CVE-2025-40240

In CVE-2025-40240, the Linux kernel SCTP path had a NULL dereference when chunk data buffer was missing. The fix ensures chunk->skb is not dereferenced unless the chunk head indicates a valid skb, by checking frag_list and reordering the replacement of chunk->skb. The outer if() condition g...

CVE-2025-40240 sctp: avoid NULL dereference when chunk data buffer is missing

In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk-skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk-skb can only be NULL if chunk-headskb is not. Check for fraglist instead...

kernel: net: usb: smsc75xx: Limit packet length to skb->len

In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Limit packet length to skb-len Packet length retrieved from skb data may be larger than the actual socket buffer length up to 9026 bytes. In such case the cloned skb passed up the network stack will leak kerne...

kernel: vsock/virtio: Validate length in packet header before skb_put()

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skbput When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtiovsockskbrxput. Unfortunately, virtiovsockskbrxput uses the length...

net: usb: lan78xx: Limit packet length to skb->len

...

CVE-2025-40183

CVE-2025-40183 reflects a Linux kernel bug in BPF: metadata_dst leak via __bpf_redirect_neigh_v{4,6}. In workloads using Cilium’s BPF egress gateway, vxLAN-decapsulated traffic was routed with bpf_redirect_neigh(), which could leave behind a metadata_dst object attached to the skb and not release...

kernel: skbuff: skb_segment, Call zero copy functions before using skbuff frags

In the Linux kernel, the following vulnerability has been resolved: skbuff: skbsegment, Call zero copy functions before using skbuff frags Commit bf5c25d60861 "skbuff: in skbsegment, call zerocopy functions once per nskb" added the call to zero copy functions in skbsegment. The change introduced ...

kernel: vsock/virtio: Validate length in packet header before skb_put()

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skbput When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtiovsockskbrxput. Unfortunately, virtiovsockskbrxput uses the length...

EUVD-2025-124908

In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skbget. It increases the reference counter for that SKB to prevent unexpected freeing by another...

CVE-2025-40175

In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skbget. It increases the reference counter for that SKB to prevent unexpected freeing by another...

UBUNTU-CVE-2025-40175

In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skbget. It increases the reference counter for that SKB to prevent unexpected freeing by another...

UBUNTU-CVE-2025-40176

In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tlsstrpmsghold fails Async decryption calls tlsstrpmsghold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with...

CVE-2025-40175

CVE-2025-40175 affects the Linux kernel driver for idpf in PTP timestamping. The issue arises when cloning an SKB (skb_get) to latch a Tx timestamp: the K/U may increment the SKB refcount, and under certain conditions the SKB is assigned but not consumed in PTP flows (e.g., due to a reset during ...

CVE-2025-40175 idpf: cleanup remaining SKBs in PTP flows

In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skbget. It increases the reference counter for that SKB to prevent unexpected freeing by another...

CVE-2025-40176 tls: wait for pending async decryptions if tls_strp_msg_hold fails

In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tlsstrpmsghold fails Async decryption calls tlsstrpmsghold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with...

kernel: skbuff: skb_segment, Call zero copy functions before using skbuff frags

In the Linux kernel, the following vulnerability has been resolved: skbuff: skbsegment, Call zero copy functions before using skbuff frags Commit bf5c25d60861 "skbuff: in skbsegment, call zerocopy functions once per nskb" added the call to zero copy functions in skbsegment. The change introduced ...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from idpf's failure to clean up the remaining SKBs in a PTP stream, which could lead to a memory leak...

kernel: ibmvnic: Don't reference skb after sending to VIOS

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the txbytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending t...

kernel: tcp: drop secpath at the same time as we currently drop dst

In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6tunnelnetexit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the...

kernel: af_packet: fix vlan_get_tci() vs MSG_PEEK

In the Linux kernel, the following vulnerability has been resolved: afpacket: fix vlangettci vs MSGPEEK Blamed commit forgot MSGPEEK case, allowing a crash 1 as found by syzbot. Rework vlangettci to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier...