12632 matches found
CVE-2025-38604
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187stop move the call of usbkillanchoredurbs before clearing btxstatus.queue. This change prevents callbacks from using already freed skb due to anchor was not kille...
CVE-2025-38591
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = u8 r1 + 169; exit; With pointer field sk being at offset 168 in skbuff. This access is...
CVE-2025-38592
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcidevcddump: fix out-of-bounds via devcoredumpv Currently both devcoredumpv and skbputdata in hcidevcddump use hdev-dump.head. However, devcoredumpv can free the buffer. From devcoredumpmtimeout documentation, which i...
CVE-2025-38574
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptpxmit Commit aabc6596ffb3 "net: ppp: Add bound checking for skb data on pppsynctxmung" fixed pppsynctxmunge We need a similar fix in pptpxmit, otherwise we might read uninit data as reported ...
CVE-2025-38566
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tlsalertrecv due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-da...
CVE-2025-38571
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tlsalertrecv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the...
UBUNTU-CVE-2025-38574
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptpxmit Commit aabc6596ffb3 "net: ppp: Add bound checking for skb data on pppsynctxmung" fixed pppsynctxmunge We need a similar fix in pptpxmit, otherwise we might read uninit data as reported ...
CVE-2025-38604 wifi: rtl818x: Kill URBs before clearing tx status queue
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187stop move the call of usbkillanchoredurbs before clearing btxstatus.queue. This change prevents callbacks from using already freed skb due to anchor was not kille...
CVE-2025-38592
CVE-2025-38592 affects the Linux kernel Bluetooth subsystem. The issue arises in hci_devcd_dump where dev_coredumpv and skb_put_data both use hdev->dump.head, allowing a freed vmalloc buffer to be accessed and causing vmalloc-out-of-bounds access. The documented root cause is that dev_coredump...
CVE-2025-38591
CVE-2025-38591 affects the Linux kernel and is resolved by a patch in the BPF verifier. The issue involved a narrowing context access check in BPF, where a program attempted to read a pointer field (offset 169) in __sk_buff (field sk at offset 168). The verifier incorrectly allowed this “narrower...
CVE-2025-38591 bpf: Reject narrower access to pointer ctx fields
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = u8 r1 + 169; exit; With pointer field sk being at offset 168 in skbuff. This access is...
CVE-2025-38591
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = u8 r1 + 169; exit; With pointer field sk being at offset 168 in skbuff. This access is...
CVE-2025-38591 bpf: Reject narrower access to pointer ctx fields
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = u8 r1 + 169; exit; With pointer field sk being at offset 168 in skbuff. This access is...
CVE-2025-38590 net/mlx5e: Remove skb secpath if xfrm state is not found
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this...
CVE-2025-38574
CVE-2025-38574 affects the Linux kernel PPTP transmit path (pptp_xmit). A missing bound check on skb length could allow reading uninitialized data in pptp_xmit(), similar to changes made for ppp_sync_txmunge. The issue is fixed by the upstream commit aabc6596ffb3 and related bound-checking change...
CVE-2025-38574 pptp: ensure minimal skb length in pptp_xmit()
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptpxmit Commit aabc6596ffb3 "net: ppp: Add bound checking for skb data on pppsynctxmung" fixed pppsynctxmunge We need a similar fix in pptpxmit, otherwise we might read uninit data as reported ...
CVE-2025-38574
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptpxmit Commit aabc6596ffb3 "net: ppp: Add bound checking for skb data on pppsynctxmung" fixed pppsynctxmunge We need a similar fix in pptpxmit, otherwise we might read uninit data as reported ...
CVE-2025-38574 pptp: ensure minimal skb length in pptp_xmit()
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptpxmit Commit aabc6596ffb3 "net: ppp: Add bound checking for skb data on pppsynctxmung" fixed pppsynctxmunge We need a similar fix in pptpxmit, otherwise we might read uninit data as reported ...
CVE-2025-38571 sunrpc: fix client side handling of tls alerts
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tlsalertrecv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the...
CVE-2025-38571 sunrpc: fix client side handling of tls alerts
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tlsalertrecv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the...