{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-6.8.0-87-generic", "linux-modules-6.8.0-87-generic" ], "removed": [ "linux-image-6.8.0-85-generic", "linux-modules-6.8.0-85-generic" ], "diff": [ "distro-info-data", "intel-microcode", "libpam-systemd", "libssh-4", "libsystemd-shared", "libsystemd0", "libudev1", "linux-image-virtual", "snapd", "systemd", "systemd-dev", "systemd-resolved", "systemd-sysv", "systemd-timesyncd", "udev" ] } }, "diff": { "deb": [ { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.60ubuntu0.3", "version": "0.60ubuntu0.3" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.60ubuntu0.5", "version": "0.60ubuntu0.5" }, "cves": [], "launchpad_bugs_fixed": [ 2126961 ], "changes": [ { "cves": [], "log": [ "", " * ubuntu.csv: remove eol-legacy field from resolute", " This version of distro-info does not know about eol-legacy.", "" ], "package": "distro-info-data", "version": "0.60ubuntu0.5", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Nick Rosbrook ", "date": "Fri, 10 Oct 2025 12:02:16 -0400" }, { "cves": [], "log": [ "", " * Add Ubuntu 26.04 LTS \"Resolute Raccoon\" (LP: #2126961)", " * Correct date for forky", " * Correct estimation for trixie ELTS EoL to 10 years total support.", " * Update the bookworm EoL", "" ], "package": "distro-info-data", "version": "0.60ubuntu0.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2126961 ], "author": "Florent 'Skia' Jacquet ", "date": "Fri, 10 Oct 2025 11:31:14 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "intel-microcode", "from_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20250512.0ubuntu0.24.04.1", "version": "3.20250512.0ubuntu0.24.04.1" }, "to_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20250812.0ubuntu0.24.04.1", "version": "3.20250812.0ubuntu0.24.04.1" }, "cves": [ { "cve": "CVE-2025-20109", "url": "https://ubuntu.com/security/CVE-2025-20109", "cve_description": "Improper Isolation or Compartmentalization in the stream cache mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22840", "url": "https://ubuntu.com/security/CVE-2025-22840", "cve_description": "Sequence of processor instructions leads to unexpected behavior for some Intel(R) Xeon(R) 6 Scalable processors may allow an authenticated user to potentially enable escalation of privilege via local access", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22839", "url": "https://ubuntu.com/security/CVE-2025-22839", "cve_description": "Insufficient granularity of access control in the OOB-MSM for some Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22889", "url": "https://ubuntu.com/security/CVE-2025-22889", "cve_description": "Improper handling of overlap between protected memory ranges for some Intel(R) Xeon(R) 6 processor with Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-21090", "url": "https://ubuntu.com/security/CVE-2025-21090", "cve_description": "Missing reference to active allocated resource for some Intel(R) Xeon(R) processors may allow an authenticated user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-20053", "url": "https://ubuntu.com/security/CVE-2025-20053", "cve_description": "Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with SGX enabled may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-24305", "url": "https://ubuntu.com/security/CVE-2025-24305", "cve_description": "Insufficient control flow management in the Alias Checking Trusted Module (ACTM) firmware for some Intel(R) Xeon(R) processors may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-26403", "url": "https://ubuntu.com/security/CVE-2025-26403", "cve_description": "Out-of-bounds write in the memory subsystem for some Intel(R) Xeon(R) 6 processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-32086", "url": "https://ubuntu.com/security/CVE-2025-32086", "cve_description": "Improperly implemented security check for standard in the DDRIO configuration for some Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-20109", "url": "https://ubuntu.com/security/CVE-2025-20109", "cve_description": "Improper Isolation or Compartmentalization in the stream cache mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22840", "url": "https://ubuntu.com/security/CVE-2025-22840", "cve_description": "Sequence of processor instructions leads to unexpected behavior for some Intel(R) Xeon(R) 6 Scalable processors may allow an authenticated user to potentially enable escalation of privilege via local access", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22839", "url": "https://ubuntu.com/security/CVE-2025-22839", "cve_description": "Insufficient granularity of access control in the OOB-MSM for some Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-22889", "url": "https://ubuntu.com/security/CVE-2025-22889", "cve_description": "Improper handling of overlap between protected memory ranges for some Intel(R) Xeon(R) 6 processor with Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-21090", "url": "https://ubuntu.com/security/CVE-2025-21090", "cve_description": "Missing reference to active allocated resource for some Intel(R) Xeon(R) processors may allow an authenticated user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-20053", "url": "https://ubuntu.com/security/CVE-2025-20053", "cve_description": "Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with SGX enabled may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-24305", "url": "https://ubuntu.com/security/CVE-2025-24305", "cve_description": "Insufficient control flow management in the Alias Checking Trusted Module (ACTM) firmware for some Intel(R) Xeon(R) processors may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-26403", "url": "https://ubuntu.com/security/CVE-2025-26403", "cve_description": "Out-of-bounds write in the memory subsystem for some Intel(R) Xeon(R) 6 processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" }, { "cve": "CVE-2025-32086", "url": "https://ubuntu.com/security/CVE-2025-32086", "cve_description": "Improperly implemented security check for standard in the DDRIO configuration for some Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.", "cve_priority": "medium", "cve_public_date": "2025-08-12 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: New upstream microcode datafile 20250812", " - Updated microcodes:", " sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248", " sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056", " sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664", " sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896", " sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664", " sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896", " sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664", " sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896", " sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896", " sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664", " sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896", " sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288", " sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400", " sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072", " sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880", " sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256", " sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256", " sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256", " sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896", " sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112", " sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112", " sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112", " sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112", " sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224", " sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224", " - CVE-2025-20109 (INTEL-SA-01249)", " - CVE-2025-22840 (INTEL-SA-01308)", " - CVE-2025-22839 (INTEL-SA-01310)", " - CVE-2025-22889 (INTEL-SA-01311)", " - CVE-2025-21090 (INTEL-SA-01313)", " - CVE-2025-20053 (INTEL-SA-01313)", " - CVE-2025-24305 (INTEL-SA-01313)", " - CVE-2025-26403 (INTEL-SA-01367)", " - CVE-2025-32086 (INTEL-SA-01367) ", "" ], "package": "intel-microcode", "version": "3.20250812.0ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Rodrigo Figueiredo Zaiden ", "date": "Tue, 28 Oct 2025 15:28:49 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssh-4", "from_version": { "source_package_name": "libssh", "source_package_version": "0.10.6-2ubuntu0.1", "version": "0.10.6-2ubuntu0.1" }, "to_version": { "source_package_name": "libssh", "source_package_version": "0.10.6-2ubuntu0.2", "version": "0.10.6-2ubuntu0.2" }, "cves": [ { "cve": "CVE-2025-8114", "url": "https://ubuntu.com/security/CVE-2025-8114", "cve_description": "A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.", "cve_priority": "low", "cve_public_date": "2025-07-24 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8114", "url": "https://ubuntu.com/security/CVE-2025-8114", "cve_description": "A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.", "cve_priority": "low", "cve_public_date": "2025-07-24 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference", " - debian/patches/CVE-2025-8114.patch: sets rc to SSH_ERROR prior to goto", " error in ssh_make_sessionid() of src/kex.c.", " - CVE-2025-8114 ", "" ], "package": "libssh", "version": "0.10.6-2ubuntu0.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Wed, 29 Oct 2025 14:58:24 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd-shared", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-85.85", "version": "6.8.0-85.85" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-87.88", "version": "6.8.0-87.88" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-87.88", "" ], "package": "linux-meta", "version": "6.8.0-87.88", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 20:41:31 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-86.87", "" ], "package": "linux-meta", "version": "6.8.0-86.87", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Mon, 22 Sep 2025 18:19:06 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-86.86", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "6.8.0-86.86", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Mon, 22 Sep 2025 15:09:11 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.68.5+ubuntu24.04.1", "version": "2.68.5+ubuntu24.04.1" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.71+ubuntu24.04", "version": "2.71+ubuntu24.04" }, "cves": [], "launchpad_bugs_fixed": [ 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883, 2107443, 2104066, 2102456, 2106121, 2088456, 2098137, 2104933, 2098137, 2101834, 2098137, 2099709, 2098137, 2098137, 2089195, 2072987, 1712808, 1966203, 1886414, 2089691 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2118396", " - FDE: auto-repair when recovery key is used", " - FDE: revoke keys on shim update", " - FDE: revoke old TPM keys when dbx has been updated", " - FDE: do not reseal FDE hook keys every time", " - FDE: store keys in the kernel keyring when installing from initrd", " - FDE: allow disabled DMA on Core", " - FDE: snap-bootstrap: do not check for partition in scan-disk on", " CVM", " - FDE: support secboot preinstall check for 25.10+ hybrid installs", " via the /v2/system/{label} endpoint", " - FDE: support generating recovery key at install time via the", " /v2/systems/{label} endpoint", " - FDE: update passphrase quality check at install time via the", " /v2/systems/{label} endpoint", " - FDE: support replacing recovery key at runtime via the new", " /v2/system-volumes endpoint", " - FDE: support checking recovery keys at runtime via the /v2/system-", " volumes endpoint", " - FDE: support enumerating keyslots at runtime via the /v2/system-", " volumes endpoint", " - FDE: support changing passphrase at runtime via the /v2/system-", " volumes endpoint", " - FDE: support passphrase quality check at runtime via the", " /v2/system-volumes endpoint", " - FDE: update secboot to revision 3e181c8edf0f", " - Confdb: support lists and indexed paths on read and write", " - Confdb: alias references must be wrapped in brackets", " - Confdb: support indexed paths in confdb-schema assertion", " - Confdb: make API errors consistent with options", " - Confdb: fetch confdb-schema assertion on access", " - Confdb: prevent --previous from being used in read-side hooks", " - Components: fix snap command with multiple components", " - Components: set revision of seed components to x1", " - Components: unmount extra kernel-modules components mounts", " - AppArmor Prompting: add lifespan \"session\" for prompting rules", " - AppArmor Prompting: support restoring prompts after snapd restart", " - AppArmor Prompting: limit the extra information included in probed", " AppArmor features and system key", " - Notices: refactor notice state internals", " - SELinux: look for restorecon/matchpathcon at all known locations", " rather than current PATH", " - SELinux: update policy to allow watching cgroups (for RAA), and", " talking to user session agents (service mgmt/refresh)", " - Refresh App Awareness: Fix unexpected inotify file descriptor", " cleanup", " - snap-confine: workaround for glibc fchmodat() fallback and handle", " ENOSYS", " - snap-confine: add support for host policy for limiting users able", " to run snaps", " - LP: #2114923 Reject system key mismatch advise when not yet seeded", " - Use separate lanes for essential and non-essential snaps during", " seeding and allow non-essential installs to retry", " - Fix bug preventing remodel from core18 to core18 when snapd snap", " is unchanged", " - LP: #2112551 Make removal of last active revision of a snap equal", " to snap remove", " - LP: #2114779 Allow non-gpt in fallback mode to support RPi", " - Switch from using systemd LogNamespace to manually controlled", " journal quotas", " - Change snap command trace logging to only log the command names", " - Grant desktop-launch access to /v2/snaps", " - Update code for creating the snap journal stream", " - Switch from using core to snapd snap for snap debug connectivity", " - LP: #2112544 Fix offline remodel case where we switched to a", " channel without an actual refresh", " - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed", " tarball", " - LP: #1952500 Fix snap command progress reporting", " - LP: #1849346 Interfaces: kerberos-tickets | add new interface", " - Interfaces: u2f | add support for Thetis Pro", " - Interfaces: u2f | add OneSpan device and fix older device", " - Interfaces: pipewire, audio-playback | support pipewire as system", " daemon", " - Interfaces: gpg-keys | allow access to GPG agent sockets", " - Interfaces: usb-gadget | add new interface", " - Interfaces: snap-fde-control, firmware-updater-support | add new", " interfaces to support FDE", " - Interfaces: timezone-control | extend to support timedatectl", " varlink", " - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and", " procfs directories", " - Interfaces: microstack-support | allow SR-IOV attachments", " - Interfaces: modify AppArmor template to allow snaps to read their", " own systemd credentials", " - Interfaces: posix-mq | allow stat on /dev/mqueue", " - LP: #2098780 Interfaces: log-observe | add capability", " dac_read_search", " - Interfaces: block-devices | allow access to ZFS pools and datasets", " - LP: #2033883 Interfaces: block-devices | opt-in access to", " individual partitions", " - Interfaces: accel | add new interface to support accel kernel", " subsystem", " - Interfaces: shutdown | allow client to bind on its side of dbus", " socket", " - Interfaces: modify seccomp template to allow pwritev2", " - Interfaces: modify AppArmor template to allow reading", " /proc/sys/fs/nr_open", " - Packaging: drop snap.failure service for openSUSE", " - Packaging: add SELinux support for openSUSE", " - Packaging: disable optee when using nooptee build tag", " - Packaging: add support for static PIE builds in snapd.mk, drop", " pie.patch from openSUSE", " - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04", " - Packaging: use snapd.mk for packaging on Fedora", " - Packaging: exclude .git directory", " - Packaging: fix DPKG_PARSECHANGELOG assignment", " - Packaging: fix building on Fedora with dpkg installed", "" ], "package": "snapd", "version": "2.71+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883 ], "author": "Ernest Lotter ", "date": "Fri, 25 Jul 2025 13:18:47 +0200" }, { "cves": [], "log": [ "", " - FDE: Fix reseal with v1 hook key format", " - FDE: set role in TPM keys", " - AppArmor prompting (experimental): add handling for expired", " requests or listener in the kernel", " - AppArmor prompting: log the notification protocol version", " negotiated with the kernel", " - AppArmor prompting: implement notification protocol v5 (manually", " disabled for now)", " - AppArmor prompting: register listener ID with the kernel and", " resend notifications after snapd restart (requires protocol v5+)", " - AppArmor prompting: select interface from metadata tags and set", " request interface accordingly (requires protocol v5+)", " - AppArmor prompting: include request PID in prompt", " - AppArmor prompting: move the max prompt ID file to a subdirectory", " of the snap run directory", " - AppArmor prompting: avoid race between closing/reading socket fd", " - Confdb (experimental): make save/load hooks mandatory if affecting", " ephemeral", " - Confdb: clear tx state on failed load", " - Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g.", " confdb-schema)", " - Confdb: add NestedEphemeral to confdb schemas", " - Confdb: add early concurrency checks", " - Simplify building Arch package", " - Enable snapd.apparmor on Fedora", " - Build snapd snap with libselinux", " - Emit snapd.apparmor warning only when using apparmor backend", " - When running snap, on system key mismatch e.g. due to network", " attached HOME, trigger and wait for a security profiles", " regeneration", " - Avoid requiring state lock to get user, warnings, or pending", " restarts when handling API requests", " - Start/stop ssh.socket for core24+ when enabling/disabling the ssh", " service", " - Allow providing a different base when overriding snap", " - Modify snap-bootstrap to mount snapd snap directly to /snap", " - Modify snap-bootstrap to mount /lib/{modules,firmware} from snap", " as fallback", " - Modify core-initrd to use systemctl reboot instead of /sbin/reboot", " - Copy the initramfs 'manifest-initramfs.yaml' to initramfs file", " creation directory so it can be copied to the kernel snap", " - Build the early initrd from installed ucode packages", " - Create drivers tree when remodeling from UC20/22 to UC24", " - Load gpio-aggregator module before the helper-service needs it", " - Run 'systemctl start' for mount units to ensure they are run also", " when unchanged", " - Update godbus version to 'v5 v5.1.0'", " - Add support for POST to /v2/system-info with system-key-mismatch", " indication from the client", " - Add 'snap sign --update-timestamp' flag to update timestamp before", " signing", " - Add vfs support for snap-update-ns to use to simulate and evaluate", " mount sequences", " - Add refresh app awareness debug logging", " - Add snap-bootstrap scan-disk subcommand to be called from udev", " - Add feature to inject proxy store assertions in build image", " - Add OP-TEE bindings, enable by default in ARM and ARM64 builds", " - Fix systemd dependency options target to go under 'unit' section", " - Fix snap-bootstrap reading kernel snap instead of base resulting", " in bad modeenv", " - Fix a regression during seeding when using early-config", " - LP: #2107443 reset SHELL to /bin/bash in non-classic snaps", " - Make Azure kernels reboot upon panic", " - Fix snap-confine to not drop capabilities if the original user is", " already root", " - Fix data race when stopping services", " - Fix task dependency issue by temporarily disable re-refresh on", " prerequisite updates", " - Fix compiling against op-tee on armhf", " - Fix dbx update when not using FDE", " - Fix potential validation set deadlock due to bases waiting on", " snaps", " - LP: #2104066 Only cancel notices requests on stop/shutdown", " - Interfaces: bool-file | fix gpio glob pattern as required for", " '[XXXX]*' format", " - Interfaces: system-packages-doc | allow access to", " /usr/local/share/doc", " - Interfaces: ros-snapd-support interface | added new interface", " - Interfaces: udisks2 | allow chown capability", " - Interfaces: system-observe | allow reading cpu.max", " - Interfaces: serial-port | add ttyMAXX to allowed list", " - Interfaces: modified seccomp template to disallow", " 'O_NOTIFICATION_PIPE'", " - Interfaces: fwupd | add support for modem-manager plugin", " - Interfaces: gpio-chardev | make unsupported and remove", " experimental flag to hide this feature until gpio-aggregator is", " available", " - Interfaces: hardware-random | fix udev match rule", " - Interfaces: timeserver-control | extend to allow timedatectl", " timesync commands", " - Interfaces: add symlinks backend", " - Interfaces: system key mismatch handling", "" ], "package": "snapd", "version": "2.70+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2107443, 2104066 ], "author": "Ernest Lotter ", "date": "Tue, 03 Jun 2025 11:46:44 +0200" }, { "cves": [], "log": [ "", " - FDE: re-factor listing of the disks based on run mode model and", " model to correctly resolve paths", " - FDE: run snapd from snap-failure with the correct keyring mode", " - Snap components: allow remodeling back to an old snap revision", " that includes components", " - Snap components: fix remodel to a kernel snap that is already", " installed on the system, but not the current kernel due to a", " previous remodel.", " - Snap components: fix for snapctl inputs that can crash snapd", " - Confdb (experimental): load ephemeral data when reading data via", " snapctl get", " - Confdb (experimental): load ephemeral data when reading data via", " snap get", " - Confdb (experimental): rename {plug}-view-changed hook to observe-", " view-{plug}", " - Confdb (experimental): rename confdb assertion to confdb-schema", " - Confdb (experimental): change operator grouping in confdb-control", " assertion", " - Confdb (experimental): add confdb-control API", " - AppArmor: extend the probed features to include the presence of", " files, as well as directories", " - AppArmor prompting (experimental): simplify the listener", " - AppArmor metadata tagging (disabled): probe parser support for", " tags", " - AppArmor metadata tagging (disabled): implement notification", " protocol v5", " - Confidential VMs: sysroot.mount is now dynamically created by", " snap-bootstrap instead of being a static file in the initramfs", " - Confidential VMs: Add new implementation of snap integrity API", " - Non-suid snap-confine: first phase to replace snap-confine suid", " with capabilities to achieve the required permissions", " - Initial changes for dynamic security profiles updates", " - Provide snap icon fallback for /v2/icons without requiring network", " access at runtime", " - Add eMMC gadget update support", " - Support reexec when using /usr/libexec/snapd on the host (Arch", " Linux, openSUSE)", " - Auto detect snap mount dir location on unknown distributions", " - Modify snap-confine AppArmor template to allow all glibc HWCAPS", " subdirectories to prevent launch errors", " - LP: #2102456 update secboot to bf2f40ea35c4 and modify snap-", " bootstrap to remove usage of go templates to reduce size by 4MB", " - Fix snap-bootstrap to mount kernel snap from", " /sysroot/writable/system-data", " - LP: #2106121 fix snap-bootstrap busy loop", " - Fix encoding of time.Time by using omitzero instead of omitempty", " (on go 1.24+)", " - Fix setting snapd permissions through permctl for openSUSE", " - Fix snap struct json tags typo", " - Fix snap pack configure hook permissions check incorrect file mode", " - Fix gadget snap reinstall to honor existing sizes of partitions", " - Fix to update command line when re-executing a snapd tool", " - Fix 'snap validate' of specific missing newline and add error on", " missed case of 'snap validate --refresh' without another action", " - Workaround for snapd-confine time_t size differences between", " architectures", " - Disallow pack and install of snapd, base and os with specific", " configure hooks", " - Drop udev build dependency that is no longer required and add", " missing systemd-dev dependency", " - Build snap-bootstrap with nomanagers tag to decrease size by 1MB", " - Interfaces: polkit | support custom polkit rules", " - Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is", " confined by AppArmor", " - Interfaces: log-observe | add missing udev rule", " - Interfaces: hostname-control | fix call to hostnamectl in core24", " - Interfaces: network-control | allow removing created network", " namespaces", " - Interfaces: scsi-generic | re-enable base declaration for scsi-", " generic plug", " - Interfaces: u2f | add support for Arculus AuthentiKey", "" ], "package": "snapd", "version": "2.69+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2102456, 2106121, 2088456 ], "author": "Ernest Lotter ", "date": "Tue, 08 Apr 2025 12:53:39 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - Snap components: LP: #2104933 workaround for classic 24.04/24.10", " models that incorrectly specify core22 instead of core24", " - Update build dependencies", "" ], "package": "snapd", "version": "2.68.4", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137, 2104933 ], "author": "Ernest Lotter ", "date": "Wed, 02 Apr 2025 19:48:25 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to", " old keyring path", " - Fix Plucky snapd deb build issue related to /var/lib/snapd/void", " permissions", " - Fix snapd deb build complaint about ifneq with extra bracket", "" ], "package": "snapd", "version": "2.68.3", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137, 2101834 ], "author": "Ernest Lotter ", "date": "Mon, 10 Mar 2025 20:13:38 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - FDE: use boot mode for FDE hooks", " - FDE: add snap-bootstrap compatibility check to prevent image", " creation with incompatible snapd and kernel snap", " - FDE: add argon2 out-of-process KDF support", " - FDE: have separate mutex for the sections writing a fresh modeenv", " - FDE: LP: #2099709 update secboot to e07f4ae48e98", " - Confdb: support pruning ephemeral data and process alternative", " types in order", " - core-initrd: look at env to mount directly to /sysroot", " - core-initrd: prepare for Plucky build and split out 24.10", " (Oracular)", " - Fix missing primed packages in snapd snap manifest", " - Interfaces: posix-mq | fix incorrect clobbering of global variable", " and make interface more precise", " - Interfaces: opengl | add more kernel fusion driver files", "" ], "package": "snapd", "version": "2.68.2", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137, 2099709 ], "author": "Ernest Lotter ", "date": "Thu, 27 Feb 2025 09:56:20 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - Fix snap-confine type specifier type mismatch on armhf", "" ], "package": "snapd", "version": "2.68.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137 ], "author": "Ernest Lotter ", "date": "Mon, 24 Feb 2025 10:31:49 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - FDE: add support for new and more extensible key format that is", " unified between TPM and FDE hook", " - FDE: add support for adding passphrases during installation", " - FDE: update secboot to 30317622bbbc", " - Snap components: make kernel components available on firstboot", " after either initramfs or ephemeral rootfs style install", " - Snap components: mount drivers tree from initramfs so kernel", " modules are available in early boot stages", " - Snap components: support remodeling to models that contain", " components", " - Snap components: support offline remodeling to models that contain", " components", " - Snap components: support creating new recovery systems with", " components", " - Snap components: support downloading components with 'snap", " download' command", " - Snap components: support sideloading asserted components", " - AppArmor Prompting(experimental): improve version checks and", " handling of listener notification protocol for communication with", " kernel AppArmor", " - AppArmor Prompting(experimental): make prompt replies idempotent,", " and have at most one rule for any given path pattern, with", " potentially mixed outcomes and lifespans", " - AppArmor Prompting(experimental): timeout unresolved prompts after", " a period of client inactivity", " - AppArmor Prompting(experimental): return an error if a patch", " request to the API would result in a rule without any permissions", " - AppArmor Prompting(experimental): warn if there is no prompting", " client present but prompting is enabled, or if a prompting-related", " error occurs during snapd startup", " - AppArmor Prompting(experimental): do not log error when converting", " empty permissions to AppArmor permissions", " - Confdb(experimental): rename registries to confdbs (including API", " /v2/registries => /v2/confdb)", " - Confdb(experimental): support marking confdb schemas as ephemeral", " - Confdb(experimental): add confdb-control assertion and feature", " flag", " - Refresh App Awareness(experimental): LP: #2089195 prevent", " possibility of incorrect notification that snap will quit and", " update", " - Confidential VMs: snap-bootstrap support for loading partition", " information from a manifest file for cloudimg-rootfs mode", " - Confidential VMs: snap-bootstrap support for setting up cloudimg-", " rootfs as an overlayfs with integrity protection", " - dm-verity for essential snaps: add support for snap-integrity", " assertion", " - Interfaces: modify AppArmor template to allow owner read on", " @{PROC}/@{pid}/fdinfo/*", " - Interfaces: LP: #2072987 modify AppArmor template to allow using", " setpriv to run daemon as non-root user", " - Interfaces: add configfiles backend that ensures the state of", " configuration files in the filesystem", " - Interfaces: add ldconfig backend that exposes libraries coming", " from snaps to either the rootfs or to other snaps", " - Interfaces: LP: #1712808 LP: 1865503 disable udev backend when", " inside a container", " - Interfaces: add auditd-support interface that grants audit_control", " capability and required paths for auditd to function", " - Interfaces: add checkbox-support interface that allows", " unrestricted access to all devices", " - Interfaces: fwupd | allow access to dell bios recovery", " - Interfaces: fwupd | allow access to shim and fallback shim", " - Interfaces: mount-control | add mount option validator to detect", " mount option conflicts early", " - Interfaces: cpu-control | add read access to /sys/kernel/irq/", " - Interfaces: locale-control | changed to be implicit on Ubuntu Core", " Desktop", " - Interfaces: microstack-support | support for utilizing of AMD SEV", " capabilities", " - Interfaces: u2f | added missing OneSpan device product IDs", " - Interfaces: auditd-support | grant seccomp setpriority", " - Interfaces: opengl interface | enable parsing of nvidia driver", " information files", " - Allow mksquashfs 'xattrs' when packing snap types os, core, base", " and snapd as part of work to support non-root snap-confine", " - Upstream/downstream packaging changes and build updates", " - Improve error logs for malformed desktop files to also show which", " desktop file is at fault", " - Provide more precise error message when overriding channels with", " grade during seed creation", " - Expose 'snap prepare-image' validation parameter", " - Add snap-seccomp 'dump' command that dumps the filter rules from a", " compiled profile", " - Add fallback release info location /etc/initrd-release", " - Added core-initrd to snapd repo and fixed issues with ubuntu-core-", " initramfs deb builds", " - Remove stale robust-mount-namespace-updates experimental feature", " flag", " - Remove snapd-snap experimental feature (rejected) and it's feature", " flag", " - Changed snap-bootstrap to mount base directly on /sysroot", " - Mount ubuntu-seed mounted as no-{suid,exec,dev}", " - Mapping volumes to disks: add support for volume-assignments in", " gadget", " - Fix silently broken binaries produced by distro patchelf 0.14.3 by", " using locally build patchelf 0.18", " - Fix mismatch between listed refresh candidates and actual refresh", " due to outdated validation sets", " - Fix 'snap get' to produce compact listing for tty", " - Fix missing store-url by keeping it as part of auxiliary store", " info", " - Fix snap-confine attempting to retrieve device cgroup setup inside", " container where it is not available", " - Fix 'snap set' and 'snap get' panic on empty strings with early", " error checking", " - Fix logger debug entries to show correct caller and file", " information", " - Fix issue preventing hybrid systems from being seeded on first", " boot", " - LP: #1966203 remove auto-import udev rules not required by deb", " package to avoid unwanted syslog errors", " - LP: #1886414 fix progress reporting when stdout is on a tty, but", " stdin is not", "" ], "package": "snapd", "version": "2.68", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137, 2089195, 2072987, 1712808, 1966203, 1886414 ], "author": "Ernest Lotter ", "date": "Thu, 13 Feb 2025 12:42:09 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2089691", " - Fix apparmor permissions to allow snaps access to kernel modules", " and firmware on UC24, which also fixes the kernel-modules-control", " interface on UC24", " - AppArmor prompting (experimental): disallow /./ and /../ in path", " patterns", " - Fix 'snap run' getent based user lookup in case of bad PATH", " - Fix snapd using the incorrect AppArmor version during undo of an", " refresh for regenerating snap profiles", " - Add new syscalls to base templates", " - hardware-observe interface: allow riscv_hwprobe syscall", " - mount-observe interface: allow listmount and statmount syscalls", "" ], "package": "snapd", "version": "2.67.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2089691 ], "author": "Ernest Lotter ", "date": "Wed, 15 Jan 2025 22:02:37 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-dev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-resolved", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.10", "version": "255.4-1ubuntu8.10" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "cves": [], "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "changes": [ { "cves": [], "log": [ "", " [ Nick Rosbrook ]", " * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)", " * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)", " - d/t/control: add Depends: dnsmasq-base", " (Revealed by test progressing past previous failure)", " * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)", " Backport the logic from plucky onward, but adjust the version string for", " noble.", " * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED", " Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,", " only targeting TEST-75-RESOLVED.", "", " [ Matthew Ruffell ]", " * pcrlock: handle measurement logs where hash algs in header.", " Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs", " (LP: #2115391)", "", " [ Chengen Du ]", " * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist", " (LP: #2115418)", "", " [ Mario Limonciello ]", " * Drop support for using actual brightness (LP: #2110585)", "" ], "package": "systemd", "version": "255.4-1ubuntu8.11", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2112237, 2115263, 2044104, 2115391, 2115418, 2110585 ], "author": "Nick Rosbrook ", "date": "Fri, 11 Jul 2025 14:52:59 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-6.8.0-87-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-85.85", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-87.88", "version": "6.8.0-87.88" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-87.88", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-87.88", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 20:41:40 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-86.87", "" ], "package": "linux-signed", "version": "6.8.0-86.87", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Mon, 22 Sep 2025 18:18:42 +0200" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-86.86", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-86.86", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Mon, 22 Sep 2025 15:08:57 +0200" } ], "notes": "linux-image-6.8.0-87-generic version '6.8.0-87.88' (source package linux-signed version '6.8.0-87.88') was added. linux-image-6.8.0-87-generic version '6.8.0-87.88' has the same source package name, linux-signed, as removed package linux-image-6.8.0-85-generic. As such we can use the source package version of the removed package, '6.8.0-85.85', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-87-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-85.85", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-87.88", "version": "6.8.0-87.88" }, "cves": [ { "cve": "CVE-2025-37838", "url": "https://ubuntu.com/security/CVE-2025-37838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().", "cve_priority": "medium", "cve_public_date": "2025-04-18 15:15:00 UTC" }, { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" }, { "cve": "CVE-2025-38352", "url": "https://ubuntu.com/security/CVE-2025-38352", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.", "cve_priority": "high", "cve_public_date": "2025-07-22 08:15:00 UTC" }, { "cve": "CVE-2025-38118", "url": "https://ubuntu.com/security/CVE-2025-38118", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "high", "cve_public_date": "2025-07-03 09:15:00 UTC" }, { "cve": "CVE-2025-22028", "url": "https://ubuntu.com/security/CVE-2025-22028", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22036", "url": "https://ubuntu.com/security/CVE-2025-22036", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. mpage_read_folio <> do_mpage_readpage exfat_get_block bh_read __bh_read \t get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <> ... ... ... ... <> . . another_function <> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head.", "cve_priority": "high", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22039", "url": "https://ubuntu.com/security/CVE-2025-22039", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access to the DACL.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22062", "url": "https://ubuntu.com/security/CVE-2025-22062", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 Call Trace: udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 do_splice_from fs/splice.c:935 [inline] direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 do_splice_direct_actor fs/splice.c:1201 [inline] do_splice_direct+0x174/0x240 fs/splice.c:1227 do_sendfile+0xafd/0xe50 fs/read_write.c:1368 __do_sys_sendfile64 fs/read_write.c:1429 [inline] __se_sys_sendfile64 fs/read_write.c:1415 [inline] __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22065", "url": "https://ubuntu.com/security/CVE-2025-22065", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net//device/sriov_numvfs reboot BUG: kernel NULL pointer dereference, address: 0000000000000020 ... RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] ... ? idpf_remove+0x22/0x1f0 [idpf] ? idpf_remove+0x1e4/0x1f0 [idpf] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19f/0x200 pci_stop_bus_device+0x6d/0x90 pci_stop_and_remove_bus_device+0x12/0x20 pci_iov_remove_virtfn+0xbe/0x120 sriov_disable+0x34/0xe0 idpf_sriov_configure+0x58/0x140 [idpf] idpf_remove+0x1b9/0x1f0 [idpf] idpf_shutdown+0x12/0x30 [idpf] pci_device_shutdown+0x35/0x60 device_shutdown+0x156/0x200 ... Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22068", "url": "https://ubuntu.com/security/CVE-2025-22068", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk: make sure ubq->canceling is set when queue is frozen Now ublk driver depends on `ubq->canceling` for deciding if the request can be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd() and io_uring_cmd_done(). So set ubq->canceling when queue is frozen, this way makes sure that the flag can be observed from ublk_queue_rq() reliably, and avoids use-after-free on uring_cmd.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22070", "url": "https://ubuntu.com/security/CVE-2025-22070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix NULL pointer dereference on mkdir When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.: setfacl -m default:group:simpsons:rwx parentdir then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fs_set_create_acl() call expects a valid non-NULL 'fid' pointer: [ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 37.322338] Call Trace: [ 37.323043] [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714) [ 37.325532] ? search_module_extables (kernel/module/main.c:3733) [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804) [ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) [ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p [ 37.338590] vfs_mkdir (fs/namei.c:4313) [ 37.339535] do_mkdirat (fs/namei.c:4336) [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354) [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by simply swapping the sequence of these two calls in v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before v9fs_fid_add().", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-40114", "url": "https://ubuntu.com/security/CVE-2025-40114", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) overrun-local: Overrunning array veml6075_it_ms of 5 4-byte elements at element index 7 (byte offset 31) using index int_index (which evaluates to 7) This is hardening against potentially broken hardware. Good to have but not necessary to backport.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22025", "url": "https://ubuntu.com/security/CVE-2025-22025", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nfsd: put dl_stid if fail to queue dl_recall Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak: unreferenced object 0xffff88812067b578 (size 344): comm \"nfsd\", pid 2761, jiffies 4295044002 (age 5541.241s) hex dump (first 32 bytes): 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........ 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N.. backtrace: kmem_cache_alloc+0x4b9/0x700 nfsd4_process_open1+0x34/0x300 nfsd4_open+0x2d1/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 unreferenced object 0xffff8881499f4d28 (size 368): comm \"nfsd\", pid 2761, jiffies 4295044005 (age 5541.239s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I.... 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... ....... backtrace: kmem_cache_alloc+0x4b9/0x700 nfs4_alloc_stid+0x29/0x210 alloc_init_deleg+0x92/0x2e0 nfs4_set_delegation+0x284/0xc00 nfs4_open_delegation+0x216/0x3f0 nfsd4_process_open2+0x2b3/0xee0 nfsd4_open+0x770/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22027", "url": "https://ubuntu.com/security/CVE-2025-22027", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-39735", "url": "https://ubuntu.com/security/CVE-2025-39735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the \"size_check\" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs \"ea_get: invalid extended attribute\" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: \tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads \"size\" to wrap around and become negative (-184549328). The \"size\" is then passed to print_hex_dump() (called \"len\" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called \"int remaining\", which is then assigned to \"int linelen\" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration: \tfor (i = 0; i < len; i += rowsize) { \t\tlinelen = min(remaining, rowsize); \t\tremaining -= rowsize; \t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, \t\t\t\t linebuf, sizeof(linebuf), ascii); \t\t... \t} The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the \"ptr+i\" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of \"ptr\", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop: \tfor (j = 0; j < len; j++) { \t\t\tif (linebuflen < lx + 2) \t\t\t\tgoto overflow2; \t\t\tch = ptr[j]; \t\t... \t} To fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\" before it is utilised.", "cve_priority": "high", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22033", "url": "https://ubuntu.com/security/CVE-2025-22033", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22035", "url": "https://ubuntu.com/security/CVE-2025-22035", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22038", "url": "https://ubuntu.com/security/CVE-2025-22038", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22040", "url": "https://ubuntu.com/security/CVE-2025-22040", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22041", "url": "https://ubuntu.com/security/CVE-2025-22041", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() In multichannel mode, UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. session that is freed through the global session table can be accessed again through ->sessions of connection.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22042", "url": "https://ubuntu.com/security/CVE-2025-22042", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for create lease context Add missing bounds check for create lease context.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22044", "url": "https://ubuntu.com/security/CVE-2025-22044", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): \"only secondary bus families can be translated\". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero. Furthermore, it is best to return EINVAL immediately upon seeing the invalid user input. The WARNING is insufficient to prevent further undefined behavior based on other invalid user input. All checks of the input value should be applied to the original variable call_pkg->nd_family. [iweiny: update commit message]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22045", "url": "https://ubuntu.com/security/CVE-2025-22045", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch \"x86/mm: only invalidate final translations with INVLPGB\" which is currently under review (see ) would probably be making the impact of this a lot worse.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22050", "url": "https://ubuntu.com/security/CVE-2025-22050", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued. Subsequent processes: (e.g., rx_complete → defer_bh → __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic).", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22053", "url": "https://ubuntu.com/security/CVE-2025-22053", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: ibmveth: make veth_pool_store stop hanging v2: - Created a single error handling unlock and exit in veth_pool_store - Greatly expanded commit message with previous explanatory-only text Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventing multiple calls in a row to napi_disable. Background: Two (or more) threads could call veth_pool_store through writing to /sys/devices/vio/30000002/pool*/*. You can do this easily with a little shell script. This causes a hang. I configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new kernel. I ran this test again and saw: Setting pool0/active to 0 Setting pool1/active to 1 [ 73.911067][ T4365] ibmveth 30000002 eth0: close starting Setting pool1/active to 1 Setting pool1/active to 0 [ 73.911367][ T4366] ibmveth 30000002 eth0: close starting [ 73.916056][ T4365] ibmveth 30000002 eth0: close complete [ 73.916064][ T4365] ibmveth 30000002 eth0: open starting [ 110.808564][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 230.808495][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 243.683786][ T123] INFO: task stress.sh:4365 blocked for more than 122 seconds. [ 243.683827][ T123] Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8 [ 243.683833][ T123] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. [ 243.683838][ T123] task:stress.sh state:D stack:28096 pid:4365 tgid:4365 ppid:4364 task_flags:0x400040 flags:0x00042000 [ 243.683852][ T123] Call Trace: [ 243.683857][ T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable) [ 243.683868][ T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0 [ 243.683878][ T123] [c00000000c38f8a0] [c000000001549a70] __schedule+0x500/0x12a0 [ 243.683888][ T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210 [ 243.683896][ T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50 [ 243.683904][ T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0 [ 243.683913][ T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60 [ 243.683921][ T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc [ 243.683928][ T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270 [ 243.683936][ T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0 [ 243.683944][ T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0 [ 243.683951][ T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650 [ 243.683958][ T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150 [ 243.683966][ T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340 [ 243.683973][ T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec ... [ 243.684087][ T123] Showing all locks held in the system: [ 243.684095][ T123] 1 lock held by khungtaskd/123: [ 243.684099][ T123] #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248 [ 243.684114][ T123] 4 locks held by stress.sh/4365: [ 243.684119][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243.684132][ T123] #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0 [ 243.684143][ T123] #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0 [ 243.684155][ T123] #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60 [ 243.684166][ T123] 5 locks held by stress.sh/4366: [ 243.684170][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243. ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22054", "url": "https://ubuntu.com/security/CVE-2025-22054", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, com20020pci_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensure no resources are left allocated.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22055", "url": "https://ubuntu.com/security/CVE-2025-22055", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22056", "url": "https://ubuntu.com/security/CVE-2025-22056", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ 6.989857] ================================================================== [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 [ 6.991162] [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 6.992281] Call Trace: [ 6.992423] [ 6.992586] dump_stack_lvl+0x44/0x5c [ 6.992801] print_report+0x184/0x4be [ 6.993790] kasan_report+0xc5/0x100 [ 6.994252] kasan_check_range+0xf3/0x1a0 [ 6.994486] memcpy+0x38/0x60 [ 6.994692] nft_tunnel_obj_init+0x977/0xa70 [ 6.995677] nft_obj_init+0x10c/0x1b0 [ 6.995891] nf_tables_newobj+0x585/0x950 [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 [ 6.998997] nfnetlink_rcv+0x1df/0x220 [ 6.999537] netlink_unicast+0x395/0x530 [ 7.000771] netlink_sendmsg+0x3d0/0x6d0 [ 7.001462] __sock_sendmsg+0x99/0xa0 [ 7.001707] ____sys_sendmsg+0x409/0x450 [ 7.002391] ___sys_sendmsg+0xfd/0x170 [ 7.003145] __sys_sendmsg+0xea/0x170 [ 7.004359] do_syscall_64+0x5e/0x90 [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 7.006127] RIP: 0033:0x7ec756d4e407 [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 Fix this bug with correct pointer addition and conversion in parse and dump code.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22057", "url": "https://ubuntu.com/security/CVE-2025-22057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: decrease cached dst counters in dst_release Upstream fix ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels are used, this fix is incomplete as the same issue will be seen for cached dsts: Unable to handle kernel paging request at virtual address ffff5aabf6b5c000 Call trace: percpu_counter_add_batch+0x3c/0x160 (P) dst_release+0xec/0x108 dst_cache_destroy+0x68/0xd8 dst_destroy+0x13c/0x168 dst_destroy_rcu+0x1c/0xb0 rcu_do_batch+0x18c/0x7d0 rcu_core+0x174/0x378 rcu_core_si+0x18/0x30 Fix this by invalidating the cache, and thus decrementing cached dst counters, in dst_release too.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22058", "url": "https://ubuntu.com/security/CVE-2025-22058", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data)", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22060", "url": "https://ubuntu.com/security/CVE-2025-22060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free rows in the hardware table, it must also be protected in order to avoid TOCTOU errors where multiple cores allocate the same row. This issue was detected in a situation where `mvpp2_set_rx_mode()` ran concurrently on two CPUs. In this particular case the MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the classifier unit to drop all incoming unicast - indicated by the `rx_classifier_drops` counter.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-38637", "url": "https://ubuntu.com/security/CVE-2025-38637", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: skbprio: Remove overly strict queue assertions In the current implementation, skbprio enqueue/dequeue contains an assertion that fails under certain conditions when SKBPRIO is used as a child qdisc under TBF with specific parameters. The failure occurs because TBF sometimes peeks at packets in the child qdisc without actually dequeuing them when tokens are unavailable. This peek operation creates a discrepancy between the parent and child qdisc queue length counters. When TBF later receives a high-priority packet, SKBPRIO's queue length may show a different value than what's reflected in its internal priority queue tracking, triggering the assertion. The fix removes this overly strict assertions in SKBPRIO, they are not necessary at all.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22063", "url": "https://ubuntu.com/security/CVE-2025-22063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. Inside this function, the following code is executed: sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; Since sk is an IPv4 socket, pinet6 is NULL, leading to a null pointer dereference. This patch fixes the issue by checking if inet6_sk(sk) returns a NULL pointer before accessing pinet6.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22064", "url": "https://ubuntu.com/security/CVE-2025-22064", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assignment into the registration block.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22066", "url": "https://ubuntu.com/security/CVE-2025-22066", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, imx_card_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2023-53034", "url": "https://ubuntu.com/security/CVE-2023-53034", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22071", "url": "https://ubuntu.com/security/CVE-2025-22071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak in spufs_create_context() Leak fixes back in 2008 missed one case - if we are trying to set affinity and spufs_mkdir() fails, we need to drop the reference to neighbor.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22072", "url": "https://ubuntu.com/security/CVE-2025-22072", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix gang directory lifetimes prior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and kept it alive until the gang got closed, removal failed and we ended up with a leak. Unfortunately, it had been fixed the wrong way. Dentry of gang directory was no longer pinned, and rmdir on close was gone. One problem was that failure of open kept calling simple_rmdir() as cleanup, which meant an unbalanced dput(). Another bug was in the success case - gang creation incremented link count on root directory, but that was no longer undone when gang got destroyed. Fix consists of \t* reverting the commit in question \t* adding a counter to gang, protected by ->i_rwsem of gang directory inode. \t* having it set to 1 at creation time, dropped in both spufs_dir_close() and spufs_gang_close() and bumped in spufs_create_context(), provided that it's not 0. \t* using simple_recursive_removal() to take the gang directory out when counter reaches zero.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22073", "url": "https://ubuntu.com/security/CVE-2025-22073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak on spufs_new_file() failure It's called from spufs_fill_dir(), and caller of that will do spufs_rmdir() in case of failure. That does remove everything we'd managed to create, but... the problem dentry is still negative. IOW, it needs to be explicitly dropped.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-38575", "url": "https://ubuntu.com/security/CVE-2025-38575", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: use aead_request_free to match aead_request_alloc Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22075", "url": "https://ubuntu.com/security/CVE-2025-22075", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Allocate vfinfo size for VF GUIDs when supported Commit 30aad41721e0 (\"net/core: Add support for getting VF GUIDs\") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs: # echo 64 > /sys/bus/pci/devices/0000\\:08\\:00.0/sriov_numvfs # ip link show dev ib0 RTNETLINK answers: Message too long Cannot send link get request: Message too long Kernel warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0 Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rtnl_getlink+0x586/0x5a0 Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ffff888113557348 EFLAGS: 00010246 RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8 RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000 R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00 R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn+0xa5/0x230 ? rtnl_getlink+0x586/0x5a0 ? report_bug+0x22d/0x240 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? skb_trim+0x6a/0x80 ? rtnl_getlink+0x586/0x5a0 ? __pfx_rtnl_getlink+0x10/0x10 ? rtnetlink_rcv_msg+0x1e5/0x860 ? __pfx___mutex_lock+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx_lock_acquire+0x10/0x10 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1d/0x70 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 rtnetlink_rcv_msg+0x21c/0x860 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? arch_stack_walk+0x9e/0xf0 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 ? rcu_is_watching+0x34/0x60 netlink_rcv_skb+0xe0/0x210 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx___netlink_lookup+0x10/0x10 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0xfd/0x290 ? rcu_is_watching+0x34/0x60 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0x95/0x290 netlink_unicast+0x31f/0x480 ? __pfx_netlink_unicast+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 netlink_sendmsg+0x369/0x660 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ? import_ubuf+0xb9/0xf0 ? __import_iovec+0x254/0x2b0 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ____sys_sendmsg+0x559/0x5a0 ? __pfx_____sys_sendmsg+0x10/0x10 ? __pfx_copy_msghdr_from_user+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? do_read_fault+0x213/0x4a0 ? rcu_is_watching+0x34/0x60 ___sys_sendmsg+0xe4/0x150 ? __pfx____sys_sendmsg+0x10/0x10 ? do_fault+0x2cc/0x6f0 ? handle_pte_fault+0x2e3/0x3d0 ? __pfx_handle_pte_fault+0x10/0x10 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-37937", "url": "https://ubuntu.com/security/CVE-2025-37937", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening. Fixes the following warning with an UBSAN kernel: drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-22079", "url": "https://ubuntu.com/security/CVE-2025-22079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate l_tree_depth to avoid out-of-bounds access The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is limited to OCFS2_MAX_PATH_DEPTH. Add a check to prevent out-of-bounds access if l_tree_depth has an invalid value, which may occur when reading from a corrupted mounted disk [1].", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22080", "url": "https://ubuntu.com/security/CVE-2025-22080", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The \"de_off\" and \"used\" variables come from the disk so they both need to check. The problem is that on 32bit systems if they're both greater than UINT_MAX - 16 then the check does work as intended because of an integer overflow.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22081", "url": "https://ubuntu.com/security/CVE-2025-22081", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the \"off + sizeof(struct NTFS_DE)\" addition can have an integer wrapping issue. Fix it by using size_add().", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22083", "url": "https://ubuntu.com/security/CVE-2025-22083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22086", "url": "https://ubuntu.com/security/CVE-2025-22086", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number. Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below. This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver whereas the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp. BUG: kernel NULL pointer dereference, address: 0000000000000012 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 Call Trace: ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] __ib_process_cq+0x5a/0x150 [ib_core] ib_cq_poll_work+0x31/0x90 [ib_core] process_one_work+0x169/0x320 worker_thread+0x288/0x3a0 ? work_busy+0xb0/0xb0 kthread+0xd7/0x1f0 ? kthreads_online_cpu+0x130/0x130 ? kthreads_online_cpu+0x130/0x130 ret_from_fork+0x2d/0x50 ? kthreads_online_cpu+0x130/0x130 ret_from_fork_asm+0x11/0x20 ", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22089", "url": "https://ubuntu.com/security/CVE-2025-22089", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a (\"RDMA/core: Split port and device counter sysfs attributes\") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access in kernel mode [42021.819549] #PF: error_code(0x0000) - not-present page [42021.824636] PGD 0 P4D 0 [42021.827145] Oops: 0000 [#1] SMP PTI [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX [42021.841697] Hardware name: XXX [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [42021.949324] Call Trace: [42021.951756] [42021.953842] [] ? show_regs+0x64/0x70 [42021.959030] [] ? __die+0x78/0xc0 [42021.963874] [] ? page_fault_oops+0x2b5/0x3b0 [42021.969749] [] ? exc_page_fault+0x1a2/0x3c0 [42021.975549] [] ? asm_exc_page_fault+0x26/0x30 [42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] [42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core] [42021.995438] [] dev_attr_show+0x1e/0x50 [42022.000803] [] sysfs_kf_seq_show+0x81/0xe0 [42022.006508] [] seq_read_iter+0xf4/0x410 [42022.011954] [] vfs_read+0x16e/0x2f0 [42022.017058] [] ksys_read+0x6e/0xe0 [42022.022073] [] do_syscall_64+0x6a/0xa0 [42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2 The problem can be reproduced using the following steps: ip netns add foo ip netns exec foo bash cat /sys/class/infiniband/mlx4_0/hw_counters/* The panic occurs because of casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption. However the real problem is that hw counters should never been exposed outside of the non-init net namespace. Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to hw_counters group for compat devices during the initialization. With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-39728", "url": "https://ubuntu.com/security/CVE-2025-39728", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: clk: samsung: Fix UBSAN panic in samsung_clk_init() With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to dereferencing `ctx->clk_data.hws` before setting `ctx->clk_data.num = nr_clks`. Move that up to fix the crash. UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP Call trace: samsung_clk_init+0x110/0x124 (P) samsung_clk_init+0x48/0x124 (L) samsung_cmu_register_one+0x3c/0xa0 exynos_arm64_register_cmu+0x54/0x64 __gs101_cmu_top_of_clk_init_declare+0x28/0x60 ...", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22090", "url": "https://ubuntu.com/security/CVE-2025-22090", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not copied. The easiest fix would be to simply clear the VM_PAT flag of the dst VMA if track_pfn_copy() fails. However, the whole thing is about \"simply\" clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() and performed a reservation, but copying the page tables fails, we'll simply clear the VM_PAT flag, not properly undoing the reservation ... which is also wrong. So let's fix it properly: set the VM_PAT flag only if the reservation succeeded (leaving it clear initially), and undo the reservation if anything goes wrong while copying the page tables: clearing the VM_PAT flag after undoing the reservation. Note that any copied page table entries will get zapped when the VMA will get removed later, after copy_page_range() succeeded; as VM_PAT is not set then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be happy. Note that leaving these page tables in place without a reservation is not a problem, as we are aborting fork(); this process will never run. A reproducer can trigger this usually at the first try: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 Modules linked in: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Call Trace: ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Likely this case was missed in: d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\") ... and instead of undoing the reservation we simply cleared the VM_PAT flag. Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-38152", "url": "https://ubuntu.com/security/CVE-2025-38152", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Clear table_sz when rproc_shutdown There is case as below could trigger kernel dump: Use U-Boot to start remote processor(rproc) with resource table published to a fixed address by rproc. After Kernel boots up, stop the rproc, load a new firmware which doesn't have resource table ,and start rproc. When starting rproc with a firmware not have resource table, `memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will trigger dump, because rproc->cache_table is set to NULL during the last stop operation, but rproc->table_sz is still valid. This issue is found on i.MX8MP and i.MX9. Dump as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_memcpy_generic+0x110/0x22c lr : rproc_start+0x88/0x1e0 Call trace: __pi_memcpy_generic+0x110/0x22c (P) rproc_boot+0x198/0x57c state_store+0x40/0x104 dev_attr_store+0x18/0x2c sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x120/0x1cc vfs_write+0x240/0x378 ksys_write+0x70/0x108 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x30/0xcc el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c Clear rproc->table_sz to address the issue.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-38240", "url": "https://ubuntu.com/security/CVE-2025-38240", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr The function mtk_dp_wait_hpd_asserted() may be called before the `mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach(). Specifically it can be called via this callpath: - mtk_edp_wait_hpd_asserted - [panel probe] - dp_aux_ep_probe Using \"drm\" level prints anywhere in this callpath causes a NULL pointer dereference. Change the error message directly in mtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the error messages in mtk_dp_parse_capabilities(), which is called by mtk_dp_wait_hpd_asserted(). While touching these prints, also add the error code to them to make future debugging easier.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22095", "url": "https://ubuntu.com/security/CVE-2025-22095", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While at it, print the error value, as we cannot return an error upwards as the kernel will WARN() on an error from add_bus(). [kwilczynski: commit log, use comma in the message to match style with other similar messages]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22097", "url": "https://ubuntu.com/security/CVE-2025-22097", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix use after free and double free on init error If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization succeeded.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-23136", "url": "https://ubuntu.com/security/CVE-2025-23136", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: Add NULL check for adev Not all devices have an ACPI companion fwnode, so adev might be NULL. This is similar to the commit cd2fd6eab480 (\"platform/x86: int3472: Check for adev == NULL\"). Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in int3402_thermal_probe(). Note, under the same directory, int3400_thermal_probe() has such a check. [ rjw: Subject edit, added Fixes: ]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-23138", "url": "https://ubuntu.com/security/CVE-2025-23138", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-39682", "url": "https://ubuntu.com/security/CVE-2025-39682", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.", "cve_priority": "medium", "cve_public_date": "2025-09-05 18:15:00 UTC" }, { "cve": "CVE-2025-38500", "url": "https://ubuntu.com/security/CVE-2025-38500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] ", "cve_priority": "medium", "cve_public_date": "2025-08-12 16:15:00 UTC" }, { "cve": "CVE-2025-37756", "url": "https://ubuntu.com/security/CVE-2025-37756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38477", "url": "https://ubuntu.com/security/CVE-2025-38477", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.", "cve_priority": "medium", "cve_public_date": "2025-07-28 12:15:00 UTC" }, { "cve": "CVE-2025-38618", "url": "https://ubuntu.com/security/CVE-2025-38618", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-38617", "url": "https://ubuntu.com/security/CVE-2025-38617", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 (\"net/packet: fix a race in packet_bind() and packet_notifier()\"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-37785", "url": "https://ubuntu.com/security/CVE-2025-37785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2127436, 2124105, 2124105, 2125391, 2121673, 2103415, 2122554, 2121956, 2121150, 2121149, 2121146, 2120209, 2104911, 2121257, 2119713, 2102749, 2120561, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2120877, 2120516, 1786013 ], "changes": [ { "cves": [ { "cve": "CVE-2025-37838", "url": "https://ubuntu.com/security/CVE-2025-37838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().", "cve_priority": "medium", "cve_public_date": "2025-04-18 15:15:00 UTC" }, { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" }, { "cve": "CVE-2025-38352", "url": "https://ubuntu.com/security/CVE-2025-38352", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.", "cve_priority": "high", "cve_public_date": "2025-07-22 08:15:00 UTC" }, { "cve": "CVE-2025-38118", "url": "https://ubuntu.com/security/CVE-2025-38118", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "high", "cve_public_date": "2025-07-03 09:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-87.88 -proposed tracker (LP: #2127436)", "", " * CVE-2025-37838", " - HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol", " Driver Due to Race Condition", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300", " - Documentation/hw-vuln: Add VMSCAPE documentation", " - x86/vmscape: Enumerate VMSCAPE bug", " - x86/vmscape: Add conditional IBPB mitigation", " - x86/vmscape: Enable the mitigation", " - x86/bugs: Move cpu_bugs_smt_update() down", " - x86/vmscape: Warn when STIBP is disabled with SMT", " - x86/vmscape: Add old Intel CPUs to affected list", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105)", " - [Config] Enable MITIGATION_VMSCAPE config", "", " * CVE-2025-38352", " - posix-cpu-timers: fix race between handle_posix_cpu_timers() and", " posix_cpu_timer_del()", "", " * CVE-2025-38118", " - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete", " - Bluetooth: MGMT: Fix sparse errors", "" ], "package": "linux", "version": "6.8.0-87.88", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2127436, 2124105, 2124105 ], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 20:20:13 +0200" }, { "cves": [ { "cve": "CVE-2025-22028", "url": "https://ubuntu.com/security/CVE-2025-22028", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22036", "url": "https://ubuntu.com/security/CVE-2025-22036", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. mpage_read_folio <> do_mpage_readpage exfat_get_block bh_read __bh_read \t get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <> ... ... ... ... <> . . another_function <> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head.", "cve_priority": "high", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22039", "url": "https://ubuntu.com/security/CVE-2025-22039", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access to the DACL.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22062", "url": "https://ubuntu.com/security/CVE-2025-22062", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 Call Trace: udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 do_splice_from fs/splice.c:935 [inline] direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 do_splice_direct_actor fs/splice.c:1201 [inline] do_splice_direct+0x174/0x240 fs/splice.c:1227 do_sendfile+0xafd/0xe50 fs/read_write.c:1368 __do_sys_sendfile64 fs/read_write.c:1429 [inline] __se_sys_sendfile64 fs/read_write.c:1415 [inline] __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22065", "url": "https://ubuntu.com/security/CVE-2025-22065", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net//device/sriov_numvfs reboot BUG: kernel NULL pointer dereference, address: 0000000000000020 ... RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] ... ? idpf_remove+0x22/0x1f0 [idpf] ? idpf_remove+0x1e4/0x1f0 [idpf] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19f/0x200 pci_stop_bus_device+0x6d/0x90 pci_stop_and_remove_bus_device+0x12/0x20 pci_iov_remove_virtfn+0xbe/0x120 sriov_disable+0x34/0xe0 idpf_sriov_configure+0x58/0x140 [idpf] idpf_remove+0x1b9/0x1f0 [idpf] idpf_shutdown+0x12/0x30 [idpf] pci_device_shutdown+0x35/0x60 device_shutdown+0x156/0x200 ... Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22068", "url": "https://ubuntu.com/security/CVE-2025-22068", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk: make sure ubq->canceling is set when queue is frozen Now ublk driver depends on `ubq->canceling` for deciding if the request can be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd() and io_uring_cmd_done(). So set ubq->canceling when queue is frozen, this way makes sure that the flag can be observed from ublk_queue_rq() reliably, and avoids use-after-free on uring_cmd.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22070", "url": "https://ubuntu.com/security/CVE-2025-22070", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix NULL pointer dereference on mkdir When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.: setfacl -m default:group:simpsons:rwx parentdir then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fs_set_create_acl() call expects a valid non-NULL 'fid' pointer: [ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 37.322338] Call Trace: [ 37.323043] [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714) [ 37.325532] ? search_module_extables (kernel/module/main.c:3733) [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804) [ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) [ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p [ 37.338590] vfs_mkdir (fs/namei.c:4313) [ 37.339535] do_mkdirat (fs/namei.c:4336) [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354) [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by simply swapping the sequence of these two calls in v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before v9fs_fid_add().", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-40114", "url": "https://ubuntu.com/security/CVE-2025-40114", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) overrun-local: Overrunning array veml6075_it_ms of 5 4-byte elements at element index 7 (byte offset 31) using index int_index (which evaluates to 7) This is hardening against potentially broken hardware. Good to have but not necessary to backport.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22025", "url": "https://ubuntu.com/security/CVE-2025-22025", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nfsd: put dl_stid if fail to queue dl_recall Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak: unreferenced object 0xffff88812067b578 (size 344): comm \"nfsd\", pid 2761, jiffies 4295044002 (age 5541.241s) hex dump (first 32 bytes): 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........ 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N.. backtrace: kmem_cache_alloc+0x4b9/0x700 nfsd4_process_open1+0x34/0x300 nfsd4_open+0x2d1/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 unreferenced object 0xffff8881499f4d28 (size 368): comm \"nfsd\", pid 2761, jiffies 4295044005 (age 5541.239s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I.... 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... ....... backtrace: kmem_cache_alloc+0x4b9/0x700 nfs4_alloc_stid+0x29/0x210 alloc_init_deleg+0x92/0x2e0 nfs4_set_delegation+0x284/0xc00 nfs4_open_delegation+0x216/0x3f0 nfsd4_process_open2+0x2b3/0xee0 nfsd4_open+0x770/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22027", "url": "https://ubuntu.com/security/CVE-2025-22027", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-39735", "url": "https://ubuntu.com/security/CVE-2025-39735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the \"size_check\" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs \"ea_get: invalid extended attribute\" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: \tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads \"size\" to wrap around and become negative (-184549328). The \"size\" is then passed to print_hex_dump() (called \"len\" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called \"int remaining\", which is then assigned to \"int linelen\" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration: \tfor (i = 0; i < len; i += rowsize) { \t\tlinelen = min(remaining, rowsize); \t\tremaining -= rowsize; \t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, \t\t\t\t linebuf, sizeof(linebuf), ascii); \t\t... \t} The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the \"ptr+i\" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of \"ptr\", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop: \tfor (j = 0; j < len; j++) { \t\t\tif (linebuflen < lx + 2) \t\t\t\tgoto overflow2; \t\t\tch = ptr[j]; \t\t... \t} To fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\" before it is utilised.", "cve_priority": "high", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22033", "url": "https://ubuntu.com/security/CVE-2025-22033", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22035", "url": "https://ubuntu.com/security/CVE-2025-22035", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22038", "url": "https://ubuntu.com/security/CVE-2025-22038", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22040", "url": "https://ubuntu.com/security/CVE-2025-22040", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22041", "url": "https://ubuntu.com/security/CVE-2025-22041", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() In multichannel mode, UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. session that is freed through the global session table can be accessed again through ->sessions of connection.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22042", "url": "https://ubuntu.com/security/CVE-2025-22042", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for create lease context Add missing bounds check for create lease context.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22044", "url": "https://ubuntu.com/security/CVE-2025-22044", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): \"only secondary bus families can be translated\". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero. Furthermore, it is best to return EINVAL immediately upon seeing the invalid user input. The WARNING is insufficient to prevent further undefined behavior based on other invalid user input. All checks of the input value should be applied to the original variable call_pkg->nd_family. [iweiny: update commit message]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22045", "url": "https://ubuntu.com/security/CVE-2025-22045", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch \"x86/mm: only invalidate final translations with INVLPGB\" which is currently under review (see ) would probably be making the impact of this a lot worse.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22050", "url": "https://ubuntu.com/security/CVE-2025-22050", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued. Subsequent processes: (e.g., rx_complete → defer_bh → __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic).", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22053", "url": "https://ubuntu.com/security/CVE-2025-22053", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: ibmveth: make veth_pool_store stop hanging v2: - Created a single error handling unlock and exit in veth_pool_store - Greatly expanded commit message with previous explanatory-only text Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventing multiple calls in a row to napi_disable. Background: Two (or more) threads could call veth_pool_store through writing to /sys/devices/vio/30000002/pool*/*. You can do this easily with a little shell script. This causes a hang. I configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new kernel. I ran this test again and saw: Setting pool0/active to 0 Setting pool1/active to 1 [ 73.911067][ T4365] ibmveth 30000002 eth0: close starting Setting pool1/active to 1 Setting pool1/active to 0 [ 73.911367][ T4366] ibmveth 30000002 eth0: close starting [ 73.916056][ T4365] ibmveth 30000002 eth0: close complete [ 73.916064][ T4365] ibmveth 30000002 eth0: open starting [ 110.808564][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 230.808495][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 243.683786][ T123] INFO: task stress.sh:4365 blocked for more than 122 seconds. [ 243.683827][ T123] Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8 [ 243.683833][ T123] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. [ 243.683838][ T123] task:stress.sh state:D stack:28096 pid:4365 tgid:4365 ppid:4364 task_flags:0x400040 flags:0x00042000 [ 243.683852][ T123] Call Trace: [ 243.683857][ T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable) [ 243.683868][ T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0 [ 243.683878][ T123] [c00000000c38f8a0] [c000000001549a70] __schedule+0x500/0x12a0 [ 243.683888][ T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210 [ 243.683896][ T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50 [ 243.683904][ T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0 [ 243.683913][ T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60 [ 243.683921][ T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc [ 243.683928][ T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270 [ 243.683936][ T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0 [ 243.683944][ T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0 [ 243.683951][ T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650 [ 243.683958][ T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150 [ 243.683966][ T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340 [ 243.683973][ T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec ... [ 243.684087][ T123] Showing all locks held in the system: [ 243.684095][ T123] 1 lock held by khungtaskd/123: [ 243.684099][ T123] #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248 [ 243.684114][ T123] 4 locks held by stress.sh/4365: [ 243.684119][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243.684132][ T123] #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0 [ 243.684143][ T123] #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0 [ 243.684155][ T123] #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60 [ 243.684166][ T123] 5 locks held by stress.sh/4366: [ 243.684170][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243. ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22054", "url": "https://ubuntu.com/security/CVE-2025-22054", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, com20020pci_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensure no resources are left allocated.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22055", "url": "https://ubuntu.com/security/CVE-2025-22055", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22056", "url": "https://ubuntu.com/security/CVE-2025-22056", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ 6.989857] ================================================================== [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 [ 6.991162] [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 6.992281] Call Trace: [ 6.992423] [ 6.992586] dump_stack_lvl+0x44/0x5c [ 6.992801] print_report+0x184/0x4be [ 6.993790] kasan_report+0xc5/0x100 [ 6.994252] kasan_check_range+0xf3/0x1a0 [ 6.994486] memcpy+0x38/0x60 [ 6.994692] nft_tunnel_obj_init+0x977/0xa70 [ 6.995677] nft_obj_init+0x10c/0x1b0 [ 6.995891] nf_tables_newobj+0x585/0x950 [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 [ 6.998997] nfnetlink_rcv+0x1df/0x220 [ 6.999537] netlink_unicast+0x395/0x530 [ 7.000771] netlink_sendmsg+0x3d0/0x6d0 [ 7.001462] __sock_sendmsg+0x99/0xa0 [ 7.001707] ____sys_sendmsg+0x409/0x450 [ 7.002391] ___sys_sendmsg+0xfd/0x170 [ 7.003145] __sys_sendmsg+0xea/0x170 [ 7.004359] do_syscall_64+0x5e/0x90 [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 7.006127] RIP: 0033:0x7ec756d4e407 [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 Fix this bug with correct pointer addition and conversion in parse and dump code.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22057", "url": "https://ubuntu.com/security/CVE-2025-22057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: decrease cached dst counters in dst_release Upstream fix ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels are used, this fix is incomplete as the same issue will be seen for cached dsts: Unable to handle kernel paging request at virtual address ffff5aabf6b5c000 Call trace: percpu_counter_add_batch+0x3c/0x160 (P) dst_release+0xec/0x108 dst_cache_destroy+0x68/0xd8 dst_destroy+0x13c/0x168 dst_destroy_rcu+0x1c/0xb0 rcu_do_batch+0x18c/0x7d0 rcu_core+0x174/0x378 rcu_core_si+0x18/0x30 Fix this by invalidating the cache, and thus decrementing cached dst counters, in dst_release too.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22058", "url": "https://ubuntu.com/security/CVE-2025-22058", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for memory_allocated\"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data)", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22060", "url": "https://ubuntu.com/security/CVE-2025-22060", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free rows in the hardware table, it must also be protected in order to avoid TOCTOU errors where multiple cores allocate the same row. This issue was detected in a situation where `mvpp2_set_rx_mode()` ran concurrently on two CPUs. In this particular case the MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the classifier unit to drop all incoming unicast - indicated by the `rx_classifier_drops` counter.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-38637", "url": "https://ubuntu.com/security/CVE-2025-38637", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: skbprio: Remove overly strict queue assertions In the current implementation, skbprio enqueue/dequeue contains an assertion that fails under certain conditions when SKBPRIO is used as a child qdisc under TBF with specific parameters. The failure occurs because TBF sometimes peeks at packets in the child qdisc without actually dequeuing them when tokens are unavailable. This peek operation creates a discrepancy between the parent and child qdisc queue length counters. When TBF later receives a high-priority packet, SKBPRIO's queue length may show a different value than what's reflected in its internal priority queue tracking, triggering the assertion. The fix removes this overly strict assertions in SKBPRIO, they are not necessary at all.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22063", "url": "https://ubuntu.com/security/CVE-2025-22063", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. Inside this function, the following code is executed: sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; Since sk is an IPv4 socket, pinet6 is NULL, leading to a null pointer dereference. This patch fixes the issue by checking if inet6_sk(sk) returns a NULL pointer before accessing pinet6.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22064", "url": "https://ubuntu.com/security/CVE-2025-22064", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assignment into the registration block.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22066", "url": "https://ubuntu.com/security/CVE-2025-22066", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, imx_card_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2023-53034", "url": "https://ubuntu.com/security/CVE-2023-53034", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:15:00 UTC" }, { "cve": "CVE-2025-22071", "url": "https://ubuntu.com/security/CVE-2025-22071", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak in spufs_create_context() Leak fixes back in 2008 missed one case - if we are trying to set affinity and spufs_mkdir() fails, we need to drop the reference to neighbor.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22072", "url": "https://ubuntu.com/security/CVE-2025-22072", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix gang directory lifetimes prior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and kept it alive until the gang got closed, removal failed and we ended up with a leak. Unfortunately, it had been fixed the wrong way. Dentry of gang directory was no longer pinned, and rmdir on close was gone. One problem was that failure of open kept calling simple_rmdir() as cleanup, which meant an unbalanced dput(). Another bug was in the success case - gang creation incremented link count on root directory, but that was no longer undone when gang got destroyed. Fix consists of \t* reverting the commit in question \t* adding a counter to gang, protected by ->i_rwsem of gang directory inode. \t* having it set to 1 at creation time, dropped in both spufs_dir_close() and spufs_gang_close() and bumped in spufs_create_context(), provided that it's not 0. \t* using simple_recursive_removal() to take the gang directory out when counter reaches zero.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22073", "url": "https://ubuntu.com/security/CVE-2025-22073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak on spufs_new_file() failure It's called from spufs_fill_dir(), and caller of that will do spufs_rmdir() in case of failure. That does remove everything we'd managed to create, but... the problem dentry is still negative. IOW, it needs to be explicitly dropped.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-38575", "url": "https://ubuntu.com/security/CVE-2025-38575", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: use aead_request_free to match aead_request_alloc Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22075", "url": "https://ubuntu.com/security/CVE-2025-22075", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Allocate vfinfo size for VF GUIDs when supported Commit 30aad41721e0 (\"net/core: Add support for getting VF GUIDs\") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs: # echo 64 > /sys/bus/pci/devices/0000\\:08\\:00.0/sriov_numvfs # ip link show dev ib0 RTNETLINK answers: Message too long Cannot send link get request: Message too long Kernel warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0 Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rtnl_getlink+0x586/0x5a0 Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ffff888113557348 EFLAGS: 00010246 RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8 RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000 R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00 R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn+0xa5/0x230 ? rtnl_getlink+0x586/0x5a0 ? report_bug+0x22d/0x240 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? skb_trim+0x6a/0x80 ? rtnl_getlink+0x586/0x5a0 ? __pfx_rtnl_getlink+0x10/0x10 ? rtnetlink_rcv_msg+0x1e5/0x860 ? __pfx___mutex_lock+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx_lock_acquire+0x10/0x10 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1d/0x70 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 rtnetlink_rcv_msg+0x21c/0x860 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? arch_stack_walk+0x9e/0xf0 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 ? rcu_is_watching+0x34/0x60 netlink_rcv_skb+0xe0/0x210 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx___netlink_lookup+0x10/0x10 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0xfd/0x290 ? rcu_is_watching+0x34/0x60 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0x95/0x290 netlink_unicast+0x31f/0x480 ? __pfx_netlink_unicast+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 netlink_sendmsg+0x369/0x660 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ? import_ubuf+0xb9/0xf0 ? __import_iovec+0x254/0x2b0 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ____sys_sendmsg+0x559/0x5a0 ? __pfx_____sys_sendmsg+0x10/0x10 ? __pfx_copy_msghdr_from_user+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? do_read_fault+0x213/0x4a0 ? rcu_is_watching+0x34/0x60 ___sys_sendmsg+0xe4/0x150 ? __pfx____sys_sendmsg+0x10/0x10 ? do_fault+0x2cc/0x6f0 ? handle_pte_fault+0x2e3/0x3d0 ? __pfx_handle_pte_fault+0x10/0x10 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-37937", "url": "https://ubuntu.com/security/CVE-2025-37937", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening. Fixes the following warning with an UBSAN kernel: drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-22079", "url": "https://ubuntu.com/security/CVE-2025-22079", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate l_tree_depth to avoid out-of-bounds access The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is limited to OCFS2_MAX_PATH_DEPTH. Add a check to prevent out-of-bounds access if l_tree_depth has an invalid value, which may occur when reading from a corrupted mounted disk [1].", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22080", "url": "https://ubuntu.com/security/CVE-2025-22080", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The \"de_off\" and \"used\" variables come from the disk so they both need to check. The problem is that on 32bit systems if they're both greater than UINT_MAX - 16 then the check does work as intended because of an integer overflow.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22081", "url": "https://ubuntu.com/security/CVE-2025-22081", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the \"off + sizeof(struct NTFS_DE)\" addition can have an integer wrapping issue. Fix it by using size_add().", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22083", "url": "https://ubuntu.com/security/CVE-2025-22083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22086", "url": "https://ubuntu.com/security/CVE-2025-22086", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number. Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below. This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver whereas the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp. BUG: kernel NULL pointer dereference, address: 0000000000000012 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 Call Trace: ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] __ib_process_cq+0x5a/0x150 [ib_core] ib_cq_poll_work+0x31/0x90 [ib_core] process_one_work+0x169/0x320 worker_thread+0x288/0x3a0 ? work_busy+0xb0/0xb0 kthread+0xd7/0x1f0 ? kthreads_online_cpu+0x130/0x130 ? kthreads_online_cpu+0x130/0x130 ret_from_fork+0x2d/0x50 ? kthreads_online_cpu+0x130/0x130 ret_from_fork_asm+0x11/0x20 ", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22089", "url": "https://ubuntu.com/security/CVE-2025-22089", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a (\"RDMA/core: Split port and device counter sysfs attributes\") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access in kernel mode [42021.819549] #PF: error_code(0x0000) - not-present page [42021.824636] PGD 0 P4D 0 [42021.827145] Oops: 0000 [#1] SMP PTI [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX [42021.841697] Hardware name: XXX [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [42021.949324] Call Trace: [42021.951756] [42021.953842] [] ? show_regs+0x64/0x70 [42021.959030] [] ? __die+0x78/0xc0 [42021.963874] [] ? page_fault_oops+0x2b5/0x3b0 [42021.969749] [] ? exc_page_fault+0x1a2/0x3c0 [42021.975549] [] ? asm_exc_page_fault+0x26/0x30 [42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] [42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core] [42021.995438] [] dev_attr_show+0x1e/0x50 [42022.000803] [] sysfs_kf_seq_show+0x81/0xe0 [42022.006508] [] seq_read_iter+0xf4/0x410 [42022.011954] [] vfs_read+0x16e/0x2f0 [42022.017058] [] ksys_read+0x6e/0xe0 [42022.022073] [] do_syscall_64+0x6a/0xa0 [42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2 The problem can be reproduced using the following steps: ip netns add foo ip netns exec foo bash cat /sys/class/infiniband/mlx4_0/hw_counters/* The panic occurs because of casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption. However the real problem is that hw counters should never been exposed outside of the non-init net namespace. Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to hw_counters group for compat devices during the initialization. With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-39728", "url": "https://ubuntu.com/security/CVE-2025-39728", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: clk: samsung: Fix UBSAN panic in samsung_clk_init() With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to dereferencing `ctx->clk_data.hws` before setting `ctx->clk_data.num = nr_clks`. Move that up to fix the crash. UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP Call trace: samsung_clk_init+0x110/0x124 (P) samsung_clk_init+0x48/0x124 (L) samsung_cmu_register_one+0x3c/0xa0 exynos_arm64_register_cmu+0x54/0x64 __gs101_cmu_top_of_clk_init_declare+0x28/0x60 ...", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22090", "url": "https://ubuntu.com/security/CVE-2025-22090", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not copied. The easiest fix would be to simply clear the VM_PAT flag of the dst VMA if track_pfn_copy() fails. However, the whole thing is about \"simply\" clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() and performed a reservation, but copying the page tables fails, we'll simply clear the VM_PAT flag, not properly undoing the reservation ... which is also wrong. So let's fix it properly: set the VM_PAT flag only if the reservation succeeded (leaving it clear initially), and undo the reservation if anything goes wrong while copying the page tables: clearing the VM_PAT flag after undoing the reservation. Note that any copied page table entries will get zapped when the VMA will get removed later, after copy_page_range() succeeded; as VM_PAT is not set then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be happy. Note that leaving these page tables in place without a reservation is not a problem, as we are aborting fork(); this process will never run. A reproducer can trigger this usually at the first try: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 Modules linked in: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Call Trace: ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Likely this case was missed in: d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\") ... and instead of undoing the reservation we simply cleared the VM_PAT flag. Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-38152", "url": "https://ubuntu.com/security/CVE-2025-38152", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Clear table_sz when rproc_shutdown There is case as below could trigger kernel dump: Use U-Boot to start remote processor(rproc) with resource table published to a fixed address by rproc. After Kernel boots up, stop the rproc, load a new firmware which doesn't have resource table ,and start rproc. When starting rproc with a firmware not have resource table, `memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will trigger dump, because rproc->cache_table is set to NULL during the last stop operation, but rproc->table_sz is still valid. This issue is found on i.MX8MP and i.MX9. Dump as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_memcpy_generic+0x110/0x22c lr : rproc_start+0x88/0x1e0 Call trace: __pi_memcpy_generic+0x110/0x22c (P) rproc_boot+0x198/0x57c state_store+0x40/0x104 dev_attr_store+0x18/0x2c sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x120/0x1cc vfs_write+0x240/0x378 ksys_write+0x70/0x108 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x30/0xcc el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c Clear rproc->table_sz to address the issue.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-38240", "url": "https://ubuntu.com/security/CVE-2025-38240", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr The function mtk_dp_wait_hpd_asserted() may be called before the `mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach(). Specifically it can be called via this callpath: - mtk_edp_wait_hpd_asserted - [panel probe] - dp_aux_ep_probe Using \"drm\" level prints anywhere in this callpath causes a NULL pointer dereference. Change the error message directly in mtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the error messages in mtk_dp_parse_capabilities(), which is called by mtk_dp_wait_hpd_asserted(). While touching these prints, also add the error code to them to make future debugging easier.", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" }, { "cve": "CVE-2025-22095", "url": "https://ubuntu.com/security/CVE-2025-22095", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While at it, print the error value, as we cannot return an error upwards as the kernel will WARN() on an error from add_bus(). [kwilczynski: commit log, use comma in the message to match style with other similar messages]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-22097", "url": "https://ubuntu.com/security/CVE-2025-22097", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix use after free and double free on init error If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization succeeded.", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-23136", "url": "https://ubuntu.com/security/CVE-2025-23136", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: Add NULL check for adev Not all devices have an ACPI companion fwnode, so adev might be NULL. This is similar to the commit cd2fd6eab480 (\"platform/x86: int3472: Check for adev == NULL\"). Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in int3402_thermal_probe(). Note, under the same directory, int3400_thermal_probe() has such a check. [ rjw: Subject edit, added Fixes: ]", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-23138", "url": "https://ubuntu.com/security/CVE-2025-23138", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)", "cve_priority": "medium", "cve_public_date": "2025-04-16 15:16:00 UTC" }, { "cve": "CVE-2025-39682", "url": "https://ubuntu.com/security/CVE-2025-39682", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.", "cve_priority": "medium", "cve_public_date": "2025-09-05 18:15:00 UTC" }, { "cve": "CVE-2025-38500", "url": "https://ubuntu.com/security/CVE-2025-38500", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] ", "cve_priority": "medium", "cve_public_date": "2025-08-12 16:15:00 UTC" }, { "cve": "CVE-2025-37756", "url": "https://ubuntu.com/security/CVE-2025-37756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38477", "url": "https://ubuntu.com/security/CVE-2025-38477", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.", "cve_priority": "medium", "cve_public_date": "2025-07-28 12:15:00 UTC" }, { "cve": "CVE-2025-38618", "url": "https://ubuntu.com/security/CVE-2025-38618", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-38617", "url": "https://ubuntu.com/security/CVE-2025-38617", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 (\"net/packet: fix a race in packet_bind() and packet_notifier()\"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-37785", "url": "https://ubuntu.com/security/CVE-2025-37785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-04-18 07:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-86.87 -proposed tracker (LP: #2125391)", " - Fix FTBS caused by incorrect pick/backport of", " \"perf dso: fix dso__is_kallsyms() check\"", "", " * noble ubuntu_ftrace_smoke_test:mmiotrace timeout on aws:r5.metal", " (LP: #2121673)", " - mm: memcg: add NULL check to obj_cgroup_put()", " - memcg: drain obj stock on cpu hotplug teardown", "", " * [25.04 FEAT] [post announcement] [KRN2304] CPU-MF Counters for new IBM Z", " hardware - perf part (LP: #2103415)", " - perf list: Add IBM z17 event descriptions", "", " * memory leaks when configuring a small rate limit in audit (LP: #2122554)", " - audit: fix skb leak when audit rate limit is exceeded", "", " * [UBUNTU 24.04] PAI/NNPA support for new IBM z17 (LP: #2121956)", " - s390/pai: export number of sysfs attribute files", " - s390/pai_crypto: Add support for MSA 10 and 11 pai counters", " - s390/pai_ext: Update PAI extension 1 counters", "", " * [UBUNTU 24.04] s390/pci: Don't abort recovery for user-space drivers", " (LP: #2121150)", " - s390/pci: Allow automatic recovery with minimal driver support", "", " * [UBUNTU 24.04] s390/pci: Fix stale function handles in error handling", " (LP: #2121149)", " - s390/pci: Fix stale function handles in error handling", " - s390/pci: Do not try re-enabling load/store if device is disabled", "", " * [UBUNTU 24.04] vfio/pci: fix 8-byte PCI loads and stores (LP: #2121146)", " - vfio/pci: Extract duplicated code into macro", " - vfio/pci: Support 8-byte PCI loads and stores", " - vfio/pci: Fix typo in macro to declare accessors", "", " * x86 systems with PCIe BAR addresses located outside a certain range see", " P2PDMA allocation failures and CUDA initialization errors (LP: #2120209)", " - x86/kaslr: Reduce KASLR entropy on most x86 systems", " - x86/mm/init: Handle the special case of device private pages in", " add_pages(), to not increase max_pfn and trigger", " dma_addressing_limited() bounce buffers", "", " * sources list generation using dwarfdump takes up to 0.5hr in build process", " (LP: #2104911)", " - [Packaging] Don't generate list of source files", "", " * [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user", " namespaces (LP: #2121257)", " - apparmor: shift ouid when mediating hard links in userns", " - apparmor: shift uid when mediating af_unix in userns", "", " * UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:452:16", " (LP: #2119713)", " - EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller", "", " * [IdeaPad Slim 5 13ARP10 , 83J2] Microphone on AMD Ryzen 7 7735HS does not", " work (LP: #2102749)", " - ASoC: amd: yc: update quirk data for new Lenovo model", "", " * Fix compilation failure because of incomplete backport (LP: #2120561)", " - SAUCE: netfilter: ctnetlink: Fix -Wuninitialized in", " ctnetlink_secctx_size()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716)", " - x86/mm/pat: cpa-test: fix length for CPA_ARRAY test", " - cpufreq: scpi: compare kHz instead of Hz", " - smack: dont compile ipv6 code unless ipv6 is configured", " - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()", " - EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald", " Rapids", " - x86/fpu: Fix guest FPU state buffer allocation size", " - x86/fpu: Avoid copying dynamic FP state from init_task in", " arch_dup_task_struct()", " - x86/platform: Only allow CONFIG_EISA for 32-bit", " - [Config] updateconfigs after disabling CONFIG_EISA for amd64", " - x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()", " - lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock", " - PM: sleep: Adjust check before setting power.must_resume", " - RISC-V: KVM: Disable the kernel perf counter during configure", " - selinux: Chain up tool resolving errors in install_policy.sh", " - EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer", " - EDAC/ie31200: Fix the DIMM size mask for several SoCs", " - EDAC/ie31200: Fix the error path order of ie31200_init()", " - PM: sleep: Fix handling devices with direct_complete set on errors", " - lockdep: Don't disable interrupts on RT in", " disable_irq_nosync_lockdep.*()", " - perf/ring_buffer: Allow the EPOLLRDNORM flag for poll", " - x86/traps: Make exc_double_fault() consistently noreturn", " - x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures", " - media: verisilicon: HEVC: Initialize start_bit field", " - media: platform: allgro-dvt: unregister v4l2_device on the error path", " - platform/x86: dell-ddv: Fix temperature calculation", " - ASoC: cs35l41: check the return value from spi_setup()", " - HID: remove superfluous (and wrong) Makefile entry for", " CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER", " - dt-bindings: vendor-prefixes: add GOcontroll", " - ALSA: hda/realtek: Always honor no_shutup_pins", " - ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio", " compatible", " - drm/bridge: ti-sn65dsi86: Fix multiple instances", " - drm/dp_mst: Fix drm RAD print", " - drm: xlnx: zynqmp: Fix max dma segment size", " - PCI: Use downstream bridges for distributing resources", " - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure", " - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member", " - drm/msm/dpu: don't use active in atomic_check()", " - drm/msm/dsi: Use existing per-interface slice count in DSC timing", " - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host", " - drm/amdkfd: Fix Circular Locking Dependency in", " 'svm_range_cpu_invalidate_pagetables'", " - PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data", " payload", " - PCI: brcmstb: Use internal register to change link capability", " - PCI: brcmstb: Fix potential premature regulator disabling", " - PCI/portdrv: Only disable pciehp interrupts early when needed", " - drm/amd/display: fix type mismatch in", " CalculateDynamicMetadataParameters()", " - PCI: Remove stray put_device() in pci_register_host_bridge()", " - PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe", " - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()", " - drm/amd/display: avoid NPD when ASIC does not support DMUB", " - PCI: histb: Fix an error handling path in histb_pcie_probe()", " - PCI: pciehp: Don't enable HPIE when resuming in poll mode", " - fbdev: au1100fb: Move a variable assignment behind a null pointer check", " - mdacon: rework dependency list", " - fbdev: sm501fb: Add some geometry checks.", " - clk: amlogic: gxbb: drop incorrect flag on 32k clock", " - crypto: hisilicon/sec2 - fix for aead authsize alignment", " - crypto: hisilicon/sec2 - fix for sec spec check", " - of: property: Increase NR_FWNODE_REFERENCE_ARGS", " - remoteproc: qcom_q6v5_pas: Make single-PD handling more robust", " - libbpf: Fix hypothetical STT_SECTION extern NULL deref case", " - selftests/bpf: Fix string read in strncmp benchmark", " - clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock", " - RDMA/mana_ib: Ensure variable err is initialized", " - remoteproc: qcom_q6v5_pas: Use resource with CX PD for MSM8226", " - bpf: Use preempt_count() directly in bpf_send_signal_common()", " - lib: 842: Improve error handling in sw842_compress()", " - pinctrl: renesas: rza2: Fix missing of_node_put() call", " - pinctrl: renesas: rzg2l: Fix missing of_node_put() call", " - clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent", " - RDMA/mlx5: Fix calculation of total invalidated pages", " - remoteproc: qcom_q6v5_mss: Handle platforms with one power domain", " - IB/mad: Check available slots before posting receive WRs", " - pinctrl: tegra: Set SFIO mode to Mux Register", " - clk: amlogic: g12b: fix cluster A parent data", " - clk: amlogic: gxbb: drop non existing 32k clock parent", " - selftests/bpf: Select NUMA_NO_NODE to create map", " - clk: clk-imx8mp-audiomix: fix dsp/ocram_a clock parents", " - clk: amlogic: g12a: fix mmc A peripheral clock", " - x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1", " - power: supply: max77693: Fix wrong conversion of charge input threshold", " value", " - crypto: nx - Fix uninitialised hv_nxc on error", " - pinctrl: renesas: rzv2m: Fix missing of_node_put() call", " - mfd: sm501: Switch to BIT() to mitigate integer overflows", " - leds: Fix LED_OFF brightness race", " - x86/dumpstack: Fix inaccurate unwinding from exception stacks due to", " misplaced assignment", " - crypto: hisilicon/sec2 - fix for aead auth key length", " - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm()", " - clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock", " - perf stat: Fix find_stat for mixed legacy/non-legacy events", " - isofs: fix KMSAN uninit-value bug in do_isofs_readdir()", " - soundwire: slave: fix an OF node reference leak in soundwire slave", " device", " - coresight: catu: Fix number of pages while using 64k pages", " - coresight-etm4x: add isb() before reading the TRCSTATR", " - perf pmu: Don't double count common sysfs and json events", " - ucsi_ccg: Don't show failed to get FW build information error", " - iio: accel: mma8452: Ensure error return on failure to matching", " oversampling ratio", " - iio: accel: msa311: Fix failure to release runtime pm if direct mode", " claim fails.", " - perf arm-spe: Fix load-store operation checking", " - perf bench: Fix perf bench syscall loop count", " - usb: xhci: correct debug message page size calculation", " - dmaengine: fsl-edma: cleanup chan after dma_async_device_unregister", " - iio: adc: ad4130: Fix comparison of channel setups", " - iio: adc: ad7124: Fix comparison of channel configs", " - perf evlist: Add success path to evlist__create_syswide_maps", " - perf units: Fix insufficient array space", " - kernel/events/uprobes: handle device-exclusive entries correctly in", " __replace_page()", " - kexec: initialize ELF lowest address to ULONG_MAX", " - arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig", " - NFSv4: Don't trigger uneccessary scans for return-on-close delegations", " - fuse: fix dax truncate/punch_hole fault path", " - selftests/mm/cow: fix the incorrect error handling", " - um: remove copy_from_kernel_nofault_allowed", " - um: hostfs: avoid issues on inode number reuse by host", " - i3c: master: svc: Fix missing the IBI rules", " - perf python: Fixup description of sample.id event member", " - perf python: Decrement the refcount of just created event on failure", " - perf python: Don't keep a raw_data pointer to consumed ring buffer space", " - perf python: Check if there is space to copy all the event", " - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES", " - tty: n_tty: use uint for space returned by tty_write_room()", " - fs/procfs: fix the comment above proc_pid_wchan()", " - perf tools: annotate asm_pure_loop.S", " - NFS: Shut down the nfs_client only after all the superblocks", " - exfat: fix the infinite loop in exfat_find_last_cluster()", " - ksmbd: fix multichannel connection failure", " - net/mlx5e: SHAMPO, Make reserved size independent of page size", " - ring-buffer: Fix bytes_dropped calculation issue", " - objtool: Fix segfault in ignore_unreachable_insn()", " - LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig", " - LoongArch: Rework the arch_kgdb_breakpoint() implementation", " - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states", " are invalid", " - octeontx2-af: Fix mbox INTR handler when num VFs > 64", " - octeontx2-af: Free NIX_AF_INT_VEC_GEN irq", " - objtool: Fix verbose disassembly if CROSS_COMPILE isn't set", " - sched/smt: Always inline sched_smt_active()", " - context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()", " - rcu-tasks: Always inline rcu_irq_work_resched()", " - wifi: iwlwifi: fw: allocate chained SG tables for dump", " - wifi: iwlwifi: mvm: use the right version of the rate API", " - nvme-tcp: fix possible UAF in nvme_tcp_poll", " - nvme-pci: clean up CMBMSC when registering CMB fails", " - nvme-pci: skip CMB blocks incompatible with PCI P2P DMA", " - wifi: brcmfmac: keep power during suspend if board requires it", " - affs: generate OFS sequence numbers starting at 1", " - affs: don't write overlarge OFS data block size fields", " - ALSA: hda/realtek: Fix Asus Z13 2025 audio", " - ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0", " - perf/core: Fix perf_pmu_register() vs. perf_init_event()", " - cifs: fix incorrect validation for num_aces field of smb_acl", " - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4", " tablet", " - platform/x86/intel/vsec: Add Diamond Rapids support", " - HID: i2c-hid: improve i2c_hid_get_report error message", " - ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using", " CS35L41 HDA", " - ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using", " CS35L41 HDA", " - sched/deadline: Use online cpus for validating runtime", " - x86/hyperv/vtl: Stop kernel from probing VTL0 low memory", " - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED", " state", " - locking/semaphore: Use wake_q to wake up processes outside lock critical", " section", " - x86/hyperv: Fix output argument to hypercall that changes page", " visibility", " - x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled", " - nvme-pci: fix stuck reset on concurrent DPC and HP", " - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx", " - can: statistics: use atomic access in hot path", " - memory: omap-gpmc: drop no compatible check", " - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}", " - riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and", " make_call_ra", " - ntb: intel: Fix using link status DB's", " - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success", " - RISC-V: errata: Use medany for relocatable builds", " - x86/uaccess: Improve performance by aligning writes to 8 bytes in", " copy_user_generic(), on non-FSRM/ERMS CPUs", " - ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe()", " - riscv: Fix hugetlb retrieval of number of ptes in case of !present pte", " - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic", " sets only", " - vsock: avoid timeout during connect() if the socket is closing", " - tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().", " - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS", " - net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy", " - ipv6: Start path selection from the first nexthop", " - ipv6: Do not consider link down nexthops in path selection", " - drm/amdgpu/gfx11: fix num_mec", " - perf/core: Fix child_total_time_enabled accounting bug at task exit", " - tracing: Switch trace_events_hist.c code over to use guard()", " - tracing/hist: Add poll(POLLIN) support on hist file", " - tracing/hist: Support POLLPRI event for poll on histogram", " - tracing: Correct the refcount if the hist/hist_debug file fails to open", " - LoongArch: Increase ARCH_DMA_MINALIGN up to 16", " - LoongArch: BPF: Fix off-by-one error in build_prologue()", " - LoongArch: BPF: Don't override subprog's return value", " - LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC", " - x86/hyperv: Fix check of return value from snp_set_vmsa()", " - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value", " - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers", " - platform/x86: ISST: Correct command storage data length", " - ntb_perf: Delete duplicate dmaengine_unmap_put() call in", " perf_copy_chunk()", " - perf/x86/intel: Apply static call for drain_pebs", " - perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read", " - x86/tsc: Always save/restore TSC sched_clock() on suspend/resume", " - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP", " - mmc: omap: Fix memory leak in mmc_omap_new_slot", " - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability", " - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD", " - tracing: Ensure module defining synth event cannot be unloaded while", " tracing", " - tracing: Fix synth event printk format for str fields", " - tracing/osnoise: Fix possible recursive locking for cpus_read_lock()", " - ext4: don't over-report free space or inodes in statvfs", " - jfs: add index corruption check to DT_GETPAGE()", " - exec: fix the racy usage of fs_struct->in_exec", " - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up", " - tracing: Do not use PERF enums when perf is not defined", " - smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label", " - sched: Cancel the slice protection of the idle entity", " - cpufreq: tegra194: Allow building for Tegra234", " - kunit/stackinit: Use fill byte different from Clang i386 pattern", " - watchdog/hardlockup/perf: Fix perf_event memory leak", " - x86/entry: Add __init to ia32_emulation_override_cmdline()", " - regulator: pca9450: Fix enable register for LDO5", " - auxdisplay: panel: Fix an API misuse in panel.c", " - ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry", " - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning", " - drm/ssd130x: fix ssd132x encoding", " - drm/ssd130x: ensure ssd132x pitch is correct", " - gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines", " - drm/panel: ilitek-ili9882t: fix GPIO name in error message", " - drm/msm/dsi/phy: Program clock inverters in correct register", " - PCI: brcmstb: Set generation limit before PCIe link up", " - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump", " - powerpc/kexec: fix physical address calculation in clear_utlb_entry()", " - drm/mediatek: Fix config_updating flag never false when no mbox channel", " - PCI: dwc: ep: Return -ENOMEM for allocation failures", " - PCI/sysfs: Demacrofy pci_dev_resource_resize_attr(n) functions", " - PCI: Fix BAR resizing when VF BARs are assigned", " - dummycon: fix default rows/cols", " - crypto: iaa - Test the correct request flag", " - crypto: qat - set parity error mask for qat_420xx", " - pinctrl: renesas: rzg2l: Suppress binding attributes", " - clk: renesas: r8a08g045: Check the source of the CPU PLL settings", " - remoteproc: qcom: pas: add minidump_id to SC7280 WPSS", " - pinctrl: nuvoton: npcm8xx: Fix error handling in npcm8xx_gpio_fw()", " - s390: Remove ioremap_wt() and pgprot_writethrough()", " - clk: qcom: gcc-x1e80100: Unregister GCC_GPU_CFG_AHB_CLK/GCC_DISP_XO_CLK", " - RDMA/mlx5: Fix MR cache initialization error flow", " - power: supply: bq27xxx_battery: do not update cached flags prematurely", " - pinctrl: npcm8xx: Fix incorrect struct npcm8xx_pincfg assignment", " - crypto: qat - remove access to parity register for QAT GEN4", " - clk: qcom: gcc-sm8650: Do not turn off USB GDSCs during gdsc_disable()", " - perf report: Switch data file correctly in TUI", " - perf debug: Avoid stack overflow in recursive error message", " - NFSv4: Avoid unnecessary scans of filesystems for returning delegations", " - NFSv4: Avoid unnecessary scans of filesystems for expired delegations", " - NFSv4: Avoid unnecessary scans of filesystems for delayed delegations", " - um: Pass the correct Rust target and options with gcc", " - perf dso: fix dso__is_kallsyms() check", " - staging: vchiq_arm: Register debugfs after cdev", " - perf vendor events arm64 AmpereOneX: Fix frontend_bound calculation", " - LoongArch: Fix device node refcount leak in fdt_cpu_clk_init()", " - net: phy: broadcom: Correct BCM5221 PHY model detection", " - wifi: mac80211: Cleanup sta TXQs on flush", " - wifi: mac80211: remove debugfs dir for virtual monitor", " - smb: common: change the data type of num_aces to le16", " - platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-", " TA", " - exfat: add a check for invalid data size", " - ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using", " CS35L41 HDA", " - ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using", " CS35L41 HDA", " - ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41", " HDA", " - ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using", " CS35L41 HDA", " - ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using", " CS35L41 HDA", " - wifi: mac80211: fix SA Query processing in MLO", " - riscv/kexec_file: Handle R_RISCV_64 in purgatory relocator", " - riscv/purgatory: 4B align purgatory_start", " - nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer", " - spi: bcm2835: Do not call gpiod_put() on invalid descriptor", " - spi: bcm2835: Restore native CS probing when pinctrl-bcm2835 is absent", " - kbuild: deb-pkg: don't set KBUILD_BUILD_VERSION unconditionally", " - tty: serial: fsl_lpuart: Use u32 and u8 for register variables", " - tty: serial: fsl_lpuart: use port struct directly to simply code", " - tty: serial: fsl_lpuart: Fix unused variable 'sport' build warning", " - tty: serial: lpuart: only disable CTS instead of overwriting the whole", " UARTMODIR register", " - wifi: mac80211: Fix sparse warning for monitor_sdata", " - LoongArch: Increase MAX_IO_PICS up to 8", " - x86/tdx: Fix arch_safe_halt() execution for TDX VMs", " - x86/Kconfig: Add cmpxchg8b support back to Geode CPUs", " - wifi: mt76: mt7925: remove unused acpi function for clc", " - media: omap3isp: Handle ARM dma_iommu_mapping", " - Remove unnecessary firmware version check for gc v9_4_2", " - exfat: fix potential wrong error return from get_block", " - media: subdev: Fix use of sd->enabled_streams in call_s_stream()", " - media: subdev: Improve v4l2_subdev_enable/disable_streams_fallback", " - media: subdev: Add v4l2_subdev_is_streaming()", " - NFSD: nfsd_unlink() clobbers non-zero status returned from", " fh_fill_pre_attrs()", " - NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory", " - platform/x86/amd/pmf: fix cleanup in amd_pmf_init_smart_pc()", " - Upstream stable to v6.6.87, v6.12.23", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22028", " - media: vimc: skip .s_stream() for stopped entities", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22036", " - exfat: fix random stack corruption after get_block", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22039", " - ksmbd: fix overflow in dacloffset bounds check", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22062", " - sctp: add mutual exclusion in proc_sctp_do_udp_port()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22065", " - idpf: fix adapter NULL pointer dereference on reboot", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22068", " - ublk: make sure ubq->canceling is set when queue is frozen", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22070", " - fs/9p: fix NULL pointer dereference on mkdir", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-40114", " - iio: light: Add check for array bounds in veml6075_read_int_time_ms", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22025", " - nfsd: put dl_stid if fail to queue dl_recall", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22027", " - media: streamzap: fix race between device disconnection and urb callback", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-39735", " - jfs: fix slab-out-of-bounds read in ea_get()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22033", " - arm64: Don't call NULL in do_compat_alignment_fixup()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22035", " - tracing: Fix use-after-free in print_graph_function_flags during tracer", " switching", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22038", " - ksmbd: validate zero num_subauth before sub_auth is accessed", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22040", " - ksmbd: fix session use-after-free in multichannel connection", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22041", " - ksmbd: fix use-after-free in ksmbd_sessions_deregister()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22042", " - ksmbd: add bounds check for create lease context", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22044", " - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22045", " - x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22050", " - usbnet:fix NPE during rx_complete", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22053", " - net: ibmveth: make veth_pool_store stop hanging", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22054", " - arcnet: Add NULL check in com20020pci_probe()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22055", " - net: fix geneve_opt length integer overflow", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22056", " - netfilter: nft_tunnel: fix geneve_opt type confusion addition", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22057", " - net: decrease cached dst counters in dst_release", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22058", " - udp: Fix memory accounting leak.", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22060", " - net: mvpp2: Prevent parser TCAM memory corruption", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-38637", " - net_sched: skbprio: Remove overly strict queue assertions", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22063", " - netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22064", " - netfilter: nf_tables: don't unregister hook when table is dormant", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22066", " - ASoC: imx-card: Add NULL check in imx_card_probe()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2023-53034", " - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22071", " - spufs: fix a leak in spufs_create_context()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22072", " - spufs: fix gang directory lifetimes", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22073", " - spufs: fix a leak on spufs_new_file() failure", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-38575", " - ksmbd: use aead_request_free to match aead_request_alloc", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22075", " - rtnetlink: Allocate vfinfo size for VF GUIDs when supported", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-37937", " - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22079", " - ocfs2: validate l_tree_depth to avoid out-of-bounds access", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22080", " - fs/ntfs3: Prevent integer overflow in hdr_first_de()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22081", " - fs/ntfs3: Fix a couple integer overflows on 32bit systems", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22083", " - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22086", " - RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22089", " - RDMA/core: Don't expose hw_counters outside of init net namespace", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-39728", " - clk: samsung: Fix UBSAN panic in samsung_clk_init()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22090", " - x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-38152", " - remoteproc: core: Clear table_sz when rproc_shutdown", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-38240", " - drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22095", " - PCI: brcmstb: Fix error path after a call to regulator_bulk_get()", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-22097", " - drm/vkms: Fix use after free and double free on init error", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-23136", " - thermal: int340x: Add NULL check for adev", "", " * Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //", " CVE-2025-23138", " - watch_queue: fix pipe accounting mismatch", "", " * Noble update: upstream stable patchset 2025-08-18 (LP: #2120877)", " - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names", " - HID: hid-plantronics: Add mic mute mapping and generalize quirks", " - atm: Fix NULL pointer dereference", " - ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()", " - ARM: 9351/1: fault: Add \"cut here\" line for prefetch aborts", " - ARM: Remove address checking for MMUless devices", " - drm/dp_mst: Factor out function to queue a topology probe work", " - drm/dp_mst: Add a helper to queue a topology probe", " - drm/amd/display: Don't write DP_MSTM_CTRL after LT", " - mm/page_alloc: fix memory accept before watermarks gets initialized", " - netfilter: socket: Lookup orig tuple for IPv6 SNAT", " - ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx", " - counter: stm32-lptimer-cnt: fix error handling when enabling", " - counter: microchip-tcb-capture: Fix undefined counter channel state on", " probe", " - tty: serial: 8250: Add some more device IDs", " - tty: serial: 8250: Add Brainboxes XC devices", " - tty: serial: fsl_lpuart: disable transmitter before changing RS485", " related registers", " - net: usb: qmi_wwan: add Telit Cinterion FN990B composition", " - net: usb: qmi_wwan: add Telit Cinterion FE990B composition", " - net: usb: usbnet: restore usb%d name exception for local mac addresses", " - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove", " - nfsd: fix legacy client tracking initialization", " - tty: serial: 8250: Add some more device IDs", " - tty: serial: 8250: Add Brainboxes XC devices", " - perf tools: Fix up some comments and code to properly use the", " event_source bus", " - bcachefs: bch2_ioctl_subvolume_destroy() fixes", " - Upstream stable to v6.6.86, v6.12.22", "", " * CVE-2025-39682", " - tls: fix handling of zero-length records on the rx_list", "", " * CVE-2025-38500", " - xfrm: interface: fix use-after-free after changing collect_md xfrm", " interface", "", " * TLS socket disconnection causes various issues (LP: #2120516) //", " CVE-2025-37756", " - net: tls: explicitly disallow disconnect", "", " * CVE-2025-38477", " - net/sched: sch_qfq: Fix race condition on qfq_aggregate", " - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in", " qfq_delete_class", "", " * CVE-2025-38618", " - vsock: Do not allow binding to VMADDR_PORT_ANY", "", " * CVE-2025-38617", " - net/packet: fix a race in packet_set_ring() and packet_notifier()", "", " * CVE-2025-37785", " - ext4: fix OOB read when checking dotdot dir", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux", "version": "6.8.0-86.87", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125391, 2121673, 2103415, 2122554, 2121956, 2121150, 2121149, 2121146, 2120209, 2104911, 2121257, 2119713, 2102749, 2120561, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2121716, 2120877, 2120516, 1786013 ], "author": "Stefan Bader ", "date": "Mon, 22 Sep 2025 17:42:28 +0200" } ], "notes": "linux-modules-6.8.0-87-generic version '6.8.0-87.88' (source package linux version '6.8.0-87.88') was added. linux-modules-6.8.0-87-generic version '6.8.0-87.88' has the same source package name, linux, as removed package linux-modules-6.8.0-85-generic. As such we can use the source package version of the removed package, '6.8.0-85.85', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-6.8.0-85-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-85.85", "version": "6.8.0-85.85" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-85-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-85.85", "version": "6.8.0-85.85" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20251001 to 20251112", "from_series": "noble", "to_series": "noble", "from_serial": "20251001", "to_serial": "20251112", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }