a9ab33c093379c45428","https://git.kernel.org/stable/c/97d2148ea435dff4b4e71817c9032eb321bcd37e","https://git.kernel.org/stable/c/a809bbfd0e503351d3051317288a70a4569a4949","https://git.kernel.org/stable/c/ddbec99f58571301679addbc022256970ca3eac6","https://git.kernel.org/stable/c/e3b2bfb8ff1810a537b2aa55ba906a6743ed120c","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26870","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  
do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.0176,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb","https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf","https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65","https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b","https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768","https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf","https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a","https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb","https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf","https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65","https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b","https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768","https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf","https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26872","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Do not 
register event handler until srpt device is fully setup\n\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\n\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\n\nInstead, only register the event handler after srpt device initialization\nis complete.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"epss":0.00012,"ranking_epss":0.0177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090","https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346","https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217","https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5","https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1e2cd456","https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6","https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f","https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090","https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346","https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217","https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5","https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1e2cd456","https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6","https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26874","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip\n\nIt's possible that 
mtk_crtc->event is NULL in\nmtk_drm_crtc_finish_page_flip().\n\npending_needs_vblank value is set by mtk_crtc->event, but in\nmtk_drm_crtc_atomic_flush(), it's is not guarded by the same\nlock in mtk_drm_finish_page_flip(), thus a race condition happens.\n\nConsider the following case:\n\nCPU1                              CPU2\nstep 1:\nmtk_drm_crtc_atomic_begin()\nmtk_crtc->event is not null,\n                                  step 1:\n                                  mtk_drm_crtc_atomic_flush:\n                                  mtk_drm_crtc_update_config(\n                                      !!mtk_crtc->event)\nstep 2:\nmtk_crtc_ddp_irq ->\nmtk_drm_finish_page_flip:\nlock\nmtk_crtc->event set to null,\npending_needs_vblank set to false\nunlock\n                                  pending_needs_vblank set to true,\n\n                                  step 2:\n                                  mtk_crtc_ddp_irq ->\n                                  mtk_drm_finish_page_flip called again,\n                                  pending_needs_vblank is still true\n                                  //null pointer\n\nInstead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more\nefficient to just check if mtk_crtc->event is null before 
use.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00013,"ranking_epss":0.02038,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535","https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49","https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710","https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340","https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a","https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e","https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b","https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7","https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731","https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535","https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49","https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710","https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340","https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a","https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e","https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b","https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7","https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26877","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xilinx - call finalize with bh disabled\n\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the 
following calltrace:\n\n    ------------[ cut here ]------------\n    WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n    Modules linked in: cryptodev(O)\n    CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G           O       6.8.0-rc1-yocto-standard #323\n    Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n    pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : crypto_finalize_request+0xa0/0x118\n    lr : crypto_finalize_request+0x104/0x118\n    sp : ffffffc085353ce0\n    x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n    x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n    x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n    x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n    x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n    x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n    x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n    x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n    x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n    Call trace:\n     crypto_finalize_request+0xa0/0x118\n     crypto_finalize_aead_request+0x18/0x30\n     zynqmp_handle_aes_req+0xcc/0x388\n     crypto_pump_work+0x168/0x2d8\n     kthread_worker_fn+0xfc/0x3a0\n     kthread+0x118/0x138\n     ret_from_fork+0x10/0x20\n    irq event stamp: 40\n    hardirqs last  enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0\n    hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90\n    softirqs last  enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0\n    softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0\n    ---[ end trace 0000000000000000 
]---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03e6d4e948432a61b35783323b6ab2be071d2619","https://git.kernel.org/stable/c/23bc89fdce71124cd2126fc919c7076e7cb489cf","https://git.kernel.org/stable/c/8a01335aedc50a66d04dd39203c89f4bc8042596","https://git.kernel.org/stable/c/9db89b1fb85557892e6681724b367287de5f9f20","https://git.kernel.org/stable/c/a71f66bd5f7b9b35a8aaa49e29565eca66299399","https://git.kernel.org/stable/c/a853450bf4c752e664abab0b2fad395b7ad7701c","https://git.kernel.org/stable/c/dbf291d8ffffb70f48286176a15c6c54f0bb0743","https://git.kernel.org/stable/c/03e6d4e948432a61b35783323b6ab2be071d2619","https://git.kernel.org/stable/c/23bc89fdce71124cd2126fc919c7076e7cb489cf","https://git.kernel.org/stable/c/8a01335aedc50a66d04dd39203c89f4bc8042596","https://git.kernel.org/stable/c/9db89b1fb85557892e6681724b367287de5f9f20","https://git.kernel.org/stable/c/a71f66bd5f7b9b35a8aaa49e29565eca66299399","https://git.kernel.org/stable/c/a853450bf4c752e664abab0b2fad395b7ad7701c","https://git.kernel.org/stable/c/dbf291d8ffffb70f48286176a15c6c54f0bb0743","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26878","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix potential NULL pointer dereference\n\nBelow race may cause NULL pointer dereference\n\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\n\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets 
it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\n\nSo let's fix it by using a temporary pointer to avoid this issue.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":6e-05,"ranking_epss":0.00329,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25","https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5","https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0","https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0","https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877","https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754","https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1","https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f","https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7","https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25","https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5","https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0","https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0","https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877","https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754","https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1","https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f","https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26880","summary":"In the Linux kernel, the following vulnerability has been 
resolved:\n\ndm: call the resume method on internal suspend\n\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\n\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\n\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\n\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n<snip>\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS:  00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n <TASK>\n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? 
__list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n<snip>\n---[ end trace 0000000000000000 ]---","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00042,"ranking_epss":0.13035,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/03ad5ad53e51abf3a4c7538c1bc67a5982b41dc5","https://git.kernel.org/stable/c/15a3fc5c8774c17589dabfe1d642d40685c985af","https://git.kernel.org/stable/c/360a7d1be8112654f1fb328ed3862be630bca3f4","https://git.kernel.org/stable/c/65e8fbde64520001abf1c8d0e573561b4746ef38","https://git.kernel.org/stable/c/69836d9329f0b4c58faaf3d886a7748ddb5bf718","https://git.kernel.org/stable/c/ad10289f68f45649816cc68eb93f45fd5ec48a15","https://git.kernel.org/stable/c/da7ece2197101b1469853e6b5e915be1e3896d52","https://git.kernel.org/stable/c/ef02d8edf738557af2865c5bfb66a03c4e071be7","https://git.kernel.org/stable/c/f89bd27709376d37ff883067193320c58a8c1d5a","https://git.kernel.org/stable/c/03ad5ad53e51abf3a4c7538c1bc67a5982b41dc5","https://git.kernel.org/stable/c/15a3fc5c8774c17589dabfe1d642d40685c985af","https://git.kernel.org/stable/c/360a7d1be8112654f1fb328ed3862be630bca3f4","https://git.kernel.org/stable/c/65e8fbde64520001abf1c8d0e573561b4746ef38","https://git.kernel.org/stable/c/69836d9329f0b4c58faaf3d886a7748ddb5bf718","https://git.kernel.org/stable/c/ad10289f68f45649816cc68eb93f45fd5ec48a15","https://git.kernel.
org/stable/c/da7ece2197101b1469853e6b5e915be1e3896d52","https://git.kernel.org/stable/c/ef02d8edf738557af2865c5bfb66a03c4e071be7","https://git.kernel.org/stable/c/f89bd27709376d37ff883067193320c58a8c1d5a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52644","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\n\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\n\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops 
snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. 
MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"epss":4e-05,"ranking_epss":0.00177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/04a2b6eff2ae1c19cb7f41e803bcbfaf94c06455","https://git.kernel.org/stable/c/1824f942527f784a19e01eac2d9679a21623d010","https://git.kernel.org/stable/c/31aaf17200c336fe258b70d39c40645ae19d0240","https://git.kernel.org/stable/c/4049a9f80513a6739c5677736a4c88f96df1b436","https://git.kernel.org/stable/c/49f067726ab01c87cf57566797a8a719badbbf08","https://git.kernel.org/stable/c/9636951e4468f02c72cc75a82dc65d003077edbc","https://git.kernel.org/stable/c/bc845e2e42cae95172c04bf29807c480f51a2a83","https://git.kernel.org/stable/c/c67698325c68f8768db858f5c87c34823421746d","https://git.kernel.org/stable/c/f1cf77bb870046a6111a604f7f7fe83d1c8c9610","https://git.kernel.org/stable/c/04a2b6eff2ae1c19cb7f41e803bcbfaf94c06455","https://git.kernel.org/stable/c/1824f942527f784a19e01eac2d9679a21623d010","https://git
.kernel.org/stable/c/31aaf17200c336fe258b70d39c40645ae19d0240","https://git.kernel.org/stable/c/4049a9f80513a6739c5677736a4c88f96df1b436","https://git.kernel.org/stable/c/49f067726ab01c87cf57566797a8a719badbbf08","https://git.kernel.org/stable/c/9636951e4468f02c72cc75a82dc65d003077edbc","https://git.kernel.org/stable/c/bc845e2e42cae95172c04bf29807c480f51a2a83","https://git.kernel.org/stable/c/c67698325c68f8768db858f5c87c34823421746d","https://git.kernel.org/stable/c/f1cf77bb870046a6111a604f7f7fe83d1c8c9610","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26851","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\n\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\n\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\n\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. 
It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00617,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/014a807f1cc9c9d5173c1cd935835553b00d211c","https://git.kernel.org/stable/c/39001e3c42000e7c2038717af0d33c32319ad591","https://git.kernel.org/stable/c/4bafcc43baf7bcf93566394dbd15726b5b456b7a","https://git.kernel.org/stable/c/767146637efc528b5e3d31297df115e85a2fd362","https://git.kernel.org/stable/c/80ee5054435a11c87c9a4f30f1ff750080c96416","https://git.kernel.org/stable/c/98db42191329c679f4ca52bec0b319689e1ad8cb","https://git.kernel.org/stable/c/b3c0f553820516ad4b62a9390ecd28d6f73a7b13","https://git.kernel.org/stable/c/ccd1108b16ab572d9bf635586b0925635dbd6bbc","https://git.kernel.org/stable/c/014a807f1cc9c9d5173c1cd935835553b00d211c","https://git.kernel.org/stable/c/39001e3c42000e7c2038717af0d33c32319ad591","https://git.kernel.org/stable/c/4bafcc43baf7bcf93566394dbd15726b5b456b7a","https://git.kernel.org/stable/c/767146637efc528b5e3d31297df115e85a2fd362","https://git.kernel.org/stable/c/80ee5054435a11c87c9a4f30f1ff750080c96416","https://git.kernel.org/stable/c/98db42191329c679f4ca52bec0b319689e1ad8cb","https://git.kernel.org/stable/c/b3c0f553820516ad4b62a9390ecd28d6f73a7b13","https://git.kernel.org/stable/c/ccd1108b16ab572d9bf635586b0925635dbd6bbc","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26852","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: avoid possible UAF in 
ip6_route_mpath_notify()\n\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\n\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\n\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\n\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\n\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 
b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\n\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 
m\n---truncated---","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00012,"ranking_epss":0.01645,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136","https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18","https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda","https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e","https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab","https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe","https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24","https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a","https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136","https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18","https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda","https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e","https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab","https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe","https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24","https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26855","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\n\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). 
To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01523,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/06e456a05d669ca30b224b8ed962421770c1496c","https://git.kernel.org/stable/c/0e296067ae0d74a10b4933601f9aa9f0ec8f157f","https://git.kernel.org/stable/c/1a770927dc1d642b22417c3e668c871689fc58b3","https://git.kernel.org/stable/c/37fe99016b12d32100ce670216816dba6c48b309","https://git.kernel.org/stable/c/8d95465d9a424200485792858c5b3be54658ce19","https://git.kernel.org/stable/c/afdd29726a6de4ba27cd15590661424c888dc596","https://git.kernel.org/stable/c/d9fefc51133107e59d192d773be86c1150cfeebb","https://git.kernel.org/stable/c/06e456a05d669ca30b224b8ed962421770c1496c","https://git.kernel.org/stable/c/0e296067ae0d74a10b4933601f9aa9f0ec8f157f","https://git.kernel.org/stable/c/1a770927dc1d642b22417c3e668c871689fc58b3","https://git.kernel.org/stable/c/37fe99016b12d32100ce670216816dba6c48b309","https://git.kernel.org/stable/c/8d95465d9a424200485792858c5b3be54658ce19","https://git.kernel.org/stable/c/afdd29726a6de4ba27cd15590661424c888dc596","https://git.kernel.org/stable/c/d9fefc51133107e59d192d773be86c1150cfeebb","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26857","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: make sure to pull inner header in geneve_rx()\n\nsyzbot triggered a bug in geneve_rx() [1]\n\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() 
call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  geneve_rx drivers/net/geneve.c:279 [inline]\n  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  process_backlog+0x480/0x8b0 net/core/dev.c:5976\n  __napi_poll+0xe3/0x980 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\n  do_softirq+0x9a/0xf0 kernel/softirq.c:454\n  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n  dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3819 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1296 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n 
entry_SYSCALL_64_after_hwframe+0x63/0x6b","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca","https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5","https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74","https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29","https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5","https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c","https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914","https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a","https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca","https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5","https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74","https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29","https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5","https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c","https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914","https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26859","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. 
The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? 
(uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":9e-05,"ranking_epss":0.00805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699","https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","https://git.kernel.org/stable/c/8eebff95c
e9558be66a36aa7cfb43223f3ab4699","https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26861","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: receive: annotate data-race around receiving_counter.counter\n\nSyzkaller with KCSAN identified a data-race issue when accessing\nkeypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()\nannotations to mark the data race as intentional.\n\n    BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll\n\n    write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:\n     counter_validate drivers/net/wireguard/receive.c:321 [inline]\n     wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461\n     __napi_poll+0x60/0x3b0 net/core/dev.c:6536\n     napi_poll net/core/dev.c:6605 [inline]\n     net_rx_action+0x32b/0x750 net/core/dev.c:6738\n     __do_softirq+0xc4/0x279 kernel/softirq.c:553\n     do_softirq+0x5e/0x90 kernel/softirq.c:454\n     __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n     __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n     _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\n     spin_unlock_bh include/linux/spinlock.h:396 [inline]\n     ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]\n     wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499\n     process_one_work kernel/workqueue.c:2633 [inline]\n     ...\n\n    read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:\n     
decrypt_packet drivers/net/wireguard/receive.c:252 [inline]\n     wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501\n     process_one_work kernel/workqueue.c:2633 [inline]\n     process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706\n     worker_thread+0x525/0x730 kernel/workqueue.c:2787\n     ...","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"epss":0.00011,"ranking_epss":0.01237,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3f94da807fe1668b9830f0eefbbf7e887b0a7bc6","https://git.kernel.org/stable/c/45a83b220c83e3c326513269afbf69ae6fc65cce","https://git.kernel.org/stable/c/78739d72f16b2d7d549f713f1dfebd678d32484b","https://git.kernel.org/stable/c/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3","https://git.kernel.org/stable/c/d691be84ab898cf136a35176eaf2f8fc116563f0","https://git.kernel.org/stable/c/f87884e0dffd61b47e58bc6e1e2f6843c212b0cc","https://git.kernel.org/stable/c/fdf16de078a97bf14bb8ee2b8d47cc3d3ead09ed","https://git.kernel.org/stable/c/3f94da807fe1668b9830f0eefbbf7e887b0a7bc6","https://git.kernel.org/stable/c/45a83b220c83e3c326513269afbf69ae6fc65cce","https://git.kernel.org/stable/c/78739d72f16b2d7d549f713f1dfebd678d32484b","https://git.kernel.org/stable/c/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3","https://git.kernel.org/stable/c/d691be84ab898cf136a35176eaf2f8fc116563f0","https://git.kernel.org/stable/c/f87884e0dffd61b47e58bc6e1e2f6843c212b0cc","https://git.kernel.org/stable/c/fdf16de078a97bf14bb8ee2b8d47cc3d3ead09ed","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T11:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26843","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: Fix potential overflow of soft-reserved region size\n\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved 
region.","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"epss":6e-05,"ranking_epss":0.00434,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0","https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9","https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426","https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be","https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70","https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4","https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0","https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9","https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426","https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be","https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70","https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T10:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26845","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Add TMF to tmr_list handling\n\nAn abort that is responded to by iSCSI itself is added to tmr_list but does\nnot go to target core. A LUN_RESET that goes through tmr_list takes a\nrefcounter on the abort and waits for completion. 
However, the abort will\nnever be complete because it was not started in target core.\n\n Unable to locate ITT: 0x05000000 on CID: 0\n Unable to locate RefTaskTag: 0x05000000 on CID: 0.\n wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n...\n INFO: task kworker/0:2:49 blocked for more than 491 seconds.\n task:kworker/0:2     state:D stack:    0 pid:   49 ppid:     2 flags:0x00000800\n Workqueue: events target_tmr_work [target_core_mod]\nCall Trace:\n __switch_to+0x2c4/0x470\n _schedule+0x314/0x1730\n schedule+0x64/0x130\n schedule_timeout+0x168/0x430\n wait_for_completion+0x140/0x270\n target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]\n core_tmr_lun_reset+0x30/0xa0 [target_core_mod]\n target_tmr_work+0xc8/0x1b0 [target_core_mod]\n process_one_work+0x2d4/0x5d0\n worker_thread+0x78/0x6c0\n\nTo fix this, only add abort to tmr_list if it will be handled by 
target\ncore.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d","https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf","https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb","https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25","https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d","https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f","https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a","https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d","https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf","https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb","https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171","https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25","https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d","https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f","https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T10:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26846","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. 
To prevent a double free, a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handle all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"epss":6e-05,"ranking_epss":0.00419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17","https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c","https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2","https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982","https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9","https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67","https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17","https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c","https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2","https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982","https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9","https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T10:15:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26825","summary":
"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\n\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that, which leads to an skb\nleak.\n\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device from being freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":7e-05,"ranking_epss":0.00633,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1","https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d","https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23","https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895","https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf","https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81","https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228cef2be9","https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c","https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1","https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d","https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23","https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895","https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf","https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81","https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5
228cef2be9","https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T10:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26833","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak in dm_sw_fini()\n\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\n\nunreferenced object 0xffff896302b45800 (size 1024):\n  comm \"(udev-worker)\", pid 222, jiffies 4294894636\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 6265fd77):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n    [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]\n    [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n    [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n    [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n    [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90\n    [<ffffffff996918a3>] pci_device_probe+0xc3/0x230\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\n\nFix this by freeing dmub_srv after destroying 
it.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00012,"ranking_epss":0.01677,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2","https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e","https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b","https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30","https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857","https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3","https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2","https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e","https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b","https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30","https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857","https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T10:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26835","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: set dormant flag on hook register failure\n\nWe need to set the dormant flag again if we fail to register\nthe hooks.\n\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\n\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables 
core.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01266,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376","https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af","https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be","https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95","https://git.kernel.org/stable/c/a6411f3c48f991c19aaf9a24fce36865fbba28d7","https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3","https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec","https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069","https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376","https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af","https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be","https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95","https://git.kernel.org/stable/c/a6411f3c48f991c19aaf9a24fce36865fbba28d7","https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3","https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec","https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T10:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26839","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix a memleak in init_credit_return\n\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. 
Otherwise those resources\nwould never be freed and a memleak is triggered.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01314,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3","https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7","https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25","https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2","https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a","https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896","https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8","https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b","https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3","https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7","https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25","https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2","https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a","https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896","https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8","https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T10:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-52642","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: bpf attach/detach requires write permission\n\nNote that bpf attach/detach also requires 
CAP_NET_ADMIN.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00013,"ranking_epss":0.02282,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f","https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8","https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f","https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e","https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be","https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0","https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f","https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8","https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f","https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e","https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be","https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-17T10:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26820","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed\n\nIf hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER\nhandler cannot perform VF register successfully as the register call\nis received before netvsc_probe is finished. 
This is because we\nregister register_netdevice_notifier() very early (even before\nvmbus_driver_register()).\nTo fix this, we try to register each such matching VF (if it is visible\nas a netdevice) at the end of netvsc_probe.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00011,"ranking_epss":0.01342,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef","https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135","https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7","https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2","https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418","https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c","https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d","https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366","https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef","https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135","https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7","https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2","https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418","https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c","https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d","https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-17T10:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21096","summary":"Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  
Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"epss":0.00121,"ranking_epss":0.31259,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKWVBZ6DBRFMLDXTHJUZ6LU7MJ5RTNA7/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFYBDWDBE4YICSV34LJZGYRVSG6QIRKE/","https://security.netapp.com/advisory/ntap-20240426-0013/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00034.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKWVBZ6DBRFMLDXTHJUZ6LU7MJ5RTNA7/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFYBDWDBE4YICSV34LJZGYRVSG6QIRKE/","https://security.netapp.com/advisory/ntap-20240426-0013/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21094","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  
Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"epss":0.00417,"ranking_epss":0.617,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21085","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).  
Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"epss":0.00109,"ranking_epss":0.29238,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21068","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  
Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"epss":0.0054,"ranking_epss":0.67576,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21011","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  
Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"epss":0.00339,"ranking_epss":0.5668,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-21012","summary":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  
Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"epss":0.00146,"ranking_epss":0.35055,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00014.html","https://security.netapp.com/advisory/ntap-20240426-0004/","https://www.oracle.com/security-alerts/cpuapr2024.html"],"published_time":"2024-04-16T22:15:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24809","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. 
Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00135,"ranking_epss":0.33331,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105242","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105242","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24810","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. 
Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00187,"ranking_epss":0.40521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105241","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105241","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24806","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. 
Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00212,"ranking_epss":0.43742,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24807","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. 
Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00501,"ranking_epss":0.65945,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105239","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105239","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24808","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. 
Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00195,"ranking_epss":0.41481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105240","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105240","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2022-24805","summary":"net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of             `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. 
Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.\n","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"epss":0.00483,"ranking_epss":0.65199,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105238","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209","https://bugzilla.redhat.com/show_bug.cgi?id=2103225","https://bugzilla.redhat.com/show_bug.cgi?id=2105238","https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937","https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775","https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/","https://security.gentoo.org/glsa/202210-29","https://www.debian.org/security/2022/dsa-5209"],"published_time":"2024-04-16T20:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3857","summary":"The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. 
This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"epss":0.00136,"ranking_epss":0.33433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1886683","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/","https://bugzilla.mozilla.org/show_bug.cgi?id=1886683","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/"],"published_time":"2024-04-16T16:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3859","summary":"On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. 
This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"epss":0.0172,"ranking_epss":0.8234,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1874489","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/","https://bugzilla.mozilla.org/show_bug.cgi?id=1874489","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/"],"published_time":"2024-04-16T16:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3861","summary":"If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. 
This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"epss":0.00129,"ranking_epss":0.32512,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1883158","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/","https://bugzilla.mozilla.org/show_bug.cgi?id=1883158","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/"],"published_time":"2024-04-16T16:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-3864","summary":"Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. 
This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"epss":0.01067,"ranking_epss":0.77649,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1888333","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/","https://bugzilla.mozilla.org/show_bug.cgi?id=1888333","https://lists.debian.org/debian-lts-announce/2024/04/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/04/msg00013.html","https://www.mozilla.org/security/advisories/mfsa2024-18/","https://www.mozilla.org/security/advisories/mfsa2024-19/","https://www.mozilla.org/security/advisories/mfsa2024-20/"],"published_time":"2024-04-16T16:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-32487","summary":"less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. 
Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"epss":0.00357,"ranking_epss":0.57961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/04/15/1","https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33","https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html","https://security.netapp.com/advisory/ntap-20240605-0009/","https://www.openwall.com/lists/oss-security/2024/04/12/5","https://www.openwall.com/lists/oss-security/2024/04/13/2","http://www.openwall.com/lists/oss-security/2024/04/15/1","https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33","https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html","https://security.netapp.com/advisory/ntap-20240605-0009/","https://www.openwall.com/lists/oss-security/2024/04/12/5","https://www.openwall.com/lists/oss-security/2024/04/13/2"],"published_time":"2024-04-13T15:15:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26817","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which 
might\noverflow.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00158,"ranking_epss":0.36745,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a","https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7","https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29","https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0","https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad","https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751","https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a","https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91","https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a","https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7","https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29","https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0","https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad","https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751","https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a","https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3TH6JK7ZZMSXSVHOJKIMSSOC6EQM4WV/"],"published_time":"2024-04-13T12:15:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26816","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86, relocs: Ignore relocations in .notes section\n\nWhen building with CONFIG_XEN_PV=y, .text symbols are emitted into\nthe .notes section so 
that Xen can find the \"startup_xen\" entry point.\nThis information is used prior to booting the kernel, so relocations\nare not useful. In fact, performing relocations against the .notes\nsection means that the KASLR base is exposed since /sys/kernel/notes\nis world-readable.\n\nTo avoid leaking the KASLR base without breaking unprivileged tools that\nare expecting to read /sys/kernel/notes, skip performing relocations in\nthe .notes section. The values readable in .notes are then identical to\nthose found in System.map.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.0002,"ranking_epss":0.0516,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/13edb509abc91c72152a11baaf0e7c060a312e03","https://git.kernel.org/stable/c/47635b112a64b7b208224962471e7e42f110e723","https://git.kernel.org/stable/c/52018aa146e3cf76569a9b1e6e49a2b7c8d4a088","https://git.kernel.org/stable/c/5cb59db49c9c0fccfd33b2209af4f7ae3c6ddf40","https://git.kernel.org/stable/c/a4e7ff1a74274e59a2de9bb57236542aa990d20a","https://git.kernel.org/stable/c/aaa8736370db1a78f0e8434344a484f9fd20be3b","https://git.kernel.org/stable/c/ae7079238f6faf1b94accfccf334e98b46a0c0aa","https://git.kernel.org/stable/c/af2a9f98d884205145fd155304a6955822ccca1c","https://git.kernel.org/stable/c/c7cff9780297d55d97ad068b68b703cfe53ef9af","https://git.kernel.org/stable/c/13edb509abc91c72152a11baaf0e7c060a312e03","https://git.kernel.org/stable/c/47635b112a64b7b208224962471e7e42f110e723","https://git.kernel.org/stable/c/52018aa146e3cf76569a9b1e6e49a2b7c8d4a088","https://git.kernel.org/stable/c/5cb59db49c9c0fccfd33b2209af4f7ae3c6ddf40","https://git.kernel.org/stable/c/a4e7ff1a74274e59a2de9bb57236542aa990d20a","https://git.kernel.org/stable/c/aaa8736370db1a78f0e8434344a484f9fd20be3b","https://git.kernel.org/stable/c/ae7079238f6faf1b94accfccf334e98b46a0c0aa","https://git.kernel.org/stable/c/af2a9f98d884205145fd155304a6955822ccca1c","https://git.kernel.org/s
table/c/c7cff9780297d55d97ad068b68b703cfe53ef9af","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"],"published_time":"2024-04-10T14:15:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-31309","summary":"HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.\n\nUsers can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.\nUsers are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"epss":0.02839,"ranking_epss":0.86139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/04/03/16","http://www.openwall.com/lists/oss-security/2024/04/10/7","https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc","https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/","http://www.openwall.com/lists/oss-security/2024/04/03/16","http://www.openwall.com/lists/oss-security/2024/04/10/7","https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc","https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKL
PQ6ECG4PGEPRCYI3Y3OITNDEFCCV/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/","https://www.kb.cert.org/vuls/id/421644"],"published_time":"2024-04-10T12:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26812","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  
Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.0214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034","https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d","https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897","https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834","https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c","https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e","https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3","https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899","https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034","https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d","https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897","https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834","https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c","https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e","https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3","https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-05T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26814","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the 
user sets the trigger\neventfd to -1.  The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger.  The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00021,"ranking_epss":0.05573,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417","https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d","https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9","https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012","https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede","https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d","https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267","https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417","https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d","https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9","https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012","https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede","https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d","https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-05T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-27437","summary":"In the Linux kernel, the following 
vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00013,"ranking_epss":0.0214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060","https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351","https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2","https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda","https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5","https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438","https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec","https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43","https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060","https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351","https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2","https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda","https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5","https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438","https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec","https://git.kernel.org/stable/c
/fe9a7082684eb059b925c535682e68c34d487d43","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-05T09:15:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2023-38709","summary":"Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.\n\nThis issue affects Apache HTTP Server: through 2.4.58.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"epss":0.03342,"ranking_epss":0.87261,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://seclists.org/fulldisclosure/2024/Jul/18","http://www.openwall.com/lists/oss-security/2024/04/04/3","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/","https://security.netapp.com/advisory/ntap-20240415-0013/","https://support.apple.com/kb/HT214119","http://seclists.org/fulldisclosure/2024/Jul/18","http://www.openwall.com/lists/oss-security/2024/04/04/3","http://www.openwall.com/lists/oss-security/2025/07/10/2","http://www.openwall.com/lists/oss-security/2025/07/10/3","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/","https://lists.fedoraproject.org/archives/list/package-announc
e@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/","https://security.netapp.com/advisory/ntap-20240415-0013/","https://support.apple.com/kb/HT214119"],"published_time":"2024-04-04T20:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-24795","summary":"HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.\n\nUsers are recommended to upgrade to version 2.4.59, which fixes this issue.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"epss":0.01123,"ranking_epss":0.78219,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://httpd.apache.org/security/vulnerabilities_24.html","http://seclists.org/fulldisclosure/2024/Jul/18","http://www.openwall.com/lists/oss-security/2024/04/04/5","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html","https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/","https://security.netapp.com/advisory/ntap-20240415-0013/","https://support.apple.com/kb/HT214119"],"published_time":"2024-04-04T20:15:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-28182","summary":"nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.  
This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"epss":0.24971,"ranking_epss":0.96136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.openwall.com/lists/oss-security/2024/04/03/16","https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0","https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9","https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q","https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/","http://www.openwall.com/lists/oss-security/2024/04/03/16","https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0","https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9","https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q","https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/","http
s://www.kb.cert.org/vuls/id/421644"],"published_time":"2024-04-04T15:15:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26809","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":0.00014,"ranking_epss":0.02759,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c","https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af","https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b","https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2","https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee","https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144","https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2","https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c","https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af","https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b","https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2","https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee","https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144","https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-04T10:1
5:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-26808","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\n\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"epss":8e-05,"ranking_epss":0.00706,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913","https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee","https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58","https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f","https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3","https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4","https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913","https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee","https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58","https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f","https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3","https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4","https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"],"published_time":"2024-04-04T10:15:08","vendor":null,"product":null,"version":null}]}