{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-5.15.0-170",
                "linux-headers-5.15.0-170-generic",
                "linux-image-5.15.0-170-generic",
                "linux-modules-5.15.0-170-generic"
            ],
            "removed": [
                "linux-headers-5.15.0-164",
                "linux-headers-5.15.0-164-generic",
                "linux-image-5.15.0-164-generic",
                "linux-modules-5.15.0-164-generic"
            ],
            "diff": [
                "libc-bin",
                "libc6:ppc64el",
                "libexpat1:ppc64el",
                "libglib2.0-0:ppc64el",
                "libglib2.0-bin",
                "libglib2.0-data",
                "libgnutls30:ppc64el",
                "libldap-2.5-0:ppc64el",
                "libldap-common",
                "libpng16-16:ppc64el",
                "libpython3.10:ppc64el",
                "libpython3.10-minimal:ppc64el",
                "libpython3.10-stdlib:ppc64el",
                "libssl3:ppc64el",
                "libxml2:ppc64el",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-virtual",
                "locales",
                "openssl",
                "python3-pyasn1",
                "python3.10",
                "python3.10-minimal",
                "screen",
                "ubuntu-minimal",
                "ubuntu-server",
                "ubuntu-standard"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.11",
                    "version": "2.35-0ubuntu3.11"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.13",
                    "version": "2.35-0ubuntu3.13"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2089789
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: use-after-free in wordexp_t fields",
                            "    - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields",
                            "      with WRDE_REUSE",
                            "    - CVE-2025-15281",
                            "  * SECURITY UPDATE: integer overflow in memalign",
                            "    - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment",
                            "      overflow check",
                            "    - CVE-2026-0861",
                            "  * SECURITY UPDATE: memory leak in NSS DNS",
                            "    - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for",
                            "      getnetbyaddr",
                            "    - CVE-2026-0915",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.13",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nishit Majithia <nishit.majithia@canonical.com>",
                        "date": "Fri, 30 Jan 2026 13:50:56 +0530"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2089789-*.patch: fix malloc performance regression (LP: #2089789)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.12",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2089789
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Tue, 15 Jul 2025 11:40:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6:ppc64el",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.11",
                    "version": "2.35-0ubuntu3.11"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.13",
                    "version": "2.35-0ubuntu3.13"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2089789
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: use-after-free in wordexp_t fields",
                            "    - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields",
                            "      with WRDE_REUSE",
                            "    - CVE-2025-15281",
                            "  * SECURITY UPDATE: integer overflow in memalign",
                            "    - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment",
                            "      overflow check",
                            "    - CVE-2026-0861",
                            "  * SECURITY UPDATE: memory leak in NSS DNS",
                            "    - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for",
                            "      getnetbyaddr",
                            "    - CVE-2026-0915",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.13",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nishit Majithia <nishit.majithia@canonical.com>",
                        "date": "Fri, 30 Jan 2026 13:50:56 +0530"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2089789-*.patch: fix malloc performance regression (LP: #2089789)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.12",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2089789
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Tue, 15 Jul 2025 11:40:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libexpat1:ppc64el",
                "from_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.4.7-1ubuntu0.6",
                    "version": "2.4.7-1ubuntu0.6"
                },
                "to_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.4.7-1ubuntu0.7",
                    "version": "2.4.7-1ubuntu0.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-24515",
                        "url": "https://ubuntu.com/security/CVE-2026-24515",
                        "cve_description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25210",
                        "url": "https://ubuntu.com/security/CVE-2026-25210",
                        "cve_description": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-30 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-24515",
                                "url": "https://ubuntu.com/security/CVE-2026-24515",
                                "cve_description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-25210",
                                "url": "https://ubuntu.com/security/CVE-2026-25210",
                                "cve_description": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-30 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: NULL pointer dereference",
                            "    - debian/patches/CVE-2026-24515.patch: updates",
                            "      XML_ExternalEntityParserCreate to copy unknown encoding handler user",
                            "      data in expat/lib/xmlparse.c.",
                            "    - CVE-2026-24515",
                            "  * SECURITY UPDATE: integer overflow",
                            "    - debian/patches/CVE-2026-25210*.patch: adds an integer overflow check for",
                            "      tag buffer reallocation in the doContent function of",
                            "      expat/lib/xmlparse.c.",
                            "    - CVE-2026-25210",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.4.7-1ubuntu0.7",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Ian Constantin <ian.constantin@canonical.com>",
                        "date": "Wed, 04 Feb 2026 17:24:04 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-0:ppc64el",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.7",
                    "version": "2.72.4-0ubuntu2.7"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.9",
                    "version": "2.72.4-0ubuntu2.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1484",
                        "url": "https://ubuntu.com/security/CVE-2026-1484",
                        "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1485",
                        "url": "https://ubuntu.com/security/CVE-2026-1485",
                        "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1489",
                        "url": "https://ubuntu.com/security/CVE-2026-1489",
                        "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0988",
                        "url": "https://ubuntu.com/security/CVE-2026-0988",
                        "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-21 12:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1484",
                                "url": "https://ubuntu.com/security/CVE-2026-1484",
                                "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1485",
                                "url": "https://ubuntu.com/security/CVE-2026-1485",
                                "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1489",
                                "url": "https://ubuntu.com/security/CVE-2026-1489",
                                "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in Base64 encoding",
                            "    - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential",
                            "      overflow in glib/gbase64.c.",
                            "    - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is",
                            "      within allocated size in glib/gbase64.c.",
                            "    - CVE-2026-1484",
                            "  * SECURITY UPDATE: buffer underflow via header length",
                            "    - debian/patches/CVE-2026-1485.patch: do not overflow if header is",
                            "      longer than MAXINT in gio/gcontenttype.c.",
                            "    - CVE-2026-1485",
                            "  * SECURITY UPDATE: integer overflow via Unicode case conversion",
                            "    - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks",
                            "      length in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-4.patch: add test debug information when",
                            "      parsing input files in glib/tests/unicode.c.",
                            "    - CVE-2026-1489",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.9",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 28 Jan 2026 12:57:54 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0988",
                                "url": "https://ubuntu.com/security/CVE-2026-0988",
                                "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-21 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()",
                            "    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow",
                            "      in peek() in gio/gbufferedinputstream.c,",
                            "      gio/tests/buffered-input-stream.c.",
                            "    - CVE-2026-0988",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.8",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 20 Jan 2026 08:55:03 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-bin",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.7",
                    "version": "2.72.4-0ubuntu2.7"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.9",
                    "version": "2.72.4-0ubuntu2.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1484",
                        "url": "https://ubuntu.com/security/CVE-2026-1484",
                        "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1485",
                        "url": "https://ubuntu.com/security/CVE-2026-1485",
                        "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1489",
                        "url": "https://ubuntu.com/security/CVE-2026-1489",
                        "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0988",
                        "url": "https://ubuntu.com/security/CVE-2026-0988",
                        "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-21 12:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1484",
                                "url": "https://ubuntu.com/security/CVE-2026-1484",
                                "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1485",
                                "url": "https://ubuntu.com/security/CVE-2026-1485",
                                "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1489",
                                "url": "https://ubuntu.com/security/CVE-2026-1489",
                                "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in Base64 encoding",
                            "    - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential",
                            "      overflow in glib/gbase64.c.",
                            "    - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is",
                            "      within allocated size in glib/gbase64.c.",
                            "    - CVE-2026-1484",
                            "  * SECURITY UPDATE: buffer underflow via header length",
                            "    - debian/patches/CVE-2026-1485.patch: do not overflow if header is",
                            "      longer than MAXINT in gio/gcontenttype.c.",
                            "    - CVE-2026-1485",
                            "  * SECURITY UPDATE: integer overflow via Unicode case conversion",
                            "    - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks",
                            "      length in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-4.patch: add test debug information when",
                            "      parsing input files in glib/tests/unicode.c.",
                            "    - CVE-2026-1489",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.9",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 28 Jan 2026 12:57:54 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0988",
                                "url": "https://ubuntu.com/security/CVE-2026-0988",
                                "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-21 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()",
                            "    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow",
                            "      in peek() in gio/gbufferedinputstream.c,",
                            "      gio/tests/buffered-input-stream.c.",
                            "    - CVE-2026-0988",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.8",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 20 Jan 2026 08:55:03 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-data",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.7",
                    "version": "2.72.4-0ubuntu2.7"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.72.4-0ubuntu2.9",
                    "version": "2.72.4-0ubuntu2.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1484",
                        "url": "https://ubuntu.com/security/CVE-2026-1484",
                        "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1485",
                        "url": "https://ubuntu.com/security/CVE-2026-1485",
                        "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1489",
                        "url": "https://ubuntu.com/security/CVE-2026-1489",
                        "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0988",
                        "url": "https://ubuntu.com/security/CVE-2026-0988",
                        "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-21 12:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1484",
                                "url": "https://ubuntu.com/security/CVE-2026-1484",
                                "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1485",
                                "url": "https://ubuntu.com/security/CVE-2026-1485",
                                "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1489",
                                "url": "https://ubuntu.com/security/CVE-2026-1489",
                                "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in Base64 encoding",
                            "    - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential",
                            "      overflow in glib/gbase64.c.",
                            "    - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is",
                            "      within allocated size in glib/gbase64.c.",
                            "    - CVE-2026-1484",
                            "  * SECURITY UPDATE: buffer underflow via header length",
                            "    - debian/patches/CVE-2026-1485.patch: do not overflow if header is",
                            "      longer than MAXINT in gio/gcontenttype.c.",
                            "    - CVE-2026-1485",
                            "  * SECURITY UPDATE: integer overflow via Unicode case conversion",
                            "    - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks",
                            "      length in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size",
                            "      in glib/guniprop.c.",
                            "    - debian/patches/CVE-2026-1489-4.patch: add test debug information when",
                            "      parsing input files in glib/tests/unicode.c.",
                            "    - CVE-2026-1489",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.9",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 28 Jan 2026 12:57:54 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0988",
                                "url": "https://ubuntu.com/security/CVE-2026-0988",
                                "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-21 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()",
                            "    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow",
                            "      in peek() in gio/gbufferedinputstream.c,",
                            "      gio/tests/buffered-input-stream.c.",
                            "    - CVE-2026-0988",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.72.4-0ubuntu2.8",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 20 Jan 2026 08:55:03 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgnutls30:ppc64el",
                "from_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.7.3-4ubuntu1.7",
                    "version": "3.7.3-4ubuntu1.7"
                },
                "to_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.7.3-4ubuntu1.8",
                    "version": "3.7.3-4ubuntu1.8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14831",
                        "url": "https://ubuntu.com/security/CVE-2025-14831",
                        "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-09 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9820",
                        "url": "https://ubuntu.com/security/CVE-2025-9820",
                        "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14831",
                                "url": "https://ubuntu.com/security/CVE-2025-14831",
                                "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-09 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9820",
                                "url": "https://ubuntu.com/security/CVE-2025-9820",
                                "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: DoS via malicious certificates",
                            "    - debian/patches/CVE-2025-14831-*.patch: rework processing algorithms",
                            "      to exhibit better performance characteristics in",
                            "      lib/x509/name_constraints.c, tests/name-constraints-ip.c.",
                            "    - CVE-2025-14831",
                            "  * SECURITY UPDATE: stack overflow via long token label",
                            "    - debian/patches/CVE-2025-9820.patch: avoid stack overwrite when",
                            "      initializing a token in lib/pkcs11_write.c, tests/Makefile.am,",
                            "      tests/pkcs11/long-label.c.",
                            "    - CVE-2025-9820",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.7.3-4ubuntu1.8",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 12:28:21 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libldap-2.5-0:ppc64el",
                "from_version": {
                    "source_package_name": "openldap",
                    "source_package_version": "2.5.19+dfsg-0ubuntu0.22.04.1",
                    "version": "2.5.19+dfsg-0ubuntu0.22.04.1"
                },
                "to_version": {
                    "source_package_name": "openldap",
                    "source_package_version": "2.5.20+dfsg-0ubuntu0.22.04.1",
                    "version": "2.5.20+dfsg-0ubuntu0.22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127665,
                    2125685,
                    2121816
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (LP: #2127665)",
                            "    - Fixed lloadd handling of starttls critical (ITS#10323)",
                            "    - Fixed slapd regression with certain searches (ITS#10307)",
                            "    - Fixed slapo-pcache caching behaviors (ITS#10270)",
                            "  * pbkdf2 iteration configuration support (LP: #2125685)",
                            "    - d/p/lp2125685-pbkdf2-configurable-rounds: make iterations configurable",
                            "    - d/p/lp2125685-pbkdf2-fix-iteration-arg: fix iteration argument index",
                            "    - d/t/pbkdf2-contrib: test if pbkdf2 hashing rounds are adjustable",
                            "  * Enable build of ppm password quality check module (LP: #2121816)",
                            "    - d/rules: build ppm password quality module",
                            "    - d/p/contrib-makefiles: build patches from 2.6.9+dfsg-1~exp1 (#1039740)",
                            "    - d/p/ppm-cross: cross-build patch from 2.6.8+dfsg-1~exp1 (#1079533)",
                            "    - d/t/ppm-contrib: test ppm password quality module",
                            "      + no attribute checks, since they're first possible with 2.6.2",
                            "    - d/control: add dependency on libcrack2-dev for ppm",
                            "    - d/slapd-contrib.{examples,install,manpages}: add ppm",
                            ""
                        ],
                        "package": "openldap",
                        "version": "2.5.20+dfsg-0ubuntu0.22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2127665,
                            2125685,
                            2121816
                        ],
                        "author": "Jonas Jelten <jonas.jelten@canonical.com>",
                        "date": "Wed, 24 Sep 2025 15:40:37 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libldap-common",
                "from_version": {
                    "source_package_name": "openldap",
                    "source_package_version": "2.5.19+dfsg-0ubuntu0.22.04.1",
                    "version": "2.5.19+dfsg-0ubuntu0.22.04.1"
                },
                "to_version": {
                    "source_package_name": "openldap",
                    "source_package_version": "2.5.20+dfsg-0ubuntu0.22.04.1",
                    "version": "2.5.20+dfsg-0ubuntu0.22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127665,
                    2125685,
                    2121816
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (LP: #2127665)",
                            "    - Fixed lloadd handling of starttls critical (ITS#10323)",
                            "    - Fixed slapd regression with certain searches (ITS#10307)",
                            "    - Fixed slapo-pcache caching behaviors (ITS#10270)",
                            "  * pbkdf2 iteration configuration support (LP: #2125685)",
                            "    - d/p/lp2125685-pbkdf2-configurable-rounds: make iterations configurable",
                            "    - d/p/lp2125685-pbkdf2-fix-iteration-arg: fix iteration argument index",
                            "    - d/t/pbkdf2-contrib: test if pbkdf2 hashing rounds are adjustable",
                            "  * Enable build of ppm password quality check module (LP: #2121816)",
                            "    - d/rules: build ppm password quality module",
                            "    - d/p/contrib-makefiles: build patches from 2.6.9+dfsg-1~exp1 (#1039740)",
                            "    - d/p/ppm-cross: cross-build patch from 2.6.8+dfsg-1~exp1 (#1079533)",
                            "    - d/t/ppm-contrib: test ppm password quality module",
                            "      + no attribute checks, since they're first possible with 2.6.2",
                            "    - d/control: add dependency on libcrack2-dev for ppm",
                            "    - d/slapd-contrib.{examples,install,manpages}: add ppm",
                            ""
                        ],
                        "package": "openldap",
                        "version": "2.5.20+dfsg-0ubuntu0.22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2127665,
                            2125685,
                            2121816
                        ],
                        "author": "Jonas Jelten <jonas.jelten@canonical.com>",
                        "date": "Wed, 24 Sep 2025 15:40:37 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpng16-16:ppc64el",
                "from_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.37-3ubuntu0.3",
                    "version": "1.6.37-3ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.37-3ubuntu0.4",
                    "version": "1.6.37-3ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-25646",
                        "url": "https://ubuntu.com/security/CVE-2026-25646",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25646",
                                "url": "https://ubuntu.com/security/CVE-2026-25646",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in png_set_quantize()",
                            "    - debian/patches/CVE-2026-25646.patch: fix a heap buffer overflow in",
                            "      pngrtran.c.",
                            "    - CVE-2026-25646",
                            ""
                        ],
                        "package": "libpng1.6",
                        "version": "1.6.37-3ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Feb 2026 09:27:33 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10:ppc64el",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.13",
                    "version": "3.10.12-1~22.04.13"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.14",
                    "version": "3.10.12-1~22.04.14"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-12084",
                        "url": "https://ubuntu.com/security/CVE-2025-12084",
                        "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-13837",
                        "url": "https://ubuntu.com/security/CVE-2025-13837",
                        "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-01 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15366",
                        "url": "https://ubuntu.com/security/CVE-2025-15366",
                        "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15367",
                        "url": "https://ubuntu.com/security/CVE-2025-15367",
                        "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-12084",
                                "url": "https://ubuntu.com/security/CVE-2025-12084",
                                "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-13837",
                                "url": "https://ubuntu.com/security/CVE-2025-13837",
                                "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-01 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15366",
                                "url": "https://ubuntu.com/security/CVE-2025-15366",
                                "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15367",
                                "url": "https://ubuntu.com/security/CVE-2025-15367",
                                "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Header injection in email messages where addresses are not",
                            "    sanitized.",
                            "    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash",
                            "      in Lib/email/_header_value_parser.py. Add test in",
                            "      Lib/test/test_email/test__header_value_parser.py.",
                            "    - CVE-2025-11468",
                            "  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML",
                            "    documents.",
                            "    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace",
                            "      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument",
                            "      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.",
                            "    - CVE-2025-12084",
                            "  * SECURITY UPDATE: OOM and denial of service when opening malicious plist",
                            "    file.",
                            "    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read",
                            "      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.",
                            "    - CVE-2025-13837",
                            "  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.",
                            "    - debian/patches/CVE-2025-15282.patch: Add control character checks in",
                            "      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    imaplib.",
                            "    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in",
                            "      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    poplib.",
                            "    - debian/patches/CVE-2025-15367.patch: Add control character regex check",
                            "      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.",
                            "    - CVE-2025-15367",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.",
                            "    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and",
                            "      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-0672",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled headers and",
                            "    values with newlines.",
                            "    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in",
                            "      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and",
                            "      Lib/test/test_wsgiref.py.",
                            "    - CVE-2026-0865",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.14",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 26 Jan 2026 11:25:28 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-minimal:ppc64el",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.13",
                    "version": "3.10.12-1~22.04.13"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.14",
                    "version": "3.10.12-1~22.04.14"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-12084",
                        "url": "https://ubuntu.com/security/CVE-2025-12084",
                        "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-13837",
                        "url": "https://ubuntu.com/security/CVE-2025-13837",
                        "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-01 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15366",
                        "url": "https://ubuntu.com/security/CVE-2025-15366",
                        "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15367",
                        "url": "https://ubuntu.com/security/CVE-2025-15367",
                        "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-12084",
                                "url": "https://ubuntu.com/security/CVE-2025-12084",
                                "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-13837",
                                "url": "https://ubuntu.com/security/CVE-2025-13837",
                                "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-01 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15366",
                                "url": "https://ubuntu.com/security/CVE-2025-15366",
                                "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15367",
                                "url": "https://ubuntu.com/security/CVE-2025-15367",
                                "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Header injection in email messages where addresses are not",
                            "    sanitized.",
                            "    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash",
                            "      in Lib/email/_header_value_parser.py. Add test in",
                            "      Lib/test/test_email/test__header_value_parser.py.",
                            "    - CVE-2025-11468",
                            "  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML",
                            "    documents.",
                            "    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace",
                            "      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument",
                            "      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.",
                            "    - CVE-2025-12084",
                            "  * SECURITY UPDATE: OOM and denial of service when opening malicious plist",
                            "    file.",
                            "    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read",
                            "      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.",
                            "    - CVE-2025-13837",
                            "  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.",
                            "    - debian/patches/CVE-2025-15282.patch: Add control character checks in",
                            "      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    imaplib.",
                            "    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in",
                            "      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    poplib.",
                            "    - debian/patches/CVE-2025-15367.patch: Add control character regex check",
                            "      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.",
                            "    - CVE-2025-15367",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.",
                            "    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and",
                            "      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-0672",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled headers and",
                            "    values with newlines.",
                            "    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in",
                            "      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and",
                            "      Lib/test/test_wsgiref.py.",
                            "    - CVE-2026-0865",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.14",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 26 Jan 2026 11:25:28 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-stdlib:ppc64el",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.13",
                    "version": "3.10.12-1~22.04.13"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.14",
                    "version": "3.10.12-1~22.04.14"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-12084",
                        "url": "https://ubuntu.com/security/CVE-2025-12084",
                        "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-13837",
                        "url": "https://ubuntu.com/security/CVE-2025-13837",
                        "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-01 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15366",
                        "url": "https://ubuntu.com/security/CVE-2025-15366",
                        "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15367",
                        "url": "https://ubuntu.com/security/CVE-2025-15367",
                        "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-12084",
                                "url": "https://ubuntu.com/security/CVE-2025-12084",
                                "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-13837",
                                "url": "https://ubuntu.com/security/CVE-2025-13837",
                                "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-01 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15366",
                                "url": "https://ubuntu.com/security/CVE-2025-15366",
                                "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15367",
                                "url": "https://ubuntu.com/security/CVE-2025-15367",
                                "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Header injection in email messages where addresses are not",
                            "    sanitized.",
                            "    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash",
                            "      in Lib/email/_header_value_parser.py. Add test in",
                            "      Lib/test/test_email/test__header_value_parser.py.",
                            "    - CVE-2025-11468",
                            "  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML",
                            "    documents.",
                            "    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace",
                            "      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument",
                            "      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.",
                            "    - CVE-2025-12084",
                            "  * SECURITY UPDATE: OOM and denial of service when opening malicious plist",
                            "    file.",
                            "    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read",
                            "      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.",
                            "    - CVE-2025-13837",
                            "  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.",
                            "    - debian/patches/CVE-2025-15282.patch: Add control character checks in",
                            "      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    imaplib.",
                            "    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in",
                            "      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    poplib.",
                            "    - debian/patches/CVE-2025-15367.patch: Add control character regex check",
                            "      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.",
                            "    - CVE-2025-15367",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.",
                            "    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and",
                            "      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-0672",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled headers and",
                            "    values with newlines.",
                            "    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in",
                            "      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and",
                            "      Lib/test/test_wsgiref.py.",
                            "    - CVE-2026-0865",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.14",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 26 Jan 2026 11:25:28 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssl3:ppc64el",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.20",
                    "version": "3.0.2-0ubuntu1.20"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.21",
                    "version": "3.0.2-0ubuntu1.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15467",
                        "url": "https://ubuntu.com/security/CVE-2025-15467",
                        "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68160",
                        "url": "https://ubuntu.com/security/CVE-2025-68160",
                        "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69418",
                        "url": "https://ubuntu.com/security/CVE-2025-69418",
                        "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.  Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.  The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.  However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69419",
                        "url": "https://ubuntu.com/security/CVE-2025-69419",
                        "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69420",
                        "url": "https://ubuntu.com/security/CVE-2025-69420",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69421",
                        "url": "https://ubuntu.com/security/CVE-2025-69421",
                        "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2279",
                        "url": "https://ubuntu.com/security/CVE-2026-2279",
                        "cve_description": "",
                        "cve_priority": "n/a",
                        "cve_public_date": ""
                    },
                    {
                        "cve": "CVE-2026-22795",
                        "url": "https://ubuntu.com/security/CVE-2026-22795",
                        "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22796",
                        "url": "https://ubuntu.com/security/CVE-2026-22796",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15467",
                                "url": "https://ubuntu.com/security/CVE-2025-15467",
                                "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68160",
                                "url": "https://ubuntu.com/security/CVE-2025-68160",
                                "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69418",
                                "url": "https://ubuntu.com/security/CVE-2025-69418",
                                "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or\nother hardware-accelerated code paths, inputs whose length is not a multiple\nof 16 bytes can leave the final partial block unencrypted and unauthenticated.\n\nImpact summary: The trailing 1-15 bytes of a message may be exposed in\ncleartext on encryption and are not covered by the authentication tag,\nallowing an attacker to read or tamper with those bytes without detection.\n\nThe low-level OCB encrypt and decrypt routines in the hardware-accelerated\nstream path process full 16-byte blocks but do not advance the input/output\npointers. The subsequent tail-handling code then operates on the original\nbase pointers, effectively reprocessing the beginning of the buffer while\nleaving the actual trailing bytes unprocessed. The authentication checksum\nalso excludes the true tail bytes.\n\nHowever, typical OpenSSL consumers using EVP are not affected because the\nhigher-level EVP and provider OCB implementations split inputs so that full\nblocks and trailing partial blocks are processed in separate calls, avoiding\nthe problematic code path. Additionally, TLS does not use OCB ciphersuites.\nThe vulnerability only affects applications that call the low-level\nCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with\nnon-block-aligned lengths in a single call on hardware-accelerated builds.\nFor these reasons the issue was assessed as Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected\nby this issue, as OCB mode is not a FIPS-approved algorithm.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69419",
                                "url": "https://ubuntu.com/security/CVE-2025-69419",
                                "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69420",
                                "url": "https://ubuntu.com/security/CVE-2025-69420",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69421",
                                "url": "https://ubuntu.com/security/CVE-2025-69421",
                                "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2279",
                                "url": "https://ubuntu.com/security/CVE-2026-2279",
                                "cve_description": "",
                                "cve_priority": "n/a",
                                "cve_public_date": ""
                            },
                            {
                                "cve": "CVE-2026-22795",
                                "url": "https://ubuntu.com/security/CVE-2026-22795",
                                "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22796",
                                "url": "https://ubuntu.com/security/CVE-2026-22796",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing",
                            "    - debian/patches/CVE-2025-15467-1.patch: correct handling of",
                            "      AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.",
                            "    - debian/patches/CVE-2025-15467-2.patch: some comments to clarify",
                            "      functions usage in crypto/asn1/evp_asn1.c.",
                            "    - debian/patches/CVE-2025-15467-3.patch: test for handling of",
                            "      AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c,",
                            "      test/recipes/80-test_cmsapi.t,",
                            "      test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.",
                            "    - CVE-2025-15467",
                            "  * SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short",
                            "    writes",
                            "    - debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in",
                            "      BIO_f_linebuffer in crypto/bio/bf_lbuf.c.",
                            "    - CVE-2025-68160",
                            "  * SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with",
                            "    low-level OCB function calls",
                            "    - debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path",
                            "      unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.",
                            "    - CVE-2025-69418",
                            "  * SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8",
                            "    conversion",
                            "    - debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc",
                            "      in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.",
                            "    - CVE-2025-69419",
                            "  * SECURITY UPDATE: Missing ASN1_TYPE validation in",
                            "    TS_RESP_verify_response() function",
                            "    - debian/patches/CVE-2025-69420.patch: verify ASN1 object's types",
                            "      before attempting to access them as a particular type in",
                            "      crypto/ts/ts_rsp_verify.c.",
                            "    - CVE-2025-69420",
                            "  * SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex",
                            "    - debian/patches/CVE-2025-69421.patch: add NULL check in",
                            "      crypto/pkcs12/p12_decr.c.",
                            "    - CVE-2025-69421",
                            "  * SECURITY UPDATE: ASN1_TYPE missing validation and type confusion",
                            "    - debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked",
                            "      before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c,",
                            "      crypto/pkcs7/pk7_doit.c.",
                            "    - CVE-2026-22795",
                            "    - CVE-2026-22796",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.0.2-0ubuntu1.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 26 Jan 2026 07:32:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libxml2:ppc64el",
                "from_version": {
                    "source_package_name": "libxml2",
                    "source_package_version": "2.9.13+dfsg-1ubuntu0.10",
                    "version": "2.9.13+dfsg-1ubuntu0.10"
                },
                "to_version": {
                    "source_package_name": "libxml2",
                    "source_package_version": "2.9.13+dfsg-1ubuntu0.11",
                    "version": "2.9.13+dfsg-1ubuntu0.11"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8732",
                        "url": "https://ubuntu.com/security/CVE-2025-8732",
                        "cve_description": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"",
                        "cve_priority": "low",
                        "cve_public_date": "2025-08-08 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0989",
                        "url": "https://ubuntu.com/security/CVE-2026-0989",
                        "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0990",
                        "url": "https://ubuntu.com/security/CVE-2026-0990",
                        "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0992",
                        "url": "https://ubuntu.com/security/CVE-2026-0992",
                        "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8732",
                                "url": "https://ubuntu.com/security/CVE-2025-8732",
                                "cve_description": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"",
                                "cve_priority": "low",
                                "cve_public_date": "2025-08-08 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0989",
                                "url": "https://ubuntu.com/security/CVE-2026-0989",
                                "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0990",
                                "url": "https://ubuntu.com/security/CVE-2026-0990",
                                "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0992",
                                "url": "https://ubuntu.com/security/CVE-2026-0992",
                                "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Infinite recursion with SGML catalogs.",
                            "    - debian/patches/CVE-2025-8732.patch: Add catalog depth and checks in",
                            "      catalog.c. Add test files in result/catalogs/recursive and",
                            "      test/catalogs/recursive.sgml.",
                            "    - CVE-2025-8732",
                            "  * SECURITY UPDATE: Infinite recursion when resolving include directives in",
                            "    RelaxNG parser.",
                            "    - debian/patches/CVE-2026-0989.patch: Add xmlRelaxParserSetIncLImit in",
                            "      include/libxml/relaxng.h. Add include limit and checks in relaxng.c. Add",
                            "      test and test files in runtest.c,",
                            "      test/relaxng/include/include-limit.rng,",
                            "      test/relaxng/include/include-limit_1.rng,",
                            "      test/relaxng/include/include-limit_2.rng, and",
                            "      test/relaxng/include/include-limit_3.rng.",
                            "    - debian/libxml2.symbols: Add new xmlRelaxParserSetIncLImit symbol.",
                            "    - CVE-2026-0989",
                            "  * SECURITY UPDATE: Infinite recursion in URI dereferencing.",
                            "    - debian/patches/CVE-2026-0990.patch: Add MAX_CATAL_DEPTH and other checks",
                            "      in catalog.c.",
                            "    - CVE-2026-0990",
                            "  * SECURITY UPDATE: Uncontrolled resource consumption in catalogs.",
                            "    - debian/patches/CVE-2026-0992.patch: Add catalog duplication checks in",
                            "      catalog.c.",
                            "    - CVE-2026-0992",
                            ""
                        ],
                        "package": "libxml2",
                        "version": "2.9.13+dfsg-1ubuntu0.11",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 21 Jan 2026 14:38:02 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.164.159",
                    "version": "5.15.0.164.159"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.170.159",
                    "version": "5.15.0.170.159"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-170",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "5.15.0.170.159",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:59 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.164.159",
                    "version": "5.15.0.164.159"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.170.159",
                    "version": "5.15.0.170.159"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-170",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "5.15.0.170.159",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:59 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.164.159",
                    "version": "5.15.0.164.159"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.170.159",
                    "version": "5.15.0.170.159"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-170",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "5.15.0.170.159",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:59 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.164.159",
                    "version": "5.15.0.164.159"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "5.15.0.170.159",
                    "version": "5.15.0.170.159"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.15.0-170",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "5.15.0.170.159",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:59 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "locales",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.11",
                    "version": "2.35-0ubuntu3.11"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.35-0ubuntu3.13",
                    "version": "2.35-0ubuntu3.13"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2089789
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: use-after-free in wordexp_t fields",
                            "    - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields",
                            "      with WRDE_REUSE",
                            "    - CVE-2025-15281",
                            "  * SECURITY UPDATE: integer overflow in memalign",
                            "    - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment",
                            "      overflow check",
                            "    - CVE-2026-0861",
                            "  * SECURITY UPDATE: memory leak in NSS DNS",
                            "    - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for",
                            "      getnetbyaddr",
                            "    - CVE-2026-0915",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.13",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nishit Majithia <nishit.majithia@canonical.com>",
                        "date": "Fri, 30 Jan 2026 13:50:56 +0530"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2089789-*.patch: fix malloc performance regression (LP: #2089789)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.35-0ubuntu3.12",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2089789
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Tue, 15 Jul 2025 11:40:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssl",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.20",
                    "version": "3.0.2-0ubuntu1.20"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.0.2-0ubuntu1.21",
                    "version": "3.0.2-0ubuntu1.21"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15467",
                        "url": "https://ubuntu.com/security/CVE-2025-15467",
                        "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. \nApplications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68160",
                        "url": "https://ubuntu.com/security/CVE-2025-68160",
                        "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. \nFor that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69418",
                        "url": "https://ubuntu.com/security/CVE-2025-69418",
                        "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69419",
                        "url": "https://ubuntu.com/security/CVE-2025-69419",
                        "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. \nImpact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69420",
                        "url": "https://ubuntu.com/security/CVE-2025-69420",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69421",
                        "url": "https://ubuntu.com/security/CVE-2025-69421",
                        "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2279",
                        "url": "https://ubuntu.com/security/CVE-2026-2279",
                        "cve_description": "",
                        "cve_priority": "n/a",
                        "cve_public_date": ""
                    },
                    {
                        "cve": "CVE-2026-22795",
                        "url": "https://ubuntu.com/security/CVE-2026-22795",
                        "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22796",
                        "url": "https://ubuntu.com/security/CVE-2026-22796",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15467",
                                "url": "https://ubuntu.com/security/CVE-2025-15467",
                                "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68160",
                                "url": "https://ubuntu.com/security/CVE-2025-68160",
                                "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69418",
                                "url": "https://ubuntu.com/security/CVE-2025-69418",
                                "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.  Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.  The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.  However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69419",
                                "url": "https://ubuntu.com/security/CVE-2025-69419",
                                "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69420",
                                "url": "https://ubuntu.com/security/CVE-2025-69420",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69421",
                                "url": "https://ubuntu.com/security/CVE-2025-69421",
                                "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2279",
                                "url": "https://ubuntu.com/security/CVE-2026-2279",
                                "cve_description": "",
                                "cve_priority": "n/a",
                                "cve_public_date": ""
                            },
                            {
                                "cve": "CVE-2026-22795",
                                "url": "https://ubuntu.com/security/CVE-2026-22795",
                                "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22796",
                                "url": "https://ubuntu.com/security/CVE-2026-22796",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing",
                            "    - debian/patches/CVE-2025-15467-1.patch: correct handling of",
                            "      AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.",
                            "    - debian/patches/CVE-2025-15467-2.patch: some comments to clarify",
                            "      functions usage in crypto/asn1/evp_asn1.c.",
                            "    - debian/patches/CVE-2025-15467-3.patch: test for handling of",
                            "      AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c,",
                            "      test/recipes/80-test_cmsapi.t,",
                            "      test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.",
                            "    - CVE-2025-15467",
                            "  * SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short",
                            "    writes",
                            "    - debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in",
                            "      BIO_f_linebuffer in crypto/bio/bf_lbuf.c.",
                            "    - CVE-2025-68160",
                            "  * SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with",
                            "    low-level OCB function calls",
                            "    - debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path",
                            "      unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.",
                            "    - CVE-2025-69418",
                            "  * SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8",
                            "    conversion",
                            "    - debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc",
                            "      in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.",
                            "    - CVE-2025-69419",
                            "  * SECURITY UPDATE: Missing ASN1_TYPE validation in",
                            "    TS_RESP_verify_response() function",
                            "    - debian/patches/CVE-2025-69420.patch: verify ASN1 object's types",
                            "      before attempting to access them as a particular type in",
                            "      crypto/ts/ts_rsp_verify.c.",
                            "    - CVE-2025-69420",
                            "  * SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex",
                            "    - debian/patches/CVE-2025-69421.patch: add NULL check in",
                            "      crypto/pkcs12/p12_decr.c.",
                            "    - CVE-2025-69421",
                            "  * SECURITY UPDATE: ASN1_TYPE missing validation and type confusion",
                            "    - debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked",
                            "      before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c,",
                            "      crypto/pkcs7/pk7_doit.c.",
                            "    - CVE-2026-22795",
                            "    - CVE-2026-22796",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.0.2-0ubuntu1.21",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 26 Jan 2026 07:32:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-pyasn1",
                "from_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.4.8-1",
                    "version": "0.4.8-1"
                },
                "to_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.4.8-1ubuntu0.1",
                    "version": "0.4.8-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23490",
                        "url": "https://ubuntu.com/security/CVE-2026-23490",
                        "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-16 19:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23490",
                                "url": "https://ubuntu.com/security/CVE-2026-23490",
                                "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-16 19:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: memory exhaustion from malformed RELATIVE-OID",
                            "    - debian/patches/CVE-2026-23490.patch: add limit of 20 continuation",
                            "      octets per OID arc in pyasn1/codec/ber/decoder.py,",
                            "      tests/codec/ber/test_decoder.py.",
                            "    - CVE-2026-23490",
                            ""
                        ],
                        "package": "pyasn1",
                        "version": "0.4.8-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 20 Jan 2026 12:25:32 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.13",
                    "version": "3.10.12-1~22.04.13"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.14",
                    "version": "3.10.12-1~22.04.14"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-12084",
                        "url": "https://ubuntu.com/security/CVE-2025-12084",
                        "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-13837",
                        "url": "https://ubuntu.com/security/CVE-2025-13837",
                        "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-01 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15366",
                        "url": "https://ubuntu.com/security/CVE-2025-15366",
                        "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15367",
                        "url": "https://ubuntu.com/security/CVE-2025-15367",
                        "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-12084",
                                "url": "https://ubuntu.com/security/CVE-2025-12084",
                                "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-13837",
                                "url": "https://ubuntu.com/security/CVE-2025-13837",
                                "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-01 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15366",
                                "url": "https://ubuntu.com/security/CVE-2025-15366",
                                "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15367",
                                "url": "https://ubuntu.com/security/CVE-2025-15367",
                                "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Header injection in email messages where addresses are not",
                            "    sanitized.",
                            "    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash",
                            "      in Lib/email/_header_value_parser.py. Add test in",
                            "      Lib/test/test_email/test__header_value_parser.py.",
                            "    - CVE-2025-11468",
                            "  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML",
                            "    documents.",
                            "    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace",
                            "      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument",
                            "      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.",
                            "    - CVE-2025-12084",
                            "  * SECURITY UPDATE: OOM and denial of service when opening malicious plist",
                            "    file.",
                            "    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read",
                            "      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.",
                            "    - CVE-2025-13837",
                            "  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.",
                            "    - debian/patches/CVE-2025-15282.patch: Add control character checks in",
                            "      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    imaplib.",
                            "    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in",
                            "      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    poplib.",
                            "    - debian/patches/CVE-2025-15367.patch: Add control character regex check",
                            "      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.",
                            "    - CVE-2025-15367",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.",
                            "    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and",
                            "      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-0672",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled headers and",
                            "    values with newlines.",
                            "    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in",
                            "      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and",
                            "      Lib/test/test_wsgiref.py.",
                            "    - CVE-2026-0865",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.14",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 26 Jan 2026 11:25:28 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10-minimal",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.13",
                    "version": "3.10.12-1~22.04.13"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.14",
                    "version": "3.10.12-1~22.04.14"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-12084",
                        "url": "https://ubuntu.com/security/CVE-2025-12084",
                        "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-13837",
                        "url": "https://ubuntu.com/security/CVE-2025-13837",
                        "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-01 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15366",
                        "url": "https://ubuntu.com/security/CVE-2025-15366",
                        "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15367",
                        "url": "https://ubuntu.com/security/CVE-2025-15367",
                        "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-12084",
                                "url": "https://ubuntu.com/security/CVE-2025-12084",
                                "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-13837",
                                "url": "https://ubuntu.com/security/CVE-2025-13837",
                                "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-01 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15366",
                                "url": "https://ubuntu.com/security/CVE-2025-15366",
                                "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15367",
                                "url": "https://ubuntu.com/security/CVE-2025-15367",
                                "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines, when passed to wsgiref.headers, can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Header injection in email messages where addresses are not",
                            "    sanitized.",
                            "    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash",
                            "      in Lib/email/_header_value_parser.py. Add test in",
                            "      Lib/test/test_email/test__header_value_parser.py.",
                            "    - CVE-2025-11468",
                            "  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML",
                            "    documents.",
                            "    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace",
                            "      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument",
                            "      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.",
                            "    - CVE-2025-12084",
                            "  * SECURITY UPDATE: OOM and denial of service when opening malicious plist",
                            "    file.",
                            "    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read",
                            "      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.",
                            "    - CVE-2025-13837",
                            "  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.",
                            "    - debian/patches/CVE-2025-15282.patch: Add control character checks in",
                            "      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    imaplib.",
                            "    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in",
                            "      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.",
                            "  * SECURITY UPDATE: Command injection through user controlled commands in",
                            "    poplib.",
                            "    - debian/patches/CVE-2025-15367.patch: Add control character regex check",
                            "      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.",
                            "    - CVE-2025-15367",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.",
                            "    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and",
                            "      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-0672",
                            "  * SECURITY UPDATE: HTTP header injection in user controlled headers and",
                            "    values with newlines.",
                            "    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in",
                            "      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and",
                            "      Lib/test/test_wsgiref.py.",
                            "    - CVE-2026-0865",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.14",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 26 Jan 2026 11:25:28 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "screen",
                "from_version": {
                    "source_package_name": "screen",
                    "source_package_version": "4.9.0-1",
                    "version": "4.9.0-1"
                },
                "to_version": {
                    "source_package_name": "screen",
                    "source_package_version": "4.9.0-1ubuntu0.1",
                    "version": "4.9.0-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-24626",
                        "url": "https://ubuntu.com/security/CVE-2023-24626",
                        "cve_description": "socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.",
                        "cve_priority": "low",
                        "cve_public_date": "2023-04-08 05:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-46802",
                        "url": "https://ubuntu.com/security/CVE-2025-46802",
                        "cve_description": "For a short time the PTY is set to mode 0666 (world-readable and world-writable), allowing any user on the system to connect to the screen session.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-26 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-46804",
                        "url": "https://ubuntu.com/security/CVE-2025-46804",
                        "cve_description": "A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-05-26 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-46805",
                        "url": "https://ubuntu.com/security/CVE-2025-46805",
                        "cve_description": "Screen version 5.0.0 and older version 4 releases have a TOCTOU race that potentially allows sending SIGHUP or SIGCONT to privileged processes when Screen is installed setuid-root.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-05-26 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-24626",
                                "url": "https://ubuntu.com/security/CVE-2023-24626",
                                "cve_description": "socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.",
                                "cve_priority": "low",
                                "cve_public_date": "2023-04-08 05:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-46802",
                                "url": "https://ubuntu.com/security/CVE-2025-46802",
                                "cve_description": "For a short time the PTY is set to mode 0666 (world-readable and world-writable), allowing any user on the system to connect to the screen session.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-26 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-46804",
                                "url": "https://ubuntu.com/security/CVE-2025-46804",
                                "cve_description": "A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-05-26 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-46805",
                                "url": "https://ubuntu.com/security/CVE-2025-46805",
                                "cve_description": "Screen version 5.0.0 and older version 4 releases have a TOCTOU race that potentially allows sending SIGHUP or SIGCONT to privileged processes when Screen is installed setuid-root.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-05-26 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: can send privileged SIGHUP signals to any process",
                            "    - debian/patches/CVE-2023-24626.patch: fix missing signal sending",
                            "      permission check on failed query messages in socket.c.",
                            "    - CVE-2023-24626",
                            "  * SECURITY UPDATE: incorrect PTY permissions",
                            "    - debian/patches/CVE-2025-46802.patch: prevent temporary 0666 mode on",
                            "      PTYs in attacher.c, screen.c.",
                            "    - CVE-2025-46802",
                            "  * SECURITY UPDATE: minor information leak",
                            "    - debian/patches/CVE-2025-46804.patch: avoid file existence test",
                            "      information leaks in screen.c, socket.c.",
                            "    - CVE-2025-46804",
                            "  * SECURITY UPDATE: TOCTOU allowing to send SIGHUP, SIGCONT",
                            "    - debian/patches/CVE-2025-46805.patch: don't send signals with root",
                            "      privileges in socket.c.",
                            "    - CVE-2025-46805",
                            ""
                        ],
                        "package": "screen",
                        "version": "4.9.0-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 15:14:32 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-minimal",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.4",
                    "version": "1.481.4"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.5",
                    "version": "1.481.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2136341
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added wsl-pro-service to wsl-recommends [amd64 arm64] (LP: #2136341)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.481.5",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2136341
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Tue, 16 Dec 2025 10:38:12 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-server",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.4",
                    "version": "1.481.4"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.5",
                    "version": "1.481.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2136341
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added wsl-pro-service to wsl-recommends [amd64 arm64] (LP: #2136341)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.481.5",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2136341
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Tue, 16 Dec 2025 10:38:12 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-standard",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.4",
                    "version": "1.481.4"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.481.5",
                    "version": "1.481.5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2136341
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added wsl-pro-service to wsl-recommends [amd64 arm64] (LP: #2136341)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.481.5",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2136341
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Tue, 16 Dec 2025 10:38:12 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-5.15.0-170",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-170.180",
                    "version": "5.15.0-170.180"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40215",
                        "url": "https://ubuntu.com/security/CVE-2025-40215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38248",
                        "url": "https://ubuntu.com/security/CVE-2025-38248",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. \nWhen per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  \n[1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-09 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40178",
                        "url": "https://ubuntu.com/security/CVE-2025-40178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... 
\t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40134",
                        "url": "https://ubuntu.com/security/CVE-2025-40134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40042",
                        "url": "https://ubuntu.com/security/CVE-2025-40042",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40120",
                        "url": "https://ubuntu.com/security/CVE-2025-40120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40200",
                        "url": "https://ubuntu.com/security/CVE-2025-40200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  Syzkaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40026",
                        "url": "https://ubuntu.com/security/CVE-2025-40026",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40179",
                        "url": "https://ubuntu.com/security/CVE-2025-40179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40204",
                        "url": "https://ubuntu.com/security/CVE-2025-40204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40188",
                        "url": "https://ubuntu.com/security/CVE-2025-40188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40194",
                        "url": "https://ubuntu.com/security/CVE-2025-40194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40205",
                        "url": "https://ubuntu.com/security/CVE-2025-40205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40183",
                        "url": "https://ubuntu.com/security/CVE-2025-40183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40187",
                        "url": "https://ubuntu.com/security/CVE-2025-40187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40111",
                        "url": "https://ubuntu.com/security/CVE-2025-40111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40001",
                        "url": "https://ubuntu.com/security/CVE-2025-40001",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-18 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40029",
                        "url": "https://ubuntu.com/security/CVE-2025-40029",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40030",
                        "url": "https://ubuntu.com/security/CVE-2025-40030",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40035",
                        "url": "https://ubuntu.com/security/CVE-2025-40035",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40153",
                        "url": "https://ubuntu.com/security/CVE-2025-40153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should be not MTE specific.  The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40043",
                        "url": "https://ubuntu.com/security/CVE-2025-40043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40044",
                        "url": "https://ubuntu.com/security/CVE-2025-40044",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40048",
                        "url": "https://ubuntu.com/security/CVE-2025-40048",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace control the interrupt mask by writing 0/1 to /dev/uioX.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40049",
                        "url": "https://ubuntu.com/security/CVE-2025-40049",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40053",
                        "url": "https://ubuntu.com/security/CVE-2025-40053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40055",
                        "url": "https://ubuntu.com/security/CVE-2025-40055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40127",
                        "url": "https://ubuntu.com/security/CVE-2025-40127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40140",
                        "url": "https://ubuntu.com/security/CVE-2025-40140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40115",
                        "url": "https://ubuntu.com/security/CVE-2025-40115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848]  <TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40060",
                        "url": "https://ubuntu.com/security/CVE-2025-40060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can properly handle the failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40112",
                        "url": "https://ubuntu.com/security/CVE-2025-40112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40124",
                        "url": "https://ubuntu.com/security/CVE-2025-40124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40126",
                        "url": "https://ubuntu.com/security/CVE-2025-40126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40068",
                        "url": "https://ubuntu.com/security/CVE-2025-40068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40121",
                        "url": "https://ubuntu.com/security/CVE-2025-40121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40154",
                        "url": "https://ubuntu.com/security/CVE-2025-40154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40070",
                        "url": "https://ubuntu.com/security/CVE-2025-40070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.  Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40118",
                        "url": "https://ubuntu.com/security/CVE-2025-40118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40116",
                        "url": "https://ubuntu.com/security/CVE-2025-40116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40078",
                        "url": "https://ubuntu.com/security/CVE-2025-40078",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40171",
                        "url": "https://ubuntu.com/security/CVE-2025-40171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40125",
                        "url": "https://ubuntu.com/security/CVE-2025-40125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobjct_del() was called unconditionally even if sysfs creation failed. Fix it by checkig the kobject creation statusbefore deleting it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40081",
                        "url": "https://ubuntu.com/security/CVE-2025-40081",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40027",
                        "url": "https://ubuntu.com/security/CVE-2025-40027",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     
// start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40109",
                        "url": "https://ubuntu.com/security/CVE-2025-40109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-09 05:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58011",
                        "url": "https://ubuntu.com/security/CVE-2024-58011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 03:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39995",
                        "url": "https://ubuntu.com/security/CVE-2025-39995",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39994",
                        "url": "https://ubuntu.com/security/CVE-2025-39994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-22058",
                        "url": "https://ubuntu.com/security/CVE-2025-22058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39996",
                        "url": "https://ubuntu.com/security/CVE-2025-39996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39998",
                        "url": "https://ubuntu.com/security/CVE-2025-39998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error.  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53090",
                        "url": "https://ubuntu.com/security/CVE-2024-53090",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-21 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-56538",
                        "url": "https://ubuntu.com/security/CVE-2024-56538",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53114",
                        "url": "https://ubuntu.com/security/CVE-2024-53114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-02 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38584",
                        "url": "https://ubuntu.com/security/CVE-2025-38584",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38561",
                        "url": "https://ubuntu.com/security/CVE-2025-38561",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137825,
                    2136820,
                    2136734,
                    2065369,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2131046,
                    2130553,
                    2121257,
                    2127866,
                    2128729
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40215",
                                "url": "https://ubuntu.com/security/CVE-2025-40215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38248",
                                "url": "https://ubuntu.com/security/CVE-2025-38248",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-09 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40178",
                                "url": "https://ubuntu.com/security/CVE-2025-40178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... \t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40134",
                                "url": "https://ubuntu.com/security/CVE-2025-40134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40042",
                                "url": "https://ubuntu.com/security/CVE-2025-40042",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40120",
                                "url": "https://ubuntu.com/security/CVE-2025-40120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40200",
                                "url": "https://ubuntu.com/security/CVE-2025-40200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  Syskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40026",
                                "url": "https://ubuntu.com/security/CVE-2025-40026",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40179",
                                "url": "https://ubuntu.com/security/CVE-2025-40179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40204",
                                "url": "https://ubuntu.com/security/CVE-2025-40204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40188",
                                "url": "https://ubuntu.com/security/CVE-2025-40188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40194",
                                "url": "https://ubuntu.com/security/CVE-2025-40194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40205",
                                "url": "https://ubuntu.com/security/CVE-2025-40205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40183",
                                "url": "https://ubuntu.com/security/CVE-2025-40183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40187",
                                "url": "https://ubuntu.com/security/CVE-2025-40187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40111",
                                "url": "https://ubuntu.com/security/CVE-2025-40111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40001",
                                "url": "https://ubuntu.com/security/CVE-2025-40001",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-18 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40029",
                                "url": "https://ubuntu.com/security/CVE-2025-40029",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40030",
                                "url": "https://ubuntu.com/security/CVE-2025-40030",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40035",
                                "url": "https://ubuntu.com/security/CVE-2025-40035",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40153",
                                "url": "https://ubuntu.com/security/CVE-2025-40153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should not be MTE specific.  The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40043",
                                "url": "https://ubuntu.com/security/CVE-2025-40043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40044",
                                "url": "https://ubuntu.com/security/CVE-2025-40044",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40048",
                                "url": "https://ubuntu.com/security/CVE-2025-40048",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace to control the interrupt mask by writing 0/1 to /dev/uioX.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40049",
                                "url": "https://ubuntu.com/security/CVE-2025-40049",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40053",
                                "url": "https://ubuntu.com/security/CVE-2025-40053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40055",
                                "url": "https://ubuntu.com/security/CVE-2025-40055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40127",
                                "url": "https://ubuntu.com/security/CVE-2025-40127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40140",
                                "url": "https://ubuntu.com/security/CVE-2025-40140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40115",
                                "url": "https://ubuntu.com/security/CVE-2025-40115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848]  <TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40060",
                                "url": "https://ubuntu.com/security/CVE-2025-40060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can properly handle the failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40112",
                                "url": "https://ubuntu.com/security/CVE-2025-40112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40124",
                                "url": "https://ubuntu.com/security/CVE-2025-40124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40126",
                                "url": "https://ubuntu.com/security/CVE-2025-40126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40068",
                                "url": "https://ubuntu.com/security/CVE-2025-40068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40121",
                                "url": "https://ubuntu.com/security/CVE-2025-40121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40154",
                                "url": "https://ubuntu.com/security/CVE-2025-40154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40070",
                                "url": "https://ubuntu.com/security/CVE-2025-40070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release().  Now the comment is outdated, just remove it.  Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40118",
                                "url": "https://ubuntu.com/security/CVE-2025-40118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40116",
                                "url": "https://ubuntu.com/security/CVE-2025-40116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40078",
                                "url": "https://ubuntu.com/security/CVE-2025-40078",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40171",
                                "url": "https://ubuntu.com/security/CVE-2025-40171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40125",
                                "url": "https://ubuntu.com/security/CVE-2025-40125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40081",
                                "url": "https://ubuntu.com/security/CVE-2025-40081",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40027",
                                "url": "https://ubuntu.com/security/CVE-2025-40027",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     // start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40109",
                                "url": "https://ubuntu.com/security/CVE-2025-40109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-09 05:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58011",
                                "url": "https://ubuntu.com/security/CVE-2024-58011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 03:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39995",
                                "url": "https://ubuntu.com/security/CVE-2025-39995",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39994",
                                "url": "https://ubuntu.com/security/CVE-2025-39994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-22058",
                                "url": "https://ubuntu.com/security/CVE-2025-22058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39996",
                                "url": "https://ubuntu.com/security/CVE-2025-39996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39998",
                                "url": "https://ubuntu.com/security/CVE-2025-39998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error.  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53090",
                                "url": "https://ubuntu.com/security/CVE-2024-53090",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-21 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-56538",
                                "url": "https://ubuntu.com/security/CVE-2024-56538",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53114",
                                "url": "https://ubuntu.com/security/CVE-2024-53114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-02 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38584",
                                "url": "https://ubuntu.com/security/CVE-2025-38584",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38561",
                                "url": "https://ubuntu.com/security/CVE-2025-38561",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)",
                            "",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "",
                            "  * CVE-2025-40215",
                            "    - xfrm: delete x->tunnel as we delete x",
                            "",
                            "  * CVE-2025-38248",
                            "    - bridge: mcast: Fix use-after-free during router port configuration",
                            "",
                            "  * selftests: net: veth: fix compatibility with older ethtool versions",
                            "    (LP: #2136734)",
                            "    - SAUCE: selftests: net: veth: use short form gro for ethtool -K",
                            "    - SAUCE: selftests: net: veth: accept 0 for unsupported combined channels",
                            "",
                            "  * veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp",
                            "    attached - gro flag) (LP: #2065369)",
                            "    - selftests: net: veth: test the ability to independently manipulate GRO",
                            "      and XDP",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182)",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: rc: Directly use ida_free()",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in",
                            "      functions",
                            "    - drm/exynos: exynos7_drm_decon: properly clear channels during bind",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - splice, net: Add a splice_eof op to file-ops and socket-ops",
                            "    - net: tls: wait for async completion on last message",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - net: usb: use eth_hw_addr_set() instead of ether_addr_copy()",
                            "    - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - sched/balancing: Rename newidle_balance() => sched_balance_newidle()",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - PCI/sysfs: Ensure devices are powered for config reads (part 2)",
                            "    - exec: Fix incorrect type for ret",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - net: rtnetlink: add helper to extract msg type's kind",
                            "    - net: rtnetlink: use BIT for flag values",
                            "    - net: netlink: add NLM_F_BULK delete request modifier",
                            "    - net: rtnetlink: add bulk delete support flag",
                            "    - net: add ndo_fdb_del_bulk",
                            "    - net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - iio: imu: inv_icm42600: use = { } instead of memset()",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - PM: runtime: Add new devm functions",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - fuse: allocate ff->release_args only if release is needed",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - PCI: j721e: Enable ACSPCIE Refclk if \"ti,syscon-acspcie-proxy-ctrl\"",
                            "      exists",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - xfs: always warn about deprecated mount options",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - net: rtnetlink: fix module reference count leak issue in",
                            "      rtnetlink_rcv_msg",
                            "    - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()",
                            "    - Linux 5.15.196",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909)",
                            "    - iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support",
                            "    - KVM: arm64: Fix softirq masking in FPSIMD register saving sequence",
                            "    - media: tunner: xc5000: Refactor firmware load",
                            "    - USB: serial: option: add SIMCom 8230C compositions",
                            "    - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188",
                            "    - dm-integrity: limit MAX_TAG_SIZE to 255",
                            "    - perf subcmd: avoid crash in exclude_cmds when excludes is empty",
                            "    - hid: fix I2C read buffer overflow in raw_event() for mcp2221",
                            "    - serial: stm32: allow selecting console when the driver is module",
                            "    - staging: axis-fifo: fix maximum TX packet length check",
                            "    - staging: axis-fifo: flush RX FIFO on read errors",
                            "    - driver core/PM: Set power.no_callbacks along with power.no_pm",
                            "    - minmax: add in_range() macro",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: at91: peripheral: fix return value",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: libsas: Add sas_task_find_rq()",
                            "    - scsi: mvsas: Delete mvs_tag_init()",
                            "    - scsi: mvsas: Use sas_task_find_rq() for tagging",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - s390/cio: unregister the subchannel while purging",
                            "    - drm/vmwgfx: Copy DRM hash-table code into driver",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: free orphan info with kvfree",
                            "    - lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older",
                            "    - ASoC: codecs: wcd934x: Simplify with dev_err_probe",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - media: mc: Clear minor number before put device",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register",
                            "      value",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - locking: Introduce __cleanup() based infrastructure",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - minmax: Introduce {min,max}_array()",
                            "    - minmax: deduplicate __unconst_integer_typeof()",
                            "    - minmax: fix indentation of __cmp_once() and __clamp_once()",
                            "    - minmax: avoid overly complicated constant expressions in VM code",
                            "    - minmax: add a few more MIN_T/MAX_T users",
                            "    - minmax: simplify and clarify min_t()/max_t() implementation",
                            "    - minmax: make generic MIN() and MAX() macros available everywhere",
                            "    - minmax: don't use max() in situations that want a C constant expression",
                            "    - minmax: simplify min()/max()/clamp() implementation",
                            "    - minmax: improve macro expansion and type checking",
                            "    - minmax: fix up min3() and max3() too",
                            "    - minmax.h: add whitespace around operators and after commas",
                            "    - minmax.h: update some comments",
                            "    - minmax.h: reduce the #define expansion of min(), max() and clamp()",
                            "    - minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()",
                            "    - minmax.h: move all the clamp() definitions after the min/max() ones",
                            "    - minmax.h: simplify the variants of clamp()",
                            "    - minmax.h: remove some #defines that are only expanded once",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - media: switch from 'pci_' to 'dma_' API",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - media: pci/ivtv: switch from 'pci_' to 'dma_' API",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - media: pci: ivtv: Add check for DMA map result",
                            "    - mm/slab: make __free(kfree) accept error pointers",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - Linux 5.15.195",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40178",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40134",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40042",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40120",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40200",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40026",
                            "    - KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40179",
                            "    - ext4: verify orphan file size is not too big",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40204",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40188",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40194",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40205",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40183",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40187",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40111",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40001",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40029",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40030",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40035",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40153",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40043",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40044",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40048",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40049",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40053",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40055",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40127",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40140",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40115",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40060",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40112",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40124",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40126",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40068",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40121",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40154",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40070",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40118",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40116",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40078",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40171",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40125",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40081",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40027",
                            "    - net/9p: fix double req put in p9_fd_cancelled",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40109",
                            "    - crypto: rng - Ensure set_ent is always present",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2024-58011",
                            "    - platform/x86: int3472: Check for adev == NULL",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39995",
                            "    - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in",
                            "      probe",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39994",
                            "    - media: tuner: xc5000: Fix use-after-free in xc5000_release",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-22058",
                            "    - udp: Fix memory accounting leak.",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39996",
                            "    - media: b2c2: Fix use-after-free causing by irq_check_work in",
                            "      flexcop_pci_remove",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39998",
                            "    - scsi: target: target_core_configfs: Add length check to avoid buffer",
                            "      overflow",
                            "",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "",
                            "  * Jammy Linux: Introduced Warning with CVE-2024-53090 fix (LP: #2130553)",
                            "    - SAUCE: Remove warning introduced during CVE-2024-53090 fix",
                            "",
                            "  * [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user",
                            "    namespaces (LP: #2121257)",
                            "    - apparmor: shift ouid when mediating hard links in userns",
                            "    - apparmor: shift uid when mediating af_unix in userns",
                            "",
                            "  * Jammy update: v5.15.194 upstream stable release (LP: #2127866)",
                            "    - Revert \"fbdev: Disable sysfb device registration when removing",
                            "      conflicting FBs\"",
                            "    - xfs: short circuit xfs_growfs_data_private() if delta is zero",
                            "    - kunit: kasan_test: disable fortify string checker on kasan_strings()",
                            "      test",
                            "    - mm: introduce and use {pgd,p4d}_populate_kernel()",
                            "    - media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning",
                            "    - media: i2c: imx214: Fix link frequency validation",
                            "    - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
                            "    - tracing: Do not add length to print format in synthetic events",
                            "    - mm/rmap: reject hugetlb folios in folio_make_device_exclusive()",
                            "    - flexfiles/pNFS: fix NULL checks on result of",
                            "      ff_layout_choose_ds_for_read",
                            "    - NFSv4: Don't clear capabilities that won't be reset",
                            "    - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set",
                            "    - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server",
                            "    - tracing: Fix tracing_marker may trigger page fault during",
                            "      preempt_disable",
                            "    - NFSv4/flexfiles: Fix layout merge mirror check.",
                            "    - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to",
                            "      allocate psock->cork.",
                            "    - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code",
                            "    - KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()",
                            "    - KVM: SVM: Set synthesized TSA CPUID flags",
                            "    - EDAC/altera: Delete an inappropriate dma_free_coherent() call",
                            "    - compiler-clang.h: define __SANITIZE_*__ macros only when undefined",
                            "    - ocfs2: fix recursive semaphore deadlock in fiemap call",
                            "    - mtd: rawnand: stm32_fmc2: fix ECC overwrite",
                            "    - fuse: check if copy_file_range() returns larger than requested size",
                            "    - fuse: prevent overflow in copy_file_range return value",
                            "    - libceph: fix invalid accesses to ceph_connection_v1_info",
                            "    - mm/khugepaged: fix the address passed to notifier on testing young",
                            "    - mtd: nand: raw: atmel: Fix comment in timings preparation",
                            "    - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing",
                            "    - mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check",
                            "    - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
                            "    - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk",
                            "      table",
                            "    - tty: hvc_console: Call hvc_kick in hvc_write unconditionally",
                            "    - dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks",
                            "    - USB: serial: option: add Telit Cinterion FN990A w/audio compositions",
                            "    - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions",
                            "    - net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
                            "    - tunnels: reset the GSO metadata before reusing the skb",
                            "    - igb: fix link test skipping when interface is admin down",
                            "    - genirq: Provide new interfaces for affinity hints",
                            "    - i40e: Use irq_update_affinity_hint()",
                            "    - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
                            "    - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when",
                            "      j1939_local_ecu_get() failed",
                            "    - can: j1939: j1939_local_ecu_get(): undo increment when",
                            "      j1939_local_ecu_get() fails",
                            "    - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted",
                            "      SKB",
                            "    - net: hsr: Disable promiscuous mode in offload mode",
                            "    - net: hsr: Add support for MC filtering at the slave device",
                            "    - net: hsr: Add VLAN CTAG filter support",
                            "    - hsr: use rtnl lock when iterating over ports",
                            "    - hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr",
                            "    - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
                            "    - regulator: sy7636a: fix lifecycle of power good gpio",
                            "    - hrtimer: Remove unused function",
                            "    - hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()",
                            "    - hrtimers: Unconditionally update target CPU base after offline timer",
                            "      migration",
                            "    - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
                            "    - phy: tegra: xusb: fix device and OF node leak at probe",
                            "    - phy: ti-pipe3: fix device leak at unbind",
                            "    - soc: qcom: mdt_loader: Deal with zero e_shentsize",
                            "    - drm/amdgpu: fix a memory leak in fence cleanup when unloading",
                            "    - drm/i915/power: fix size for for_each_set_bit() in abox iteration",
                            "    - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison",
                            "      memory",
                            "    - net: hsr: hsr_slave: Fix the promiscuous mode in offload mode",
                            "    - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is",
                            "      not supported",
                            "    - wifi: mac80211: fix incorrect type for ret",
                            "    - pcmcia: omap_cf: Mark driver struct with __refdata to prevent section",
                            "      mismatch",
                            "    - cgroup: split cgroup_destroy_wq into 3 workqueues",
                            "    - um: virtio_uml: Fix use-after-free after put_device in probe",
                            "    - dpaa2-switch: fix buffer pool seeding for control traffic",
                            "    - qed: Don't collect too many protection override GRC elements",
                            "    - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure",
                            "    - i40e: remove redundant memory barrier when cleaning Tx descs",
                            "    - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon port speed set\"",
                            "    - net: liquidio: fix overflow in octeon_init_instr_queue()",
                            "    - cnic: Fix use-after-free bugs in cnic_delete_task",
                            "    - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*",
                            "    - power: supply: bq27xxx: fix error return in case of no bq27000 hdq",
                            "      battery",
                            "    - power: supply: bq27xxx: restrict no-battery detection to bq27000",
                            "    - btrfs: tree-checker: fix the incorrect inode ref size check",
                            "    - mmc: mvsdio: Fix dma_unmap_sg() nents value",
                            "    - KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active",
                            "    - rds: ib: Increment i_fastreg_wrs before bailing out",
                            "    - ASoC: wm8940: Correct typo in control name",
                            "    - ASoC: wm8974: Correct PLL rate rounding",
                            "    - ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error",
                            "      message",
                            "    - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
                            "    - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path",
                            "    - serial: sc16is7xx: fix bug in flow control levels init",
                            "    - xhci: dbc: decouple endpoint allocation from initialization",
                            "    - xhci: dbc: Fix full DbC transfer ring after several reconnects",
                            "    - usb: gadget: dummy_hcd: remove usage of list iterator past the loop body",
                            "    - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels",
                            "    - phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning",
                            "    - phy: Use device_get_match_data()",
                            "    - phy: ti: omap-usb2: fix device leak at unbind",
                            "    - mptcp: set remote_deny_join_id0 on SYN recv",
                            "    - ksmbd: smbdirect: validate data_offset and data_length field of",
                            "      smb_direct_data_transfer",
                            "    - mptcp: propagate shutdown to subflows when possible",
                            "    - net: rfkill: gpio: add DT support",
                            "    - net: rfkill: gpio: Fix crash due to dereferencering uninitialized",
                            "      pointer",
                            "    - ALSA: usb-audio: Fix block comments in mixer_quirks",
                            "    - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks",
                            "    - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks",
                            "    - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks",
                            "    - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks",
                            "    - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5",
                            "    - ALSA: usb-audio: Convert comma to semicolon",
                            "    - ALSA: usb-audio: Fix build with CONFIG_INPUT=n",
                            "    - usb: core: Add 0x prefix to quirks debug output",
                            "    - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions",
                            "    - arm64: dts: imx8mp: Correct thermal sensor index",
                            "    - cpufreq: Initialize cpufreq-based invariance before subsys",
                            "    - can: rcar_can: rcar_can_resume(): fix s2ram with PSCI",
                            "    - bpf: Reject bpf_timer for PREEMPT_RT",
                            "    - can: bittiming: allow TDC{V,O} to be zero and add",
                            "      can_tdc_const::tdc{v,o,f}_min",
                            "    - can: bittiming: replace CAN units with the generic ones from",
                            "      linux/units.h",
                            "    - can: dev: add generic function can_ethtool_op_get_ts_info_hwts()",
                            "    - can: dev: add generic function can_eth_ioctl_hwts()",
                            "    - can: etas_es58x: advertise timestamping capabilities and add ioctl",
                            "      support",
                            "    - can: etas_es58x: sort the includes by alphabetic order",
                            "    - can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: peak_usb: fix shift-out-of-bounds issue",
                            "    - ethernet: rvu-af: Remove slash from the driver name",
                            "    - bnxt_en: correct offset handling for IPv6 destination address",
                            "    - nexthop: Forbid FDB status change while nexthop is in a group",
                            "    - selftests: fib_nexthops: Fix creation of non-FDB nexthops",
                            "    - net: dsa: lantiq_gswip: do also enable or disable cpu port",
                            "    - net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to",
                            "      port_setup()",
                            "    - net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries",
                            "      added to the CPU port",
                            "    - drm/gma500: Fix null dereference in hdmi teardown",
                            "    - i40e: fix idx validation in i40e_validate_queue_map",
                            "    - i40e: fix input validation logic for action_meta",
                            "    - i40e: add max boundary check for VF filters",
                            "    - i40e: add mask to apply valid bits for itr_idx",
                            "    - tracing: dynevent: Add a missing lockdown check on dynevent",
                            "    - fbcon: fix integer overflow in fbcon_do_set_font",
                            "    - fbcon: Fix OOB access in font allocation",
                            "    - af_unix: Don't leave consecutive consumed OOB skbs.",
                            "    - mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()",
                            "    - mm/hugetlb: fix folio is still mapped when deleted",
                            "    - i40e: fix validation of VF state in get resources",
                            "    - i40e: fix idx validation in config queues msg",
                            "    - i40e: increase max descriptors for XL710",
                            "    - i40e: add validation for ring_len param",
                            "    - drm/i915/backlight: Return immediately when scale() finds invalid",
                            "      parameters",
                            "    - Linux 5.15.194",
                            "",
                            "  * CVE-2024-56538",
                            "    - drm: zynqmp_kms: Unplug DRM device before removal",
                            "",
                            "  * CVE-2024-53114",
                            "    - tools headers cpufeatures: Sync with the kernel sources",
                            "    - x86: Fix comment for X86_FEATURE_ZEN",
                            "    - x86/CPU/AMD: Add ZenX generations flags",
                            "    - x86/CPU/AMD: Carve out the erratum 1386 fix",
                            "    - x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function",
                            "    - x86/CPU/AMD: Move erratum 1076 fix into the Zen1 init function",
                            "    - x86/CPU/AMD: Call the spectral chicken in the Zen2 init function",
                            "    - x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()",
                            "    - x86/CPU/AMD: Move Zenbleed check to the Zen2 init function",
                            "    - x86/CPU/AMD: Move the DIV0 bug detection to the Zen1 init function",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1054[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_383[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_400[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1485[]",
                            "    - x86/CPU/AMD: Drop now unused CPU erratum checking function",
                            "    - x86/CPU/AMD: Add X86_FEATURE_ZEN1",
                            "    - tools headers x86 cpufeatures: Sync with the kernel sources to pick TDX,",
                            "      Zen, APIC MSR fence changes",
                            "    - x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load",
                            "    - x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client",
                            "    - x86/cpu/amd: Fix workaround for erratum 1054",
                            "",
                            "  * CVE-2025-38584",
                            "    - padata: Fix pd UAF once and for all",
                            "    - padata: Remove comment for reorder_work",
                            "",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "",
                            "  * Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /",
                            "    Renoir / Rembrandt) (LP: #2128729)",
                            "    - SAUCE: drm/amd/display: Fix incorrect code path taken in",
                            "      amdgpu_dm_atomic_check()",
                            "",
                            "  * CVE-2025-38561",
                            "    - ksmbd: fix Preauh_HashValue race condition",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - selftests: net: use slowwait to stabilize vrf_route_leaking test",
                            ""
                        ],
                        "package": "linux",
                        "version": "5.15.0-170.180",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2137825,
                            2136820,
                            2136734,
                            2065369,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2131046,
                            2130553,
                            2121257,
                            2127866,
                            2128729
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:02 +0300"
                    }
                ],
                "notes": "linux-headers-5.15.0-170 version '5.15.0-170.180' (source package linux version '5.15.0-170.180') was added. linux-headers-5.15.0-170 version '5.15.0-170.180' has the same source package name, linux, as removed package linux-headers-5.15.0-164. As such we can use the source package version of the removed package, '5.15.0-164.174', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-5.15.0-170-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-170.180",
                    "version": "5.15.0-170.180"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40215",
                        "url": "https://ubuntu.com/security/CVE-2025-40215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38248",
                        "url": "https://ubuntu.com/security/CVE-2025-38248",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. 
When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  
[1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-09 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40178",
                        "url": "https://ubuntu.com/security/CVE-2025-40178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... 
\t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40134",
                        "url": "https://ubuntu.com/security/CVE-2025-40134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40042",
                        "url": "https://ubuntu.com/security/CVE-2025-40042",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40120",
                        "url": "https://ubuntu.com/security/CVE-2025-40120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40200",
                        "url": "https://ubuntu.com/security/CVE-2025-40200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  Syzkaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40026",
                        "url": "https://ubuntu.com/security/CVE-2025-40026",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40179",
                        "url": "https://ubuntu.com/security/CVE-2025-40179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40204",
                        "url": "https://ubuntu.com/security/CVE-2025-40204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40188",
                        "url": "https://ubuntu.com/security/CVE-2025-40188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40194",
                        "url": "https://ubuntu.com/security/CVE-2025-40194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40205",
                        "url": "https://ubuntu.com/security/CVE-2025-40205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40183",
                        "url": "https://ubuntu.com/security/CVE-2025-40183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40187",
                        "url": "https://ubuntu.com/security/CVE-2025-40187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40111",
                        "url": "https://ubuntu.com/security/CVE-2025-40111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40001",
                        "url": "https://ubuntu.com/security/CVE-2025-40001",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-18 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40029",
                        "url": "https://ubuntu.com/security/CVE-2025-40029",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40030",
                        "url": "https://ubuntu.com/security/CVE-2025-40030",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40035",
                        "url": "https://ubuntu.com/security/CVE-2025-40035",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40153",
                        "url": "https://ubuntu.com/security/CVE-2025-40153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should be not MTE specific.  
The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40043",
                        "url": "https://ubuntu.com/security/CVE-2025-40043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40044",
                        "url": "https://ubuntu.com/security/CVE-2025-40044",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 
arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40048",
                        "url": "https://ubuntu.com/security/CVE-2025-40048",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. 
Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace control the interrupt mask by writing 0/1 to /dev/uioX.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40049",
                        "url": "https://ubuntu.com/security/CVE-2025-40049",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40053",
                        "url": "https://ubuntu.com/security/CVE-2025-40053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40055",
                        "url": "https://ubuntu.com/security/CVE-2025-40055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40127",
                        "url": "https://ubuntu.com/security/CVE-2025-40127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40140",
                        "url": "https://ubuntu.com/security/CVE-2025-40140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40115",
                        "url": "https://ubuntu.com/security/CVE-2025-40115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848]  
<TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40060",
                        "url": "https://ubuntu.com/security/CVE-2025-40060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows the callers to properly handle the failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40112",
                        "url": "https://ubuntu.com/security/CVE-2025-40112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40124",
                        "url": "https://ubuntu.com/security/CVE-2025-40124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40126",
                        "url": "https://ubuntu.com/security/CVE-2025-40126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40068",
                        "url": "https://ubuntu.com/security/CVE-2025-40068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40121",
                        "url": "https://ubuntu.com/security/CVE-2025-40121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently the bytcr_rt5651 driver just ignores it and leaves it as is, which may lead to unexpected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40154",
                        "url": "https://ubuntu.com/security/CVE-2025-40154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently the bytcr_rt5640 driver only shows an error message but leaves it as is. This may lead to unexpected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40070",
                        "url": "https://ubuntu.com/security/CVE-2025-40070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.  
Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40118",
                        "url": "https://ubuntu.com/security/CVE-2025-40118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40116",
                        "url": "https://ubuntu.com/security/CVE-2025-40116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40078",
                        "url": "https://ubuntu.com/security/CVE-2025-40078",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40171",
                        "url": "https://ubuntu.com/security/CVE-2025-40171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40125",
                        "url": "https://ubuntu.com/security/CVE-2025-40125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40081",
                        "url": "https://ubuntu.com/security/CVE-2025-40081",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40027",
                        "url": "https://ubuntu.com/security/CVE-2025-40027",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     
// start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40109",
                        "url": "https://ubuntu.com/security/CVE-2025-40109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-09 05:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58011",
                        "url": "https://ubuntu.com/security/CVE-2024-58011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 03:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39995",
                        "url": "https://ubuntu.com/security/CVE-2025-39995",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39994",
                        "url": "https://ubuntu.com/security/CVE-2025-39994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-22058",
                        "url": "https://ubuntu.com/security/CVE-2025-22058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39996",
                        "url": "https://ubuntu.com/security/CVE-2025-39996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39998",
                        "url": "https://ubuntu.com/security/CVE-2025-39998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev->dev_group.cg_item) and a newline character, so the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of \"%s/%s\\n\"), this value may exceed the buffer length (256 bytes) passed to memcpy(), and this will ultimately cause memcpy() to report a buffer overflow error.  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53090",
                        "url": "https://ubuntu.com/security/CVE-2024-53090",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-21 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-56538",
                        "url": "https://ubuntu.com/security/CVE-2024-56538",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53114",
                        "url": "https://ubuntu.com/security/CVE-2024-53114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-02 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38584",
                        "url": "https://ubuntu.com/security/CVE-2025-38584",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38561",
                        "url": "https://ubuntu.com/security/CVE-2025-38561",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If a client sends multiple session setup requests to ksmbd, a Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with the session at connection termination phase.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137825,
                    2136820,
                    2136734,
                    2065369,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2131046,
                    2130553,
                    2121257,
                    2127866,
                    2128729
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40215",
                                "url": "https://ubuntu.com/security/CVE-2025-40215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38248",
                                "url": "https://ubuntu.com/security/CVE-2025-38248",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. 
When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  
[1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-09 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40178",
                                "url": "https://ubuntu.com/security/CVE-2025-40178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... 
\t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40134",
                                "url": "https://ubuntu.com/security/CVE-2025-40134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40042",
                                "url": "https://ubuntu.com/security/CVE-2025-40042",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40120",
                                "url": "https://ubuntu.com/security/CVE-2025-40120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40200",
                                "url": "https://ubuntu.com/security/CVE-2025-40200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  Syskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40026",
                                "url": "https://ubuntu.com/security/CVE-2025-40026",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40179",
                                "url": "https://ubuntu.com/security/CVE-2025-40179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40204",
                                "url": "https://ubuntu.com/security/CVE-2025-40204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40188",
                                "url": "https://ubuntu.com/security/CVE-2025-40188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40194",
                                "url": "https://ubuntu.com/security/CVE-2025-40194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40205",
                                "url": "https://ubuntu.com/security/CVE-2025-40205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40183",
                                "url": "https://ubuntu.com/security/CVE-2025-40183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change used the bpf_redirect_neigh() helper to forward packets after their arrival and decap on vxlan; over time it turned out that kmalloc-256 slab usage in the kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released, because bpf_redirect_neigh() merely set the new dst entry via skb_dst_set() without dropping the existing one first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40187",
                                "url": "https://ubuntu.com/security/CVE-2025-40187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind is 0 and sctp_ulpevent_make_authkey() returns 0 (NULL), then the variable ai_ev remains 0 and that null pointer is dereferenced in the sctp_ulpevent_free() function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40111",
                                "url": "https://ubuntu.com/security/CVE-2025-40111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40001",
                                "url": "https://ubuntu.com/security/CVE-2025-40001",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-18 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40029",
                                "url": "https://ubuntu.com/security/CVE-2025-40029",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40030",
                                "url": "https://ubuntu.com/security/CVE-2025-40030",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40035",
                                "url": "https://ubuntu.com/security/CVE-2025-40035",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat and contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40153",
                                "url": "https://ubuntu.com/security/CVE-2025-40153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should be not MTE specific.  
The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40043",
                                "url": "https://ubuntu.com/security/CVE-2025-40043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40044",
                                "url": "https://ubuntu.com/security/CVE-2025-40044",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 
arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40048",
                                "url": "https://ubuntu.com/security/CVE-2025-40048",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. 
Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace control the interrupt mask by writing 0/1 to /dev/uioX.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40049",
                                "url": "https://ubuntu.com/security/CVE-2025-40049",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40053",
                                "url": "https://ubuntu.com/security/CVE-2025-40053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40055",
                                "url": "https://ubuntu.com/security/CVE-2025-40055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40127",
                                "url": "https://ubuntu.com/security/CVE-2025-40127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40140",
                                "url": "https://ubuntu.com/security/CVE-2025-40140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast, being the ndo_set_rx_mode callback, should not be calling netif_stop_queue and netif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast, making it safe to remove these calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40115",
                                "url": "https://ubuntu.com/security/CVE-2025-40115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: 
[83428.295848]  <TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40060",
                                "url": "https://ubuntu.com/security/CVE-2025-40060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows the callers to properly handle the failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40112",
                                "url": "https://ubuntu.com/security/CVE-2025-40112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40124",
                                "url": "https://ubuntu.com/security/CVE-2025-40124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This led to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40126",
                                "url": "https://ubuntu.com/security/CVE-2025-40126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40068",
                                "url": "https://ubuntu.com/security/CVE-2025-40068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40121",
                                "url": "https://ubuntu.com/security/CVE-2025-40121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unepxected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40154",
                                "url": "https://ubuntu.com/security/CVE-2025-40154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unepxected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40070",
                                "url": "https://ubuntu.com/security/CVE-2025-40070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). 
Now the comment is outdated, just remove it.  Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40118",
                                "url": "https://ubuntu.com/security/CVE-2025-40118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40116",
                                "url": "https://ubuntu.com/security/CVE-2025-40116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40078",
                                "url": "https://ubuntu.com/security/CVE-2025-40078",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40171",
                                "url": "https://ubuntu.com/security/CVE-2025-40171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40125",
                                "url": "https://ubuntu.com/security/CVE-2025-40125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobjct_del() was called unconditionally even if sysfs creation failed. Fix it by checkig the kobject creation statusbefore deleting it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40081",
                                "url": "https://ubuntu.com/security/CVE-2025-40081",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40027",
                                "url": "https://ubuntu.com/security/CVE-2025-40027",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     
// start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40109",
                                "url": "https://ubuntu.com/security/CVE-2025-40109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-09 05:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58011",
                                "url": "https://ubuntu.com/security/CVE-2024-58011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 03:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39995",
                                "url": "https://ubuntu.com/security/CVE-2025-39995",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39994",
                                "url": "https://ubuntu.com/security/CVE-2025-39994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-22058",
                                "url": "https://ubuntu.com/security/CVE-2025-22058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39996",
                                "url": "https://ubuntu.com/security/CVE-2025-39996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39998",
                                "url": "https://ubuntu.com/security/CVE-2025-39998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error.  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53090",
                                "url": "https://ubuntu.com/security/CVE-2024-53090",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-21 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-56538",
                                "url": "https://ubuntu.com/security/CVE-2024-56538",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53114",
                                "url": "https://ubuntu.com/security/CVE-2024-53114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-02 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38584",
                                "url": "https://ubuntu.com/security/CVE-2025-38584",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38561",
                                "url": "https://ubuntu.com/security/CVE-2025-38561",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)",
                            "",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "",
                            "  * CVE-2025-40215",
                            "    - xfrm: delete x->tunnel as we delete x",
                            "",
                            "  * CVE-2025-38248",
                            "    - bridge: mcast: Fix use-after-free during router port configuration",
                            "",
                            "  * selftests: net: veth: fix compatibility with older ethtool versions",
                            "    (LP: #2136734)",
                            "    - SAUCE: selftests: net: veth: use short form gro for ethtool -K",
                            "    - SAUCE: selftests: net: veth: accept 0 for unsupported combined channels",
                            "",
                            "  * veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp",
                            "    attached - gro flag) (LP: #2065369)",
                            "    - selftests: net: veth: test the ability to independently manipulate GRO",
                            "      and XDP",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182)",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: rc: Directly use ida_free()",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in",
                            "      functions",
                            "    - drm/exynos: exynos7_drm_decon: properly clear channels during bind",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - splice, net: Add a splice_eof op to file-ops and socket-ops",
                            "    - net: tls: wait for async completion on last message",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - net: usb: use eth_hw_addr_set() instead of ether_addr_copy()",
                            "    - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - sched/balancing: Rename newidle_balance() => sched_balance_newidle()",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - PCI/sysfs: Ensure devices are powered for config reads (part 2)",
                            "    - exec: Fix incorrect type for ret",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - net: rtnetlink: add helper to extract msg type's kind",
                            "    - net: rtnetlink: use BIT for flag values",
                            "    - net: netlink: add NLM_F_BULK delete request modifier",
                            "    - net: rtnetlink: add bulk delete support flag",
                            "    - net: add ndo_fdb_del_bulk",
                            "    - net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - iio: imu: inv_icm42600: use = { } instead of memset()",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - PM: runtime: Add new devm functions",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - fuse: allocate ff->release_args only if release is needed",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - PCI: j721e: Enable ACSPCIE Refclk if \"ti,syscon-acspcie-proxy-ctrl\"",
                            "      exists",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - xfs: always warn about deprecated mount options",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - net: rtnetlink: fix module reference count leak issue in",
                            "      rtnetlink_rcv_msg",
                            "    - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()",
                            "    - Linux 5.15.196",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909)",
                            "    - iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support",
                            "    - KVM: arm64: Fix softirq masking in FPSIMD register saving sequence",
                            "    - media: tunner: xc5000: Refactor firmware load",
                            "    - USB: serial: option: add SIMCom 8230C compositions",
                            "    - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188",
                            "    - dm-integrity: limit MAX_TAG_SIZE to 255",
                            "    - perf subcmd: avoid crash in exclude_cmds when excludes is empty",
                            "    - hid: fix I2C read buffer overflow in raw_event() for mcp2221",
                            "    - serial: stm32: allow selecting console when the driver is module",
                            "    - staging: axis-fifo: fix maximum TX packet length check",
                            "    - staging: axis-fifo: flush RX FIFO on read errors",
                            "    - driver core/PM: Set power.no_callbacks along with power.no_pm",
                            "    - minmax: add in_range() macro",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: at91: peripheral: fix return value",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: libsas: Add sas_task_find_rq()",
                            "    - scsi: mvsas: Delete mvs_tag_init()",
                            "    - scsi: mvsas: Use sas_task_find_rq() for tagging",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - s390/cio: unregister the subchannel while purging",
                            "    - drm/vmwgfx: Copy DRM hash-table code into driver",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: free orphan info with kvfree",
                            "    - lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older",
                            "    - ASoC: codecs: wcd934x: Simplify with dev_err_probe",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - media: mc: Clear minor number before put device",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register",
                            "      value",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - locking: Introduce __cleanup() based infrastructure",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - minmax: Introduce {min,max}_array()",
                            "    - minmax: deduplicate __unconst_integer_typeof()",
                            "    - minmax: fix indentation of __cmp_once() and __clamp_once()",
                            "    - minmax: avoid overly complicated constant expressions in VM code",
                            "    - minmax: add a few more MIN_T/MAX_T users",
                            "    - minmax: simplify and clarify min_t()/max_t() implementation",
                            "    - minmax: make generic MIN() and MAX() macros available everywhere",
                            "    - minmax: don't use max() in situations that want a C constant expression",
                            "    - minmax: simplify min()/max()/clamp() implementation",
                            "    - minmax: improve macro expansion and type checking",
                            "    - minmax: fix up min3() and max3() too",
                            "    - minmax.h: add whitespace around operators and after commas",
                            "    - minmax.h: update some comments",
                            "    - minmax.h: reduce the #define expansion of min(), max() and clamp()",
                            "    - minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()",
                            "    - minmax.h: move all the clamp() definitions after the min/max() ones",
                            "    - minmax.h: simplify the variants of clamp()",
                            "    - minmax.h: remove some #defines that are only expanded once",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - media: switch from 'pci_' to 'dma_' API",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - media: pci/ivtv: switch from 'pci_' to 'dma_' API",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - media: pci: ivtv: Add check for DMA map result",
                            "    - mm/slab: make __free(kfree) accept error pointers",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - Linux 5.15.195",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40178",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40134",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40042",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40120",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40200",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40026",
                            "    - KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40179",
                            "    - ext4: verify orphan file size is not too big",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40204",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40188",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40194",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40205",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40183",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40187",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40111",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40001",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40029",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40030",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40035",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40153",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40043",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40044",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40048",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40049",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40053",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40055",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40127",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40140",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40115",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40060",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40112",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40124",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40126",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40068",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40121",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40154",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40070",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40118",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40116",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40078",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40171",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40125",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40081",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40027",
                            "    - net/9p: fix double req put in p9_fd_cancelled",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40109",
                            "    - crypto: rng - Ensure set_ent is always present",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2024-58011",
                            "    - platform/x86: int3472: Check for adev == NULL",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39995",
                            "    - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in",
                            "      probe",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39994",
                            "    - media: tuner: xc5000: Fix use-after-free in xc5000_release",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-22058",
                            "    - udp: Fix memory accounting leak.",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39996",
                            "    - media: b2c2: Fix use-after-free causing by irq_check_work in",
                            "      flexcop_pci_remove",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39998",
                            "    - scsi: target: target_core_configfs: Add length check to avoid buffer",
                            "      overflow",
                            "",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "",
                            "  * Jammy Linux: Introduced Warning with CVE-2024-53090 fix (LP: #2130553)",
                            "    - SAUCE: Remove warning introduced during CVE-2024-53090 fix",
                            "",
                            "  * [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user",
                            "    namespaces (LP: #2121257)",
                            "    - apparmor: shift ouid when mediating hard links in userns",
                            "    - apparmor: shift uid when mediating af_unix in userns",
                            "",
                            "  * Jammy update: v5.15.194 upstream stable release (LP: #2127866)",
                            "    - Revert \"fbdev: Disable sysfb device registration when removing",
                            "      conflicting FBs\"",
                            "    - xfs: short circuit xfs_growfs_data_private() if delta is zero",
                            "    - kunit: kasan_test: disable fortify string checker on kasan_strings()",
                            "      test",
                            "    - mm: introduce and use {pgd,p4d}_populate_kernel()",
                            "    - media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning",
                            "    - media: i2c: imx214: Fix link frequency validation",
                            "    - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
                            "    - tracing: Do not add length to print format in synthetic events",
                            "    - mm/rmap: reject hugetlb folios in folio_make_device_exclusive()",
                            "    - flexfiles/pNFS: fix NULL checks on result of",
                            "      ff_layout_choose_ds_for_read",
                            "    - NFSv4: Don't clear capabilities that won't be reset",
                            "    - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set",
                            "    - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server",
                            "    - tracing: Fix tracing_marker may trigger page fault during",
                            "      preempt_disable",
                            "    - NFSv4/flexfiles: Fix layout merge mirror check.",
                            "    - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to",
                            "      allocate psock->cork.",
                            "    - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code",
                            "    - KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()",
                            "    - KVM: SVM: Set synthesized TSA CPUID flags",
                            "    - EDAC/altera: Delete an inappropriate dma_free_coherent() call",
                            "    - compiler-clang.h: define __SANITIZE_*__ macros only when undefined",
                            "    - ocfs2: fix recursive semaphore deadlock in fiemap call",
                            "    - mtd: rawnand: stm32_fmc2: fix ECC overwrite",
                            "    - fuse: check if copy_file_range() returns larger than requested size",
                            "    - fuse: prevent overflow in copy_file_range return value",
                            "    - libceph: fix invalid accesses to ceph_connection_v1_info",
                            "    - mm/khugepaged: fix the address passed to notifier on testing young",
                            "    - mtd: nand: raw: atmel: Fix comment in timings preparation",
                            "    - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing",
                            "    - mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check",
                            "    - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
                            "    - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk",
                            "      table",
                            "    - tty: hvc_console: Call hvc_kick in hvc_write unconditionally",
                            "    - dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks",
                            "    - USB: serial: option: add Telit Cinterion FN990A w/audio compositions",
                            "    - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions",
                            "    - net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
                            "    - tunnels: reset the GSO metadata before reusing the skb",
                            "    - igb: fix link test skipping when interface is admin down",
                            "    - genirq: Provide new interfaces for affinity hints",
                            "    - i40e: Use irq_update_affinity_hint()",
                            "    - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
                            "    - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when",
                            "      j1939_local_ecu_get() failed",
                            "    - can: j1939: j1939_local_ecu_get(): undo increment when",
                            "      j1939_local_ecu_get() fails",
                            "    - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted",
                            "      SKB",
                            "    - net: hsr: Disable promiscuous mode in offload mode",
                            "    - net: hsr: Add support for MC filtering at the slave device",
                            "    - net: hsr: Add VLAN CTAG filter support",
                            "    - hsr: use rtnl lock when iterating over ports",
                            "    - hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr",
                            "    - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
                            "    - regulator: sy7636a: fix lifecycle of power good gpio",
                            "    - hrtimer: Remove unused function",
                            "    - hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()",
                            "    - hrtimers: Unconditionally update target CPU base after offline timer",
                            "      migration",
                            "    - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
                            "    - phy: tegra: xusb: fix device and OF node leak at probe",
                            "    - phy: ti-pipe3: fix device leak at unbind",
                            "    - soc: qcom: mdt_loader: Deal with zero e_shentsize",
                            "    - drm/amdgpu: fix a memory leak in fence cleanup when unloading",
                            "    - drm/i915/power: fix size for for_each_set_bit() in abox iteration",
                            "    - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison",
                            "      memory",
                            "    - net: hsr: hsr_slave: Fix the promiscuous mode in offload mode",
                            "    - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is",
                            "      not supported",
                            "    - wifi: mac80211: fix incorrect type for ret",
                            "    - pcmcia: omap_cf: Mark driver struct with __refdata to prevent section",
                            "      mismatch",
                            "    - cgroup: split cgroup_destroy_wq into 3 workqueues",
                            "    - um: virtio_uml: Fix use-after-free after put_device in probe",
                            "    - dpaa2-switch: fix buffer pool seeding for control traffic",
                            "    - qed: Don't collect too many protection override GRC elements",
                            "    - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure",
                            "    - i40e: remove redundant memory barrier when cleaning Tx descs",
                            "    - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon port speed set\"",
                            "    - net: liquidio: fix overflow in octeon_init_instr_queue()",
                            "    - cnic: Fix use-after-free bugs in cnic_delete_task",
                            "    - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*",
                            "    - power: supply: bq27xxx: fix error return in case of no bq27000 hdq",
                            "      battery",
                            "    - power: supply: bq27xxx: restrict no-battery detection to bq27000",
                            "    - btrfs: tree-checker: fix the incorrect inode ref size check",
                            "    - mmc: mvsdio: Fix dma_unmap_sg() nents value",
                            "    - KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active",
                            "    - rds: ib: Increment i_fastreg_wrs before bailing out",
                            "    - ASoC: wm8940: Correct typo in control name",
                            "    - ASoC: wm8974: Correct PLL rate rounding",
                            "    - ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error",
                            "      message",
                            "    - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
                            "    - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path",
                            "    - serial: sc16is7xx: fix bug in flow control levels init",
                            "    - xhci: dbc: decouple endpoint allocation from initialization",
                            "    - xhci: dbc: Fix full DbC transfer ring after several reconnects",
                            "    - usb: gadget: dummy_hcd: remove usage of list iterator past the loop body",
                            "    - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels",
                            "    - phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning",
                            "    - phy: Use device_get_match_data()",
                            "    - phy: ti: omap-usb2: fix device leak at unbind",
                            "    - mptcp: set remote_deny_join_id0 on SYN recv",
                            "    - ksmbd: smbdirect: validate data_offset and data_length field of",
                            "      smb_direct_data_transfer",
                            "    - mptcp: propagate shutdown to subflows when possible",
                            "    - net: rfkill: gpio: add DT support",
                            "    - net: rfkill: gpio: Fix crash due to dereferencering uninitialized",
                            "      pointer",
                            "    - ALSA: usb-audio: Fix block comments in mixer_quirks",
                            "    - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks",
                            "    - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks",
                            "    - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks",
                            "    - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks",
                            "    - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5",
                            "    - ALSA: usb-audio: Convert comma to semicolon",
                            "    - ALSA: usb-audio: Fix build with CONFIG_INPUT=n",
                            "    - usb: core: Add 0x prefix to quirks debug output",
                            "    - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions",
                            "    - arm64: dts: imx8mp: Correct thermal sensor index",
                            "    - cpufreq: Initialize cpufreq-based invariance before subsys",
                            "    - can: rcar_can: rcar_can_resume(): fix s2ram with PSCI",
                            "    - bpf: Reject bpf_timer for PREEMPT_RT",
                            "    - can: bittiming: allow TDC{V,O} to be zero and add",
                            "      can_tdc_const::tdc{v,o,f}_min",
                            "    - can: bittiming: replace CAN units with the generic ones from",
                            "      linux/units.h",
                            "    - can: dev: add generic function can_ethtool_op_get_ts_info_hwts()",
                            "    - can: dev: add generic function can_eth_ioctl_hwts()",
                            "    - can: etas_es58x: advertise timestamping capabilities and add ioctl",
                            "      support",
                            "    - can: etas_es58x: sort the includes by alphabetic order",
                            "    - can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: peak_usb: fix shift-out-of-bounds issue",
                            "    - ethernet: rvu-af: Remove slash from the driver name",
                            "    - bnxt_en: correct offset handling for IPv6 destination address",
                            "    - nexthop: Forbid FDB status change while nexthop is in a group",
                            "    - selftests: fib_nexthops: Fix creation of non-FDB nexthops",
                            "    - net: dsa: lantiq_gswip: do also enable or disable cpu port",
                            "    - net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to",
                            "      port_setup()",
                            "    - net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries",
                            "      added to the CPU port",
                            "    - drm/gma500: Fix null dereference in hdmi teardown",
                            "    - i40e: fix idx validation in i40e_validate_queue_map",
                            "    - i40e: fix input validation logic for action_meta",
                            "    - i40e: add max boundary check for VF filters",
                            "    - i40e: add mask to apply valid bits for itr_idx",
                            "    - tracing: dynevent: Add a missing lockdown check on dynevent",
                            "    - fbcon: fix integer overflow in fbcon_do_set_font",
                            "    - fbcon: Fix OOB access in font allocation",
                            "    - af_unix: Don't leave consecutive consumed OOB skbs.",
                            "    - mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()",
                            "    - mm/hugetlb: fix folio is still mapped when deleted",
                            "    - i40e: fix validation of VF state in get resources",
                            "    - i40e: fix idx validation in config queues msg",
                            "    - i40e: increase max descriptors for XL710",
                            "    - i40e: add validation for ring_len param",
                            "    - drm/i915/backlight: Return immediately when scale() finds invalid",
                            "      parameters",
                            "    - Linux 5.15.194",
                            "",
                            "  * CVE-2024-56538",
                            "    - drm: zynqmp_kms: Unplug DRM device before removal",
                            "",
                            "  * CVE-2024-53114",
                            "    - tools headers cpufeatures: Sync with the kernel sources",
                            "    - x86: Fix comment for X86_FEATURE_ZEN",
                            "    - x86/CPU/AMD: Add ZenX generations flags",
                            "    - x86/CPU/AMD: Carve out the erratum 1386 fix",
                            "    - x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function",
                            "    - x86/CPU/AMD: Move erratum 1076 fix into the Zen1 init function",
                            "    - x86/CPU/AMD: Call the spectral chicken in the Zen2 init function",
                            "    - x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()",
                            "    - x86/CPU/AMD: Move Zenbleed check to the Zen2 init function",
                            "    - x86/CPU/AMD: Move the DIV0 bug detection to the Zen1 init function",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1054[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_383[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_400[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1485[]",
                            "    - x86/CPU/AMD: Drop now unused CPU erratum checking function",
                            "    - x86/CPU/AMD: Add X86_FEATURE_ZEN1",
                            "    - tools headers x86 cpufeatures: Sync with the kernel sources to pick TDX,",
                            "      Zen, APIC MSR fence changes",
                            "    - x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load",
                            "    - x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client",
                            "    - x86/cpu/amd: Fix workaround for erratum 1054",
                            "",
                            "  * CVE-2025-38584",
                            "    - padata: Fix pd UAF once and for all",
                            "    - padata: Remove comment for reorder_work",
                            "",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "",
                            "  * Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /",
                            "    Renoir / Rembrandt) (LP: #2128729)",
                            "    - SAUCE: drm/amd/display: Fix incorrect code path taken in",
                            "      amdgpu_dm_atomic_check()",
                            "",
                            "  * CVE-2025-38561",
                            "    - ksmbd: fix Preauh_HashValue race condition",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - selftests: net: use slowwait to stabilize vrf_route_leaking test",
                            ""
                        ],
                        "package": "linux",
                        "version": "5.15.0-170.180",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2137825,
                            2136820,
                            2136734,
                            2065369,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2131046,
                            2130553,
                            2121257,
                            2127866,
                            2128729
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:02 +0300"
                    }
                ],
                "notes": "linux-headers-5.15.0-170-generic version '5.15.0-170.180' (source package linux version '5.15.0-170.180') was added. linux-headers-5.15.0-170-generic version '5.15.0-170.180' has the same source package name, linux, as removed package linux-headers-5.15.0-164. As such we can use the source package version of the removed package, '5.15.0-164.174', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-5.15.0-170-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "5.15.0-164.174",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "5.15.0-170.180",
                    "version": "5.15.0-170.180"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 5.15.0-170.180",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "5.15.0-170.180",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:52:25 +0300"
                    }
                ],
                "notes": "linux-image-5.15.0-170-generic version '5.15.0-170.180' (source package linux-signed version '5.15.0-170.180') was added. linux-image-5.15.0-170-generic version '5.15.0-170.180' has the same source package name, linux-signed, as removed package linux-image-5.15.0-164-generic. As such we can use the source package version of the removed package, '5.15.0-164.174', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-5.15.0-170-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-170.180",
                    "version": "5.15.0-170.180"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40215",
                        "url": "https://ubuntu.com/security/CVE-2025-40215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38248",
                        "url": "https://ubuntu.com/security/CVE-2025-38248",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-09 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40178",
                        "url": "https://ubuntu.com/security/CVE-2025-40178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... 
\t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40134",
                        "url": "https://ubuntu.com/security/CVE-2025-40134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40042",
                        "url": "https://ubuntu.com/security/CVE-2025-40042",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40120",
                        "url": "https://ubuntu.com/security/CVE-2025-40120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40200",
                        "url": "https://ubuntu.com/security/CVE-2025-40200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  Syzkaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40026",
                        "url": "https://ubuntu.com/security/CVE-2025-40026",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40179",
                        "url": "https://ubuntu.com/security/CVE-2025-40179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40204",
                        "url": "https://ubuntu.com/security/CVE-2025-40204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40188",
                        "url": "https://ubuntu.com/security/CVE-2025-40188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40194",
                        "url": "https://ubuntu.com/security/CVE-2025-40194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40205",
                        "url": "https://ubuntu.com/security/CVE-2025-40205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40183",
                        "url": "https://ubuntu.com/security/CVE-2025-40183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40187",
                        "url": "https://ubuntu.com/security/CVE-2025-40187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40111",
                        "url": "https://ubuntu.com/security/CVE-2025-40111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40001",
                        "url": "https://ubuntu.com/security/CVE-2025-40001",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-18 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40029",
                        "url": "https://ubuntu.com/security/CVE-2025-40029",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40030",
                        "url": "https://ubuntu.com/security/CVE-2025-40030",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40035",
                        "url": "https://ubuntu.com/security/CVE-2025-40035",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, and contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40153",
                        "url": "https://ubuntu.com/security/CVE-2025-40153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should be not MTE specific.  The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40043",
                        "url": "https://ubuntu.com/security/CVE-2025-40043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40044",
                        "url": "https://ubuntu.com/security/CVE-2025-40044",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40048",
                        "url": "https://ubuntu.com/security/CVE-2025-40048",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace control the interrupt mask by writing 0/1 to /dev/uioX.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40049",
                        "url": "https://ubuntu.com/security/CVE-2025-40049",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40053",
                        "url": "https://ubuntu.com/security/CVE-2025-40053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40055",
                        "url": "https://ubuntu.com/security/CVE-2025-40055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40127",
                        "url": "https://ubuntu.com/security/CVE-2025-40127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40140",
                        "url": "https://ubuntu.com/security/CVE-2025-40140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40115",
                        "url": "https://ubuntu.com/security/CVE-2025-40115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848]  <TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40060",
                        "url": "https://ubuntu.com/security/CVE-2025-40060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can properly handle the failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40112",
                        "url": "https://ubuntu.com/security/CVE-2025-40112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40124",
                        "url": "https://ubuntu.com/security/CVE-2025-40124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This lead to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40126",
                        "url": "https://ubuntu.com/security/CVE-2025-40126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40068",
                        "url": "https://ubuntu.com/security/CVE-2025-40068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40121",
                        "url": "https://ubuntu.com/security/CVE-2025-40121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40154",
                        "url": "https://ubuntu.com/security/CVE-2025-40154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40070",
                        "url": "https://ubuntu.com/security/CVE-2025-40070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.  Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40118",
                        "url": "https://ubuntu.com/security/CVE-2025-40118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40116",
                        "url": "https://ubuntu.com/security/CVE-2025-40116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40078",
                        "url": "https://ubuntu.com/security/CVE-2025-40078",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40171",
                        "url": "https://ubuntu.com/security/CVE-2025-40171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40125",
                        "url": "https://ubuntu.com/security/CVE-2025-40125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40081",
                        "url": "https://ubuntu.com/security/CVE-2025-40081",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40027",
                        "url": "https://ubuntu.com/security/CVE-2025-40027",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     // start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40109",
                        "url": "https://ubuntu.com/security/CVE-2025-40109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-09 05:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58011",
                        "url": "https://ubuntu.com/security/CVE-2024-58011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 03:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39995",
                        "url": "https://ubuntu.com/security/CVE-2025-39995",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39994",
                        "url": "https://ubuntu.com/security/CVE-2025-39994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-22058",
                        "url": "https://ubuntu.com/security/CVE-2025-22058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39996",
                        "url": "https://ubuntu.com/security/CVE-2025-39996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free caused by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39998",
                        "url": "https://ubuntu.com/security/CVE-2025-39998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character; the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of \"%s/%s\\n\"), not the number actually written, this value may exceed the buffer length (256 bytes) passed to memcpy(), which will ultimately cause memcpy to read past the end of buf (reported as a buffer overflow).  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53090",
                        "url": "https://ubuntu.com/security/CVE-2024-53090",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-21 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-56538",
                        "url": "https://ubuntu.com/security/CVE-2024-56538",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53114",
                        "url": "https://ubuntu.com/security/CVE-2024-53114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-02 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38584",
                        "url": "https://ubuntu.com/security/CVE-2025-38584",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38561",
                        "url": "https://ubuntu.com/security/CVE-2025-38561",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If a client sends multiple session setup requests to ksmbd, a Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at the session setup phase. It can be freed together with the session at the connection termination phase.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-08-19 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137825,
                    2136820,
                    2136734,
                    2065369,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2134182,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2133909,
                    2131046,
                    2130553,
                    2121257,
                    2127866,
                    2128729
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40215",
                                "url": "https://ubuntu.com/security/CVE-2025-40215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete x->tunnel as we delete x  The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state synchronously on net exit path\") is not complete.  We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we currently drop dst\")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state.  Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped.  A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38248",
                                "url": "https://ubuntu.com/security/CVE-2025-38248",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bridge: mcast: Fix use-after-free during router port configuration  The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.  When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1  # ip link add name dummy1 up master br1 type dummy  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 1  $ bridge -d mdb show | grep router  However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:   # ip link set dev dummy1 type bridge_slave mcast_router 0  # ip link set dev dummy1 type bridge_slave mcast_router 2  $ bridge -d mdb show | grep router  router ports on br1: dummy1  Since commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions\"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):   # ip link del dev dummy1  # ip link add name dummy2 up master br1 type dummy  # ip link set dev dummy2 type bridge_slave mcast_router 2  Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:   # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1  # ip link add name dummy1 up master br1 type dummy  # bridge vlan add vid 2 dev dummy1  # bridge vlan global set vid 2 dev br1 mcast_snooping 1  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  # ip link set dev br1 type bridge mcast_vlan_snooping 0  $ bridge vlan global show dev br1 vid 2 | grep router  However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:   # bridge vlan set vid 2 dev dummy1 mcast_router 0  # bridge vlan set vid 2 dev dummy1 mcast_router 2  $ bridge vlan global show dev br1 vid 2 | grep router        router ports: dummy1  When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):   # ip link add name dummy2 up master br1 type dummy  # bridge vlan add vid 2 dev dummy2  # bridge vlan del vid 2 dev dummy1  # bridge vlan set vid 2 dev dummy2 mcast_router 2  Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.  Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).  [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace:  <TASK>  dump_stack ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-09 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40178",
                                "url": "https://ubuntu.com/security/CVE-2025-40178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pid: Add a judgment for ns null in pid_nr_ns  __task_pid_nr_ns         ns = task_active_pid_ns(current);         pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);                 if (pid && ns->level <= pid->level) {  Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.  For example: \tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058 \tMem abort info: \tESR = 0x0000000096000007 \tEC = 0x25: DABT (current EL), IL = 32 bits \tSET = 0, FnV = 0 \tEA = 0, S1PTW = 0 \tFSC = 0x07: level 3 translation fault \tData abort info: \tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 \tCM = 0, WnR = 0, TnD = 0, TagAccess = 0 \tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 \tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 \t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 \tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) \tpc : __task_pid_nr_ns+0x74/0xd0 \tlr : __task_pid_nr_ns+0x24/0xd0 \tsp : ffffffc08001bd10 \tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 \tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 \tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 \tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 \tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc \tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 \tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 \tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 \tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc \tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 \tCall trace: \t__task_pid_nr_ns+0x74/0xd0 \t... 
\t__handle_irq_event_percpu+0xd4/0x284 \thandle_irq_event+0x48/0xb0 \thandle_fasteoi_irq+0x160/0x2d8 \tgeneric_handle_domain_irq+0x44/0x60 \tgic_handle_irq+0x4c/0x114 \tcall_on_irq_stack+0x3c/0x74 \tdo_interrupt_handler+0x4c/0x84 \tel1_interrupt+0x34/0x58 \tel1h_64_irq_handler+0x18/0x24 \tel1h_64_irq+0x68/0x6c \taccount_kernel_stack+0x60/0x144 \texit_task_stack_account+0x1c/0x80 \tdo_exit+0x7e4/0xaf8 \t... \tget_signal+0x7bc/0x8d8 \tdo_notify_resume+0x128/0x828 \tel0_svc+0x6c/0x70 \tel0t_64_sync_handler+0x68/0xbc \tel0t_64_sync+0x1a8/0x1ac \tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) \t---[ end trace 0000000000000000 ]--- \tKernel panic - not syncing: Oops: Fatal exception in interrupt",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40134",
                                "url": "https://ubuntu.com/security/CVE-2025-40134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix NULL pointer dereference in __dm_suspend()  There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:  BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace:   <TASK>   blk_mq_quiesce_queue+0x2c/0x50   dm_stop_queue+0xd/0x20   __dm_suspend+0x130/0x330   dm_suspend+0x11a/0x180   dev_suspend+0x27e/0x560   ctl_ioctl+0x4cf/0x850   dm_ctl_ioctl+0xd/0x20   vfs_ioctl+0x1d/0x50   __se_sys_ioctl+0x9b/0xc0   __x64_sys_ioctl+0x19/0x30   x64_sys_call+0x2c4a/0x4620   do_syscall_64+0x9e/0x1b0  The issue can be triggered as below:  T1 \t\t\t\t\t\tT2 dm_suspend\t\t\t\t\ttable_load __dm_suspend\t\t\t\t\tdm_setup_md_queue \t\t\t\t\t\tdm_mq_init_request_queue \t\t\t\t\t\tblk_mq_init_allocated_queue \t\t\t\t\t\t=> q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer!\t(2) \t\t\t\t\t\t=> q->tag_set = set; (3)  Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.  Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40042",
                                "url": "https://ubuntu.com/security/CVE-2025-40042",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix race condition in kprobe initialization causing NULL pointer dereference  There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash.  [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828]  kprobe_perf_func+0x30/0x260 [1135630.441661]  kprobe_dispatcher+0x44/0x60 [1135630.448396]  aggr_pre_handler+0x70/0xc8 [1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435]  brk_handler+0xbc/0xd8 [1135630.468437]  do_debug_exception+0x84/0x138 [1135630.475074]  el1_dbg+0x18/0x8c [1135630.480582]  security_file_permission+0x0/0xd0 [1135630.487426]  vfs_write+0x70/0x1c0 [1135630.493059]  
ksys_write+0x5c/0xc8 [1135630.498638]  __arm64_sys_write+0x24/0x30 [1135630.504821]  el0_svc_common+0x78/0x130 [1135630.510838]  el0_svc_handler+0x38/0x78 [1135630.516834]  el0_svc+0x8/0x1b0  kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]  kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: \treturn 0;  crash> struct trace_event_call -o struct trace_event_call {   ...   [120] struct hlist_head *perf_events;  //(call->perf_event)   ... }  crash> struct trace_event_call ffffaf015340e528 struct trace_event_call {   ...   perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0   ... }  Race Condition Analysis:  The race occurs between kprobe activation and perf_events initialization:    CPU0                                    CPU1   ====                                    ====   perf_kprobe_init     perf_trace_event_init       tp_event->perf_events = list;(1)       tp_event->class->reg (2)← KPROBE ACTIVE                                           Debug exception triggers                                           ...                                           kprobe_dispatcher                                             kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)                                               head = this_cpu_ptr(call->perf_events)(3)                                               (perf_events is still NULL)  Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. 
CPU1 calls kprobe_perf_func() and crashes at (3) because    call->perf_events is still NULL  CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned.  Add pairing read an ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40120",
                                "url": "https://ubuntu.com/security/CVE-2025-40120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock  Prevent USB runtime PM (autosuspend) for AX88772* in bind.  usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.  The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.  To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.  Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40200",
                                "url": "https://ubuntu.com/security/CVE-2025-40200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: reject negative file sizes in squashfs_read_inode()  syzkaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.  This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.  This commit checks for a negative file size and returns EINVAL.  [phillip@squashfs.org.uk: only need to check 64 bit quantity]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40026",
                                "url": "https://ubuntu.com/security/CVE-2025-40026",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O  When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O.  If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace,  KVM will treat the access as being intercepted despite already having emulated the I/O access.  Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended \"recipient\") can reach the code in question.  gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.  The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM no completing emulation of the I/O instruction.    WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]   Modules linked in: kvm_intel kvm irqbypass   CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015   RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]   PKRU: 55555554   Call Trace:    <TASK>    kvm_fast_pio+0xd6/0x1d0 [kvm]    vmx_handle_exit+0x149/0x610 [kvm_intel]    kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]    kvm_vcpu_ioctl+0x244/0x8c0 [kvm]    __x64_sys_ioctl+0x8a/0xd0    do_syscall_64+0x5d/0xc60    entry_SYSCALL_64_after_hwframe+0x4b/0x53    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40179",
                                "url": "https://ubuntu.com/security/CVE-2025-40179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: verify orphan file size is not too big  In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40204",
                                "url": "https://ubuntu.com/security/CVE-2025-40204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Fix MAC comparison to be constant-time  To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40188",
                                "url": "https://ubuntu.com/security/CVE-2025-40188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pwm: berlin: Fix wrong register in suspend/resume  The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40194",
                                "url": "https://ubuntu.com/security/CVE-2025-40194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()  The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.  Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).  Address this issue by modifying update_qos_request() to drop the reference to the policy later.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40205",
                                "url": "https://ubuntu.com/security/CVE-2025-40205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid potential out-of-bounds in btrfs_encode_fh()  The function btrfs_encode_fh() does not properly account for the three cases it handles.  Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).  However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).  If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.  This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.  A previous attempt to fix this issue was made but was lost.  https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/  Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40183",
                                "url": "https://ubuntu.com/security/CVE-2025-40183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}  Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster.  The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing.  The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40187",
                                "url": "https://ubuntu.com/security/CVE-2025-40187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()  If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40111",
                                "url": "https://ubuntu.com/security/CVE-2025-40111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Fix Use-after-free in validation  Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40001",
                                "url": "https://ubuntu.com/security/CVE-2025-40001",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mvsas: Fix use-after-free bugs in mvs_work_queue  During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.  A typical race condition is illustrated below:  CPU 0 (remove)            | CPU 1 (delayed work callback) mvs_pci_remove()          |   mvs_free()              | mvs_work_queue()     cancel_delayed_work() |       kfree(mvi)          |                           |   mvi-> // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.  This bug was found by static analysis.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-18 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40029",
                                "url": "https://ubuntu.com/security/CVE-2025-40029",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: Check return value of platform_get_resource()  platform_get_resource() returns NULL in case of failure, so check its return value and propagate the error in order to prevent NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40030",
                                "url": "https://ubuntu.com/security/CVE-2025-40030",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: check the return value of pinmux_ops::get_function_name()  While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40035",
                                "url": "https://ubuntu.com/security/CVE-2025-40035",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak  Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.  Initialize ff_up_compat to zero before filling valid fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40153",
                                "url": "https://ubuntu.com/security/CVE-2025-40153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: hugetlb: avoid soft lockup when mprotect to large memory area  When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed:  watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]  CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000  Call trace:   mte_clear_page_tags+0x14/0x24   set_huge_pte_at+0x25c/0x280   hugetlb_change_protection+0x220/0x430   change_protection+0x5c/0x8c   mprotect_fixup+0x10c/0x294   do_mprotect_pkey.constprop.0+0x2e0/0x3d4   __arm64_sys_mprotect+0x24/0x44   invoke_syscall+0x50/0x160   el0_svc_common+0x48/0x144   do_el0_svc+0x30/0xe0   el0_svc+0x30/0xf0   el0t_64_sync_handler+0xc4/0x148   el0t_64_sync+0x1a4/0x1a8  Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size.  Although the soft lockup was triggered by MTE, it should be not MTE specific.  The other processing which takes long time in the loop may trigger soft lockup too.  So add cond_resched() for hugetlb to avoid soft lockup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40043",
                                "url": "https://ubuntu.com/security/CVE-2025-40043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: nfc: nci: Add parameter validation for packet data  Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 (\"Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").  This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.  Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop  Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40044",
                                "url": "https://ubuntu.com/security/CVE-2025-40044",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: udf: fix OOB read in lengthAllocDescs handling  When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.  BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309  CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x169/0x550 mm/kasan/report.c:488  kasan_report+0x143/0x180 mm/kasan/report.c:601  crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60  udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261  udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179  extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46  udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106  udf_release_file+0xc1/0x120 fs/udf/file.c:185  __fput+0x23f/0x880 fs/file_table.c:431  task_work_run+0x24f/0x310 kernel/task_work.c:239  exit_task_work include/linux/task_work.h:43 [inline]  do_exit+0xa2f/0x28e0 kernel/exit.c:939  do_group_exit+0x207/0x2c0 kernel/exit.c:1088  __do_sys_exit_group kernel/exit.c:1099 [inline]  __se_sys_exit_group kernel/exit.c:1097 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  </TASK>  Validate the computed total length against epos->bh->b_size.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40048",
                                "url": "https://ubuntu.com/security/CVE-2025-40048",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uio_hv_generic: Let userspace take care of interrupt mask  Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.  For eg- when the driver sets inbound ring buffer interrupt mask to 1, the host does not interrupt the guest on the UIO VMBus channel. However, setting the mask does not prevent the host from putting a message in the inbound ring buffer. So let’s assume that happens, the host puts a message into the ring buffer but does not interrupt.  Subsequently, the user space code in the guest sets the inbound ring buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. User space code then calls pread() to wait for an interrupt. Then one of two things happens:  * The host never sends another message. So the pread() waits forever. * The host does send another message. But because there’s already a   message in the ring buffer, it doesn’t generate an interrupt.   This is the correct behavior, because the host should only send an   interrupt when the inbound ring buffer transitions from empty to   not-empty. Adding an additional message to a ring buffer that is not   empty is not supposed to generate an interrupt on the guest.   Since the guest is waiting in pread() and not removing messages from   the ring buffer, the pread() waits forever.  This could be easily reproduced in hv_fcopy_uio_daemon if we delay setting interrupt mask to 0.  Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, there’s a race condition. Once user space empties the inbound ring buffer, but before user space sets interrupt_mask to 0, the host could put another message in the ring buffer but it wouldn’t interrupt. Then the next pread() would hang.  Fix these by removing all instances where interrupt_mask is changed, while keeping the one in set_event() unchanged to enable userspace control the interrupt mask by writing 0/1 to /dev/uioX.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40049",
                                "url": "https://ubuntu.com/security/CVE-2025-40049",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: fix uninit-value in squashfs_get_parent  Syzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.  This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number.  In particular the inode number is that of a symbolic link, rather than a directory.  Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.  \tunsigned int parent_ino = squashfs_i(inode)->parent;  Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.  The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.  Regular inodes used to share the parent field with the block_list_start field.  This is removed in this commit to enable the parent field to contain the invalid inode number 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40053",
                                "url": "https://ubuntu.com/security/CVE-2025-40053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dlink: handle copy_thresh allocation failure  The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference.  This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path.  Tested-on: D-Link DGE-550T Rev-A3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40055",
                                "url": "https://ubuntu.com/security/CVE-2025-40055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix double free in user_cluster_connect()  user_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then the error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this path to avoid a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40127",
                                "url": "https://ubuntu.com/security/CVE-2025-40127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwrng: ks-sa - fix division by zero in ks_sa_rng_init  Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values.  Add clock initialization code before using the clock.    drivers/char/hw_random/ks-sa-rng.c | 7 +++++++  1 file changed, 7 insertions(+)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40140",
                                "url": "https://ubuntu.com/security/CVE-2025-40140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast  syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning:  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb); }  rtl8150_set_multicast() { \tnetif_stop_queue(); \tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done }  rtl8150_start_xmit() { \tnetif_stop_queue(); \tusb_submit_urb(dev->tx_urb);\t<-- double submission }  rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization.  The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40115",
                                "url": "https://ubuntu.com/security/CVE-2025-40115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()  During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.  Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.  [83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:__dev_printk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848]  <TASK> [83428.295850]  _dev_printk+0x5c/0x80 [83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas] [83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas] [83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas] [83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas] [83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas] [83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas] [83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas] [83428.295957]  pci_device_remove+0x3b/0xb0 [83428.295962]  device_release_driver_internal+0x193/0x200 [83428.295968]  driver_detach+0x44/0x90 [83428.295971]  bus_remove_driver+0x69/0xf0 [83428.295975]  pci_unregister_driver+0x2a/0xb0 [83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas] [83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310 [83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296000]  ? __x64_sys_getdents64+0x9a/0x110 [83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296009]  ? syscall_trace_enter+0xf6/0x1b0 [83428.296014]  do_syscall_64+0x7b/0x2c0 [83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5 [83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40060",
                                "url": "https://ubuntu.com/security/CVE-2025-40060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: trbe: Return NULL pointer for allocation failures  When the TRBE driver fails to allocate a buffer, it currently returns the error code \"-ENOMEM\". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.  Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can properly handle the failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40112",
                                "url": "https://ubuntu.com/security/CVE-2025-40112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40124",
                                "url": "https://ubuntu.com/security/CVE-2025-40124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III  Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This led to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy.  The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40126",
                                "url": "https://ubuntu.com/security/CVE-2025-40126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC  The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40068",
                                "url": "https://ubuntu.com/security/CVE-2025-40068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: ntfs3: Fix integer overflow in run_unpack()  The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.  The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.  Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.  Add overflow check for addition operation.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40121",
                                "url": "https://ubuntu.com/security/CVE-2025-40121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access.  This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40154",
                                "url": "https://ubuntu.com/security/CVE-2025-40154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping  When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access.  This patch corrects the input mapping to the certain default value if an invalid value is passed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40070",
                                "url": "https://ubuntu.com/security/CVE-2025-40070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: fix warning in pps_register_cdev when register device fail  Similar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error handling in __video_register_device()\"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.    ------------[ cut here ]------------   WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567   Modules linked in:   CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE   RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567   Call Trace:    <TASK>    kobject_cleanup+0x136/0x410 lib/kobject.c:689    kobject_release lib/kobject.c:720 [inline]    kref_put include/linux/kref.h:65 [inline]    kobject_put+0xe9/0x130 lib/kobject.c:737    put_device+0x24/0x30 drivers/base/core.c:3797    pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402    pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108    pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57    tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432    tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563    tiocsetd drivers/tty/tty_io.c:2429 [inline]    tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:598 [inline]    __se_sys_ioctl fs/ioctl.c:584 [inline]    __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e    </TASK>  Before commit c79a39dc8d06 (\"pps: Fix a use-after-free\"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). 
Now the comment is outdated, just remove it.  Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40118",
                                "url": "https://ubuntu.com/security/CVE-2025-40118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod  Since commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when device is gone\") UBSAN reports:    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17   index 28 is out of range for type 'pm8001_phy [16]'  on rmmod when using an expander.  For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id.  I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander).  E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the ports has an expander connected.  The expander has 31 phys with phy ids 0-30.  The pm8001_ha->phy array only contains the phys of the HBA.  It does not contain the phys of the expander.  Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander.  Thus, we can only clear phy_attached for devices that are directly attached.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40116",
                                "url": "https://ubuntu.com/security/CVE-2025-40116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup  The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40078",
                                "url": "https://ubuntu.com/security/CVE-2025-40078",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Explicitly check accesses to bpf_sock_addr  Syzkaller found a kernel warning on the following sock_addr program:      0: r0 = 0     1: r2 = *(u32 *)(r1 +60)     2: exit  which triggers:      verifier bug: error during ctx access conversion (0)  This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.  This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.  I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40171",
                                "url": "https://ubuntu.com/security/CVE-2025-40171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: move lsop put work to nvmet_fc_ls_req_op  It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.  In the current code, only one put work item is queued at a time, which results in a leaked reference.  To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40125",
                                "url": "https://ubuntu.com/security/CVE-2025-40125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx  In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning:    kernfs: can not remove 'nr_tags', no directory   WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160   Call Trace:    remove_files.isra.1+0x38/0xb0    sysfs_remove_group+0x4d/0x100    sysfs_remove_groups+0x31/0x60    __kobject_del+0x23/0xf0    kobject_del+0x17/0x40    blk_mq_unregister_hctx+0x5d/0x80    blk_mq_sysfs_unregister_hctxs+0x94/0xd0    blk_mq_update_nr_hw_queues+0x124/0x760    nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]    nullb_device_submit_queues_store+0x92/0x120 [null_blk]  kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40081",
                                "url": "https://ubuntu.com/security/CVE-2025-40081",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm_spe: Prevent overflow in PERF_IDX2OFF()  Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40027",
                                "url": "https://ubuntu.com/security/CVE-2025-40027",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/9p: fix double req put in p9_fd_cancelled  Syzkaller reports a KASAN issue as below:  general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734  Call Trace:  <TASK>  p9_client_flush+0x351/0x440 net/9p/client.c:614  p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734  p9_client_version net/9p/client.c:920 [inline]  p9_client_create+0xb51/0x1240 net/9p/client.c:1027  v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408  v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126  legacy_get_tree+0x108/0x220 fs/fs_context.c:632  vfs_get_tree+0x8e/0x300 fs/super.c:1573  do_new_mount fs/namespace.c:3056 [inline]  path_mount+0x6a6/0x1e90 fs/namespace.c:3386  do_mount fs/namespace.c:3399 [inline]  __do_sys_mount fs/namespace.c:3607 [inline]  __se_sys_mount fs/namespace.c:3584 [inline]  __x64_sys_mount+0x283/0x300 fs/namespace.c:3584  do_syscall_x64 arch/x86/entry/common.c:51 [inline]  do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81  entry_SYSCALL_64_after_hwframe+0x6e/0xd8  This happens because of a race condition between:  - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests.        Thread 1                              Thread 2     ...     p9_client_create()     ...     p9_fd_create()     ...     p9_conn_create()     ...     
// start Thread 2     INIT_WORK(&m->rq, p9_read_work);                                         p9_read_work()     ...     p9_client_rpc()     ...                                         ...                                         p9_conn_cancel()                                         ...                                         spin_lock(&m->req_lock);     ...     p9_fd_cancelled()     ...                                         ...                                         spin_unlock(&m->req_lock);                                         // status rewrite                                         p9_client_cb(m->client, req, REQ_STATUS_ERROR)                                         // first remove                                         list_del(&req->req_list);                                         ...      spin_lock(&m->req_lock)     ...     // second remove     list_del(&req->req_list);     spin_unlock(&m->req_lock)   ...  Commit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD.  Update the check for req->status in p9_fd_cancelled to skip processing not just received requests, but anything that is not SENT, as whatever changed the state from SENT also removed the request from its list.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [updated the check from status == RECV || status == ERROR to status != SENT]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40109",
                                "url": "https://ubuntu.com/security/CVE-2025-40109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: rng - Ensure set_ent is always present  Ensure that set_ent is always set since only drbg provides it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-09 05:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58011",
                                "url": "https://ubuntu.com/security/CVE-2024-58011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Check for adev == NULL  Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.  Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 03:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39995",
                                "url": "https://ubuntu.com/security/CVE-2025-39995",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe  The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.  The following is the trace captured by KASAN.  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __pfx_sched_balance_find_src_group+0x10/0x10  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? rcu_sched_clock_irq+0xb06/0x27d0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? try_to_wake_up+0xb15/0x1960  ? tmigr_update_events+0x280/0x740  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  tmigr_handle_remote_up+0x603/0x7e0  ? __pfx_tmigr_handle_remote_up+0x10/0x10  ? sched_balance_trigger+0x98/0x9f0  ? sched_tick+0x221/0x5a0  ? _raw_spin_lock_irq+0x80/0xe0  ? __pfx__raw_spin_lock_irq+0x10/0x10  ? tick_nohz_handler+0x339/0x440  ? __pfx_tmigr_handle_remote_up+0x10/0x10  __walk_groups.isra.0+0x42/0x150  tmigr_handle_remote+0x1f4/0x2e0  ? __pfx_tmigr_handle_remote+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  ? hrtimer_interrupt+0x322/0x780  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_node_track_caller_noprof+0x198/0x430  devm_kmalloc+0x7b/0x1e0  tc358743_probe+0xb7/0x610  i2c_device_probe+0x51d/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 141:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  release_nodes+0xa4/0x100  devres_release_group+0x1b2/0x380  i2c_device_probe+0x694/0x880  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __device_attach_driver+0x174/0x220  bus_for_each_drv+0x100/0x190  __device_attach+0x206/0x370  bus_probe_device+0x123/0x170  device_add+0xd25/0x1470  i2c_new_client_device+0x7a0/0xcd0  do_one_initcall+0x89/0x300  do_init_module+0x29d/0x7f0  load_module+0x4f48/0x69e0  init_module_from_file+0xe4/0x150  idempotent_init_module+0x320/0x670  __x64_sys_finit_module+0xbd/0x120  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.  This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39994",
                                "url": "https://ubuntu.com/security/CVE-2025-39994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: tuner: xc5000: Fix use-after-free in xc5000_release  The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.  A typical race condition is illustrated below:  CPU 0 (release thread)                 | CPU 1 (delayed work callback) xc5000_release()                       | xc5000_do_timer_sleep()   cancel_delayed_work()                |   hybrid_tuner_release_state(priv)     |     kfree(priv)                        |                                        |   priv = container_of() // UAF  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.  A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.  This bug was initially identified through static analysis.  [hverkuil: fix typo in Subject: tunner -> tuner]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-22058",
                                "url": "https://ubuntu.com/security/CVE-2025-22058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Fix memory accounting leak.  Matt Dowling reported a weird UDP memory usage issue.  Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero.  However, it occasionally spiked to 524,288 pages and never dropped.  Moreover, the value doubled when the application was terminated.  Finally, it caused intermittent packet drops.  We can reproduce the issue with the script below [0]:    1. /proc/net/sockstat reports 0 pages      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 0    2. Run the script till the report reaches 524,288      # python3 test.py & sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT    3. Kill the socket and confirm the number never drops      # pkill python3 && sleep 5     # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 524288    4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()      # python3 test.py & sleep 1 && pkill python3    5. The number doubles      # cat /proc/net/sockstat | grep UDP:     UDP: inuse 1 mem 1048577  The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().  When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue.  This total is calculated and stored in a local unsigned integer variable.  The total size is then passed to udp_rmem_release() to adjust memory accounting.  However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.  Then, the released amount is calculated as follows:    1) Add size to sk->sk_forward_alloc.   2) Round down sk->sk_forward_alloc to the nearest lower multiple of       PAGE_SIZE and assign it to amount.   3) Subtract amount from sk->sk_forward_alloc.   
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().  When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().  At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't see a warning in inet_sock_destruct().  However, udp_memory_allocated ends up doubling at 4).  Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.  This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.  To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.  Note that first_packet_length() also potentially has the same problem.  [0]: from socket import *  SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1  s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)  c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname())  data = b'a' * 100  while True:     c.send(data)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39996",
                                "url": "https://ubuntu.com/security/CVE-2025-39996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove  The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.  A typical race condition is illustrated below:  CPU 0 (remove)                         | CPU 1 (delayed work callback) flexcop_pci_remove()                   | flexcop_pci_irq_check_work()   cancel_delayed_work()                |   flexcop_device_kfree(fc_pci->fc_dev) |                                        |   fc = fc_pci->fc_dev; // UAF  This is confirmed by a KASAN report:  ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace:  <IRQ>  dump_stack_lvl+0x55/0x70  print_report+0xcf/0x610  ? __run_timer_base.part.0+0x7d7/0x8c0  kasan_report+0xb8/0xf0  ? __run_timer_base.part.0+0x7d7/0x8c0  __run_timer_base.part.0+0x7d7/0x8c0  ? __pfx___run_timer_base.part.0+0x10/0x10  ? __pfx_read_tsc+0x10/0x10  ? ktime_get+0x60/0x140  ? lapic_next_event+0x11/0x20  ? clockevents_program_event+0x1d4/0x2a0  run_timer_softirq+0xd1/0x190  handle_softirqs+0x16a/0x550  irq_exit_rcu+0xaf/0xe0  sysvec_apic_timer_interrupt+0x70/0x80  </IRQ> ...  
Allocated by task 1:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_kmalloc+0x7f/0x90  __kmalloc_noprof+0x1be/0x460  flexcop_device_kmalloc+0x54/0xe0  flexcop_pci_probe+0x1f/0x9d0  local_pci_probe+0xdc/0x190  pci_device_probe+0x2fe/0x470  really_probe+0x1ca/0x5c0  __driver_probe_device+0x248/0x310  driver_probe_device+0x44/0x120  __driver_attach+0xd2/0x310  bus_for_each_dev+0xed/0x170  bus_add_driver+0x208/0x500  driver_register+0x132/0x460  do_one_initcall+0x89/0x300  kernel_init_freeable+0x40d/0x720  kernel_init+0x1a/0x150  ret_from_fork+0x10c/0x1a0  ret_from_fork_asm+0x1a/0x30  Freed by task 135:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x3f/0x50  kfree+0x137/0x370  flexcop_device_kfree+0x32/0x50  pci_device_remove+0xa6/0x1d0  device_release_driver_internal+0xf8/0x210  pci_stop_bus_device+0x105/0x150  pci_stop_and_remove_bus_device_locked+0x15/0x30  remove_store+0xcc/0xe0  kernfs_fop_write_iter+0x2c3/0x440  vfs_write+0x871/0xd70  ksys_write+0xee/0x1c0  do_syscall_64+0xac/0x280  entry_SYSCALL_64_after_hwframe+0x77/0x7f ...  Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.  This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39998",
                                "url": "https://ubuntu.com/security/CVE-2025-39998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: target_core_configfs: Add length check to avoid buffer overflow  A buffer overflow arises from the usage of snprintf to write into the buffer \"buf\" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).  snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes.  Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error.  An additional check of the return value of snprintf() can avoid this buffer overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53090",
                                "url": "https://ubuntu.com/security/CVE-2024-53090",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix lock recursion  afs_wake_up_async_call() can incur lock recursion.  The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work queue - but if the afs_call is already queued, we then have an extraneous ref that must be put... calling afs_put_call() may call back down into AF_RXRPC through rxrpc_kernel_shutdown_call(), however, which might try taking the ->notify_lock again.  This case isn't very common, however, so defer it to a workqueue.  The oops looks something like:    BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646    lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0   CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351   Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014   Call Trace:    <TASK>    dump_stack_lvl+0x47/0x70    do_raw_spin_lock+0x3c/0x90    rxrpc_kernel_shutdown_call+0x83/0xb0    afs_put_call+0xd7/0x180    rxrpc_notify_socket+0xa0/0x190    rxrpc_input_split_jumbo+0x198/0x1d0    rxrpc_input_data+0x14b/0x1e0    ? rxrpc_input_call_packet+0xc2/0x1f0    rxrpc_input_call_event+0xad/0x6b0    rxrpc_input_packet_on_conn+0x1e1/0x210    rxrpc_input_packet+0x3f2/0x4d0    rxrpc_io_thread+0x243/0x410    ? __pfx_rxrpc_io_thread+0x10/0x10    kthread+0xcf/0xe0    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x24/0x40    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-21 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-56538",
                                "url": "https://ubuntu.com/security/CVE-2024-56538",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: zynqmp_kms: Unplug DRM device before removal  Prevent userspace accesses to the DRM device from causing use-after-frees by unplugging the device before we remove it. This causes any further userspace accesses to result in an error without further calls into this driver's internals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53114",
                                "url": "https://ubuntu.com/security/CVE-2024-53114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren't intended to be advertised on Zen4 client so clear the capability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-02 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38584",
                                "url": "https://ubuntu.com/security/CVE-2025-38584",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: Fix pd UAF once and for all  There is a race condition/UAF in padata_reorder that goes back to the initial commit.  A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.  This reference count is (and only is) required for padata_replace to function correctly.  If padata_replace is never called then there is no issue.  In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.  Fix this by getting the next padata before the squeue->serial lock is released.  In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38561",
                                "url": "https://ubuntu.com/security/CVE-2025-38561",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix Preauh_HashValue race condition  If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-08-19 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)",
                            "",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "",
                            "  * CVE-2025-40215",
                            "    - xfrm: delete x->tunnel as we delete x",
                            "",
                            "  * CVE-2025-38248",
                            "    - bridge: mcast: Fix use-after-free during router port configuration",
                            "",
                            "  * selftests: net: veth: fix compatibility with older ethtool versions",
                            "    (LP: #2136734)",
                            "    - SAUCE: selftests: net: veth: use short form gro for ethtool -K",
                            "    - SAUCE: selftests: net: veth: accept 0 for unsupported combined channels",
                            "",
                            "  * veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp",
                            "    attached - gro flag) (LP: #2065369)",
                            "    - selftests: net: veth: test the ability to independently manipulate GRO",
                            "      and XDP",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182)",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: rc: Directly use ida_free()",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in",
                            "      functions",
                            "    - drm/exynos: exynos7_drm_decon: properly clear channels during bind",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - splice, net: Add a splice_eof op to file-ops and socket-ops",
                            "    - net: tls: wait for async completion on last message",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - net: usb: use eth_hw_addr_set() instead of ether_addr_copy()",
                            "    - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - sched/balancing: Rename newidle_balance() => sched_balance_newidle()",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - PCI/sysfs: Ensure devices are powered for config reads (part 2)",
                            "    - exec: Fix incorrect type for ret",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - net: rtnetlink: add helper to extract msg type's kind",
                            "    - net: rtnetlink: use BIT for flag values",
                            "    - net: netlink: add NLM_F_BULK delete request modifier",
                            "    - net: rtnetlink: add bulk delete support flag",
                            "    - net: add ndo_fdb_del_bulk",
                            "    - net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - iio: imu: inv_icm42600: use = { } instead of memset()",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - PM: runtime: Add new devm functions",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - fuse: allocate ff->release_args only if release is needed",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - PCI: j721e: Enable ACSPCIE Refclk if \"ti,syscon-acspcie-proxy-ctrl\"",
                            "      exists",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - xfs: always warn about deprecated mount options",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - net: rtnetlink: fix module reference count leak issue in",
                            "      rtnetlink_rcv_msg",
                            "    - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()",
                            "    - Linux 5.15.196",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "",
                            "  * Jammy update: v5.15.196 upstream stable release (LP: #2134182) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909)",
                            "    - iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support",
                            "    - KVM: arm64: Fix softirq masking in FPSIMD register saving sequence",
                            "    - media: tunner: xc5000: Refactor firmware load",
                            "    - USB: serial: option: add SIMCom 8230C compositions",
                            "    - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188",
                            "    - dm-integrity: limit MAX_TAG_SIZE to 255",
                            "    - perf subcmd: avoid crash in exclude_cmds when excludes is empty",
                            "    - hid: fix I2C read buffer overflow in raw_event() for mcp2221",
                            "    - serial: stm32: allow selecting console when the driver is module",
                            "    - staging: axis-fifo: fix maximum TX packet length check",
                            "    - staging: axis-fifo: flush RX FIFO on read errors",
                            "    - driver core/PM: Set power.no_callbacks along with power.no_pm",
                            "    - minmax: add in_range() macro",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: at91: peripheral: fix return value",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: libsas: Add sas_task_find_rq()",
                            "    - scsi: mvsas: Delete mvs_tag_init()",
                            "    - scsi: mvsas: Use sas_task_find_rq() for tagging",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - s390/cio: unregister the subchannel while purging",
                            "    - drm/vmwgfx: Copy DRM hash-table code into driver",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: free orphan info with kvfree",
                            "    - lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older",
                            "    - ASoC: codecs: wcd934x: Simplify with dev_err_probe",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - media: mc: Clear minor number before put device",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register",
                            "      value",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - locking: Introduce __cleanup() based infrastructure",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - minmax: Introduce {min,max}_array()",
                            "    - minmax: deduplicate __unconst_integer_typeof()",
                            "    - minmax: fix indentation of __cmp_once() and __clamp_once()",
                            "    - minmax: avoid overly complicated constant expressions in VM code",
                            "    - minmax: add a few more MIN_T/MAX_T users",
                            "    - minmax: simplify and clarify min_t()/max_t() implementation",
                            "    - minmax: make generic MIN() and MAX() macros available everywhere",
                            "    - minmax: don't use max() in situations that want a C constant expression",
                            "    - minmax: simplify min()/max()/clamp() implementation",
                            "    - minmax: improve macro expansion and type checking",
                            "    - minmax: fix up min3() and max3() too",
                            "    - minmax.h: add whitespace around operators and after commas",
                            "    - minmax.h: update some comments",
                            "    - minmax.h: reduce the #define expansion of min(), max() and clamp()",
                            "    - minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()",
                            "    - minmax.h: move all the clamp() definitions after the min/max() ones",
                            "    - minmax.h: simplify the variants of clamp()",
                            "    - minmax.h: remove some #defines that are only expanded once",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - media: switch from 'pci_' to 'dma_' API",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - media: pci/ivtv: switch from 'pci_' to 'dma_' API",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - media: pci: ivtv: Add check for DMA map result",
                            "    - mm/slab: make __free(kfree) accept error pointers",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - Linux 5.15.195",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40178",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40134",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40042",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40120",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40200",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40026",
                            "    - KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40179",
                            "    - ext4: verify orphan file size is not too big",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40204",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40188",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40194",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40205",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40183",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40187",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40111",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40001",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40029",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40030",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40035",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40153",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40043",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40044",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40048",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40049",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40053",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40055",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40127",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40140",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40115",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40060",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40112",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40124",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40126",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40068",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40121",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40154",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40070",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40118",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40116",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40078",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40171",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40125",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40081",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40027",
                            "    - net/9p: fix double req put in p9_fd_cancelled",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-40109",
                            "    - crypto: rng - Ensure set_ent is always present",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2024-58011",
                            "    - platform/x86: int3472: Check for adev == NULL",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39995",
                            "    - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in",
                            "      probe",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39994",
                            "    - media: tuner: xc5000: Fix use-after-free in xc5000_release",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-22058",
                            "    - udp: Fix memory accounting leak.",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39996",
                            "    - media: b2c2: Fix use-after-free causing by irq_check_work in",
                            "      flexcop_pci_remove",
                            "",
                            "  * Jammy update: v5.15.195 upstream stable release (LP: #2133909) //",
                            "    CVE-2025-39998",
                            "    - scsi: target: target_core_configfs: Add length check to avoid buffer",
                            "      overflow",
                            "",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "",
                            "  * Jammy Linux: Introduced Warning with CVE-2024-53090 fix (LP: #2130553)",
                            "    - SAUCE: Remove warning introduced during CVE-2024-53090 fix",
                            "",
                            "  * [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user",
                            "    namespaces (LP: #2121257)",
                            "    - apparmor: shift ouid when mediating hard links in userns",
                            "    - apparmor: shift uid when mediating af_unix in userns",
                            "",
                            "  * Jammy update: v5.15.194 upstream stable release (LP: #2127866)",
                            "    - Revert \"fbdev: Disable sysfb device registration when removing",
                            "      conflicting FBs\"",
                            "    - xfs: short circuit xfs_growfs_data_private() if delta is zero",
                            "    - kunit: kasan_test: disable fortify string checker on kasan_strings()",
                            "      test",
                            "    - mm: introduce and use {pgd,p4d}_populate_kernel()",
                            "    - media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning",
                            "    - media: i2c: imx214: Fix link frequency validation",
                            "    - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
                            "    - tracing: Do not add length to print format in synthetic events",
                            "    - mm/rmap: reject hugetlb folios in folio_make_device_exclusive()",
                            "    - flexfiles/pNFS: fix NULL checks on result of",
                            "      ff_layout_choose_ds_for_read",
                            "    - NFSv4: Don't clear capabilities that won't be reset",
                            "    - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set",
                            "    - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server",
                            "    - tracing: Fix tracing_marker may trigger page fault during",
                            "      preempt_disable",
                            "    - NFSv4/flexfiles: Fix layout merge mirror check.",
                            "    - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to",
                            "      allocate psock->cork.",
                            "    - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code",
                            "    - KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()",
                            "    - KVM: SVM: Set synthesized TSA CPUID flags",
                            "    - EDAC/altera: Delete an inappropriate dma_free_coherent() call",
                            "    - compiler-clang.h: define __SANITIZE_*__ macros only when undefined",
                            "    - ocfs2: fix recursive semaphore deadlock in fiemap call",
                            "    - mtd: rawnand: stm32_fmc2: fix ECC overwrite",
                            "    - fuse: check if copy_file_range() returns larger than requested size",
                            "    - fuse: prevent overflow in copy_file_range return value",
                            "    - libceph: fix invalid accesses to ceph_connection_v1_info",
                            "    - mm/khugepaged: fix the address passed to notifier on testing young",
                            "    - mtd: nand: raw: atmel: Fix comment in timings preparation",
                            "    - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing",
                            "    - mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check",
                            "    - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
                            "    - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk",
                            "      table",
                            "    - tty: hvc_console: Call hvc_kick in hvc_write unconditionally",
                            "    - dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks",
                            "    - USB: serial: option: add Telit Cinterion FN990A w/audio compositions",
                            "    - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions",
                            "    - net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()",
                            "    - tunnels: reset the GSO metadata before reusing the skb",
                            "    - igb: fix link test skipping when interface is admin down",
                            "    - genirq: Provide new interfaces for affinity hints",
                            "    - i40e: Use irq_update_affinity_hint()",
                            "    - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
                            "    - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when",
                            "      j1939_local_ecu_get() failed",
                            "    - can: j1939: j1939_local_ecu_get(): undo increment when",
                            "      j1939_local_ecu_get() fails",
                            "    - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted",
                            "      SKB",
                            "    - net: hsr: Disable promiscuous mode in offload mode",
                            "    - net: hsr: Add support for MC filtering at the slave device",
                            "    - net: hsr: Add VLAN CTAG filter support",
                            "    - hsr: use rtnl lock when iterating over ports",
                            "    - hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr",
                            "    - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map",
                            "    - regulator: sy7636a: fix lifecycle of power good gpio",
                            "    - hrtimer: Remove unused function",
                            "    - hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()",
                            "    - hrtimers: Unconditionally update target CPU base after offline timer",
                            "      migration",
                            "    - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
                            "    - phy: tegra: xusb: fix device and OF node leak at probe",
                            "    - phy: ti-pipe3: fix device leak at unbind",
                            "    - soc: qcom: mdt_loader: Deal with zero e_shentsize",
                            "    - drm/amdgpu: fix a memory leak in fence cleanup when unloading",
                            "    - drm/i915/power: fix size for for_each_set_bit() in abox iteration",
                            "    - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison",
                            "      memory",
                            "    - net: hsr: hsr_slave: Fix the promiscuous mode in offload mode",
                            "    - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is",
                            "      not supported",
                            "    - wifi: mac80211: fix incorrect type for ret",
                            "    - pcmcia: omap_cf: Mark driver struct with __refdata to prevent section",
                            "      mismatch",
                            "    - cgroup: split cgroup_destroy_wq into 3 workqueues",
                            "    - um: virtio_uml: Fix use-after-free after put_device in probe",
                            "    - dpaa2-switch: fix buffer pool seeding for control traffic",
                            "    - qed: Don't collect too many protection override GRC elements",
                            "    - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure",
                            "    - i40e: remove redundant memory barrier when cleaning Tx descs",
                            "    - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon port speed set\"",
                            "    - net: liquidio: fix overflow in octeon_init_instr_queue()",
                            "    - cnic: Fix use-after-free bugs in cnic_delete_task",
                            "    - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*",
                            "    - power: supply: bq27xxx: fix error return in case of no bq27000 hdq",
                            "      battery",
                            "    - power: supply: bq27xxx: restrict no-battery detection to bq27000",
                            "    - btrfs: tree-checker: fix the incorrect inode ref size check",
                            "    - mmc: mvsdio: Fix dma_unmap_sg() nents value",
                            "    - KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active",
                            "    - rds: ib: Increment i_fastreg_wrs before bailing out",
                            "    - ASoC: wm8940: Correct typo in control name",
                            "    - ASoC: wm8974: Correct PLL rate rounding",
                            "    - ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error",
                            "      message",
                            "    - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ",
                            "    - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path",
                            "    - serial: sc16is7xx: fix bug in flow control levels init",
                            "    - xhci: dbc: decouple endpoint allocation from initialization",
                            "    - xhci: dbc: Fix full DbC transfer ring after several reconnects",
                            "    - usb: gadget: dummy_hcd: remove usage of list iterator past the loop body",
                            "    - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels",
                            "    - phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning",
                            "    - phy: Use device_get_match_data()",
                            "    - phy: ti: omap-usb2: fix device leak at unbind",
                            "    - mptcp: set remote_deny_join_id0 on SYN recv",
                            "    - ksmbd: smbdirect: validate data_offset and data_length field of",
                            "      smb_direct_data_transfer",
                            "    - mptcp: propagate shutdown to subflows when possible",
                            "    - net: rfkill: gpio: add DT support",
                            "    - net: rfkill: gpio: Fix crash due to dereferencering uninitialized",
                            "      pointer",
                            "    - ALSA: usb-audio: Fix block comments in mixer_quirks",
                            "    - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks",
                            "    - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks",
                            "    - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks",
                            "    - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks",
                            "    - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5",
                            "    - ALSA: usb-audio: Convert comma to semicolon",
                            "    - ALSA: usb-audio: Fix build with CONFIG_INPUT=n",
                            "    - usb: core: Add 0x prefix to quirks debug output",
                            "    - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions",
                            "    - arm64: dts: imx8mp: Correct thermal sensor index",
                            "    - cpufreq: Initialize cpufreq-based invariance before subsys",
                            "    - can: rcar_can: rcar_can_resume(): fix s2ram with PSCI",
                            "    - bpf: Reject bpf_timer for PREEMPT_RT",
                            "    - can: bittiming: allow TDC{V,O} to be zero and add",
                            "      can_tdc_const::tdc{v,o,f}_min",
                            "    - can: bittiming: replace CAN units with the generic ones from",
                            "      linux/units.h",
                            "    - can: dev: add generic function can_ethtool_op_get_ts_info_hwts()",
                            "    - can: dev: add generic function can_eth_ioctl_hwts()",
                            "    - can: etas_es58x: advertise timestamping capabilities and add ioctl",
                            "      support",
                            "    - can: etas_es58x: sort the includes by alphabetic order",
                            "    - can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow",
                            "    - can: peak_usb: fix shift-out-of-bounds issue",
                            "    - ethernet: rvu-af: Remove slash from the driver name",
                            "    - bnxt_en: correct offset handling for IPv6 destination address",
                            "    - nexthop: Forbid FDB status change while nexthop is in a group",
                            "    - selftests: fib_nexthops: Fix creation of non-FDB nexthops",
                            "    - net: dsa: lantiq_gswip: do also enable or disable cpu port",
                            "    - net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to",
                            "      port_setup()",
                            "    - net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries",
                            "      added to the CPU port",
                            "    - drm/gma500: Fix null dereference in hdmi teardown",
                            "    - i40e: fix idx validation in i40e_validate_queue_map",
                            "    - i40e: fix input validation logic for action_meta",
                            "    - i40e: add max boundary check for VF filters",
                            "    - i40e: add mask to apply valid bits for itr_idx",
                            "    - tracing: dynevent: Add a missing lockdown check on dynevent",
                            "    - fbcon: fix integer overflow in fbcon_do_set_font",
                            "    - fbcon: Fix OOB access in font allocation",
                            "    - af_unix: Don't leave consecutive consumed OOB skbs.",
                            "    - mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()",
                            "    - mm/hugetlb: fix folio is still mapped when deleted",
                            "    - i40e: fix validation of VF state in get resources",
                            "    - i40e: fix idx validation in config queues msg",
                            "    - i40e: increase max descriptors for XL710",
                            "    - i40e: add validation for ring_len param",
                            "    - drm/i915/backlight: Return immediately when scale() finds invalid",
                            "      parameters",
                            "    - Linux 5.15.194",
                            "",
                            "  * CVE-2024-56538",
                            "    - drm: zynqmp_kms: Unplug DRM device before removal",
                            "",
                            "  * CVE-2024-53114",
                            "    - tools headers cpufeatures: Sync with the kernel sources",
                            "    - x86: Fix comment for X86_FEATURE_ZEN",
                            "    - x86/CPU/AMD: Add ZenX generations flags",
                            "    - x86/CPU/AMD: Carve out the erratum 1386 fix",
                            "    - x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function",
                            "    - x86/CPU/AMD: Move erratum 1076 fix into the Zen1 init function",
                            "    - x86/CPU/AMD: Call the spectral chicken in the Zen2 init function",
                            "    - x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()",
                            "    - x86/CPU/AMD: Move Zenbleed check to the Zen2 init function",
                            "    - x86/CPU/AMD: Move the DIV0 bug detection to the Zen1 init function",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1054[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_383[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_400[]",
                            "    - x86/CPU/AMD: Get rid of amd_erratum_1485[]",
                            "    - x86/CPU/AMD: Drop now unused CPU erratum checking function",
                            "    - x86/CPU/AMD: Add X86_FEATURE_ZEN1",
                            "    - tools headers x86 cpufeatures: Sync with the kernel sources to pick TDX,",
                            "      Zen, APIC MSR fence changes",
                            "    - x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load",
                            "    - x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client",
                            "    - x86/cpu/amd: Fix workaround for erratum 1054",
                            "",
                            "  * CVE-2025-38584",
                            "    - padata: Fix pd UAF once and for all",
                            "    - padata: Remove comment for reorder_work",
                            "",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "",
                            "  * Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /",
                            "    Renoir / Rembrandt) (LP: #2128729)",
                            "    - SAUCE: drm/amd/display: Fix incorrect code path taken in",
                            "      amdgpu_dm_atomic_check()",
                            "",
                            "  * CVE-2025-38561",
                            "    - ksmbd: fix Preauh_HashValue race condition",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - selftests: net: use slowwait to stabilize vrf_route_leaking test",
                            ""
                        ],
                        "package": "linux",
                        "version": "5.15.0-170.180",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2137825,
                            2136820,
                            2136734,
                            2065369,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2134182,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2133909,
                            2131046,
                            2130553,
                            2121257,
                            2127866,
                            2128729
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 09 Jan 2026 18:51:02 +0300"
                    }
                ],
                "notes": "linux-modules-5.15.0-170-generic version '5.15.0-170.180' (source package linux version '5.15.0-170.180') was added. linux-modules-5.15.0-170-generic version '5.15.0-170.180' has the same source package name, linux, as removed package linux-headers-5.15.0-164. As such we can use the source package version of the removed package, '5.15.0-164.174', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-5.15.0-164",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": "5.15.0-164.174"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-5.15.0-164-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": "5.15.0-164.174"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-5.15.0-164-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "5.15.0-164.174",
                    "version": "5.15.0-164.174"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-5.15.0-164-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "5.15.0-164.174",
                    "version": "5.15.0-164.174"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260119 to 20260216",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260119",
    "to_serial": "20260216",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}