Lucene search

185 matches found

CVE
added 2025/08/16 2:15 p.m., 93 views

CVE-2023-3865

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bound read in smb2_write ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If ->NextCommand is bigger than Offset + Length of smb2 write, It will allow oversized smb2 write length. It will cause OOB ...

6.9 AI score, 0.00042 EPSS
CVE
added 2025/08/16 2:15 p.m., 84 views

CVE-2023-3866

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in the compound request This patch validate session id and tree id in compound request. If first operation in the compound is SMB2 ECHO request, ksmbd bypass session and tree validation. So work...

6.9 AI score, 0.00029 EPSS
CVE
added 2025/08/16 2:15 p.m., 81 views

CVE-2023-3867

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds read in smb2_sess_setup ksmbd does not consider the case of that smb2 session setup is in compound request. If this is the second payload of the compound, OOB read issue occurs while processing the first payl...

7 AI score, 0.00565 EPSS
CVE
added 2025/08/16 2:15 p.m., 37 views

CVE-2023-32249

In the Linux kernel, the following vulnerability has been resolved: ksmbd: not allow guest user on multichannel This patch return STATUS_NOT_SUPPORTED if binding session is guest.

6.6 AI score, 0.00155 EPSS
CVE
added 2025/08/16 2:15 p.m., 34 views

CVE-2023-32246

In the Linux kernel, the following vulnerability has been resolved: ksmbd: call rcu_barrier() in ksmbd_server_exit() racy issue is triggered the bug by racing between closing a connection and rmmod. In ksmbd, rcu_barrier() is not called at module unload time, so nothing prevents ksmbd from getting un...

6.5 AI score, 0.00265 EPSS
CVE
added 2025/08/11 4:15 p.m., 20 views

CVE-2025-38499

In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a ...

7 AI score, 0.00024 EPSS
CVE
added 2025/08/16 2:15 p.m., 19 views

CVE-2023-4130

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea...

7.3 AI score, 0.00023 EPSS
CVE
added 2025/08/09 3:15 p.m., 14 views

CVE-2024-58238

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test This fixes the tx timeout issue seen while running a stress test on btnxpuart for couple of hours, such that the interval between two HCI commands coincide with...

7 AI score, 0.00024 EPSS
CVE
added 2025/08/16 2:15 p.m., 13 views

CVE-2023-4515

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except for SMB2_OPLOCK_BREAK_HE command, the request size of other commands is not checked, it's not expected. Fix it by add check ...

7.4 AI score, 0.00023 EPSS
CVE
added 2025/08/12 4:15 p.m., 11 views

CVE-2025-38500

In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to...

6.9 AI score, 0.00024 EPSS
CVE
added 2025/08/09 3:15 p.m., 10 views

CVE-2022-50233

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be ...

7.2 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 9 views

CVE-2025-38524

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up t...

6.5 AI score, 0.00023 EPSS
CVE
added 2025/08/16 12:15 p.m., 9 views

CVE-2025-38527

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_...

6.6 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 9 views

CVE-2025-38550

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return.

6.6 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 9 views

CVE-2025-38552

In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is si...

6.7 AI score, 0.00023 EPSS
CVE
added 2025/08/19 5:15 p.m., 9 views

CVE-2025-38560

In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch t...

7.2 AI score, 0.00032 EPSS
CVE
added 2025/08/19 5:15 p.m., 9 views

CVE-2025-38614

In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, bu...

7 AI score, 0.00023 EPSS
CVE
added 2025/08/16 6:15 a.m., 8 views

CVE-2025-38501

In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaust the max connections and prevent other normal client connections. This patch limit repeated connect...

6.6 AI score, 0.00032 EPSS
CVE
added 2025/08/16 11:15 a.m., 8 views

CVE-2025-38503

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree...

6.2 AI score, 0.00024 EPSS
CVE
added 2025/08/16 11:15 a.m., 8 views

CVE-2025-38507

In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: avoid bluetooth suspend/resume stalls Ensure we don't stall or panic the kernel when using bluetooth-connected controllers. This was reported as an issue on android devices using kernel 6.6 due to the resume hook which...

6.5 AI score, 0.00022 EPSS
CVE
added 2025/08/16 11:15 a.m., 8 views

CVE-2025-38512

In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case...

6.8 AI score, 0.00344 EPSS
CVE
added 2025/08/16 11:15 a.m., 8 views

CVE-2025-38515

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the jo...

6.5 AI score, 0.00032 EPSS
CVE
added 2025/08/16 11:15 a.m., 8 views

CVE-2025-38520

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and fre...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38523

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the smbd_response slab to allow usercopy The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_response struct's packet trailer to a folioq buffer provided by net...

6.8 AI score, 0.00022 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38526

In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer d...

6.5 AI score, 0.00023 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38531

In the Linux kernel, the following vulnerability has been resolved: iio: common: st_sensors: Fix use of uninitialize device structs Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm...

6.3 AI score, 0.00022 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38535

In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, r...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38539

In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values...

6.8 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38545

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info While transitioning from netdev_alloc_ip_align() to build_skb(), memory for the "skb_shared_info" member of an "skb" was not allocated. Fix this by all...

6.7 AI score, 0.00022 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38546

In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, an...

6.7 AI score, 0.00032 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38548

In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd().

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 8 views

CVE-2025-38551

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANN...

6.6 AI score, 0.00022 EPSS
CVE
added 2025/08/19 5:15 p.m., 8 views

CVE-2025-38568

In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated using NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-o...

7.2 AI score, 0.00027 EPSS
CVE
added 2025/08/19 5:15 p.m., 8 views

CVE-2025-38584

In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_...

7.1 AI score, 0.00022 EPSS
CVE
added 2025/08/19 5:15 p.m., 8 views

CVE-2025-38585

In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer...

7.9 AI score, 0.00024 EPSS
CVE
added 2025/08/19 5:15 p.m., 8 views

CVE-2025-38595

In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's ...

7.1 AI score, 0.00023 EPSS
CVE
added 2025/08/19 5:15 p.m., 8 views

CVE-2025-38608

In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, ...

7.3 AI score, 0.00037 EPSS
CVE
added 6 days ago, 7 views

CVE-2024-58239

In the Linux kernel, the following vulnerability has been resolved: tls: stop recv() if initial process_rx_list gave us non-DATA If we have a non-DATA record on the rx_list and another record of the same type still on the queue, we will end up merging them: process_rx_list copies the non-DATA record...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 10:15 a.m., 7 views

CVE-2025-38502

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and...

6.4 AI score, 0.00024 EPSS
CVE
added 2025/08/16 11:15 a.m., 7 views

CVE-2025-38510

In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); all...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 11:15 a.m., 7 views

CVE-2025-38513

In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_le...

6.5 AI score, 0.00032 EPSS
CVE
added 2025/08/16 11:15 a.m., 7 views

CVE-2025-38514

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get al...

6.5 AI score, 0.00032 EPSS
CVE
added 2025/08/16 11:15 a.m., 7 views

CVE-2025-38516

In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG(...

6.3 AI score, 0.00032 EPSS
CVE
added 2025/08/16 11:15 a.m., 7 views

CVE-2025-38521

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix kernel crash when hard resetting the GPU The GPU hard reset sequence calls pm_runtime_force_suspend() and pm_runtime_force_resume(), which according to their documentation should only be used during system-wide P...

6.4 AI score, 0.00022 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38528

In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 i...

6.4 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38529

In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, it->options[i] is an unchecked int value from userspace, so the sh...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38530

In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, it->options[i] is an unchecked int value from userspace, s...

6.5 AI score, 0.00024 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38532

In the Linux kernel, the following vulnerability has been resolved: net: libwx: properly reset Rx ring descriptor When device reset is triggered by feature changes such as toggling Rx VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The hardware descriptor ring may retain stale val...

6.4 AI score, 0.00023 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38533

In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was unin...

6.7 AI score, 0.00023 EPSS
CVE
added 2025/08/16 12:15 p.m., 7 views

CVE-2025-38538

In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and c...

6.7 AI score, 0.00024 EPSS
Total number of security vulnerabilities: 185