Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration<br /> <br /> cros_typec_register_thunderbolt() missed initializing the `adata-&gt;lock`<br /> mutex. This leads to a NULL dereference when the mutex is later<br /> acquired (e.g. in cros_typec_altmode_work()).<br /> <br /> Initialize the mutex in cros_typec_register_thunderbolt() to fix the<br /> issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete<br /> <br /> KASAN reproduces a slab-use-after-free in __xfrm_state_delete()&amp;#39;s<br /> hlist_del_rcu calls under syzkaller load on linux-6.12.y stable<br /> (reproduced on 6.12.47, also reachable via the same code path on<br /> torvalds/master and on the ipsec tree). Nine unique signatures cluster<br /> in the xfrm_state lifecycle, the load-bearing one being:<br /> <br /> BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]<br /> BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]<br /> BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c<br /> Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435<br /> <br /> Workqueue: netns cleanup_net<br /> Call Trace:<br /> __hlist_del / hlist_del_rcu<br /> __xfrm_state_delete<br /> xfrm_state_delete<br /> xfrm_state_flush<br /> xfrm_state_fini<br /> ops_exit_list<br /> cleanup_net<br /> <br /> The other observed signatures hit the same slab object from<br /> __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB<br /> write variant of __xfrm_state_delete, all on the byseq/byspi<br /> hash chains.<br /> <br /> __xfrm_state_delete() guards its byseq and byspi unhashes with<br /> value-based predicates:<br /> <br /> if (x-&gt;km.seq)<br /> hlist_del_rcu(&amp;x-&gt;byseq);<br /> if (x-&gt;id.spi)<br /> hlist_del_rcu(&amp;x-&gt;byspi);<br /> <br /> while everywhere else in the file (e.g. state_cache, state_cache_input)<br /> the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets<br /> x-&gt;id.spi = newspi inside xfrm_state_lock and then immediately inserts<br /> into byspi, but a path that observes x-&gt;id.spi != 0 outside of<br /> xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently<br /> with whether x is actually on the list. The same holds for x-&gt;km.seq<br /> versus byseq, and the bydst/bysrc unhashes have no predicate at all,<br /> so a second __xfrm_state_delete() on the same object writes through<br /> LIST_POISON pprev.<br /> <br /> The defensive change here:<br /> <br /> - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,<br /> bysrc, byseq and byspi so a second deletion is a no-op rather<br /> than a write through LIST_POISON pprev. The byseq/byspi nodes<br /> are already initialised in xfrm_state_alloc().<br /> - Test hlist_unhashed() rather than the value predicate for<br /> byseq/byspi, so the unhash decision tracks list state rather than<br /> mutable scalar fields.<br /> <br /> Empirical verification: applied this patch on top of v6.12.47, rebuilt,<br /> and re-ran the same syzkaller harness for 1h16m on a previously-crashy<br /> configuration that produced ~100 hits each of slab-use-after-free<br /> Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in<br /> __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at<br /> ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo<br /> confirms the xfrm_state slab is actively allocated and freed during<br /> the run (~143 KiB resident), so the fuzzer is still exercising those<br /> code paths -- they just no longer crash.<br /> <br /> Reproduction:<br /> <br /> - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV<br /> - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db<br /> - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal<br /> - 9 unique signatures collected in ~9h, all within xfrm_state<br /> lifecycle

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()<br /> <br /> Sashiko points out that the user can specify WQs sharing the same CQ as a<br /> part of the uAPI and this will trigger the WARN_ON() then go on to corrupt<br /> the kernel.<br /> <br /> Just reject it outright and fail the QP creation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: Fix slab-out-of-bounds access in auth message processing<br /> <br /> If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY<br /> contains a positive value in its result field, it is treated as an<br /> error code by ceph_handle_auth_reply() and returned to<br /> handle_auth_reply(). Thereafter, an attempt is made to send the<br /> preallocated message of type CEPH_MSG_AUTH, where the returned value is<br /> interpreted as the size of the front segment to send. If the result<br /> value in the message is greater than the size of the memory buffer<br /> allocated for the front segment, an out-of-bounds access occurs, and<br /> the content of the memory region beyond this buffer is sent out.<br /> <br /> This patch fixes the issue by treating only negative values in the<br /> result field as errors. Positive values are therefore treated as success<br /> in the same way as a zero value. Additionally, a BUG_ON is added to<br /> __send_prepared_auth_request() comparing the len parameter to<br /> front_alloc_len to prevent sending the message if it exceeds the bounds<br /> of the allocation and to make it easier to catch any logic flaws leading<br /> to this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip6_gre: Use cached t-&gt;net in ip6erspan_changelink().<br /> <br /> After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of<br /> rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns<br /> ip6gre hash via link_net. ip6erspan_changelink() was not converted in<br /> that series and still uses dev_net(dev), which diverges from the<br /> device&amp;#39;s creation netns after IFLA_NET_NS_FD migration.<br /> <br /> This re-inserts the tunnel into the wrong per-netns hash. The<br /> original netns keeps a stale entry. When that netns is later<br /> destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a<br /> slab-use-after-free reported by KASAN, followed by a kernel BUG at<br /> net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().<br /> <br /> Reachable from an unprivileged user namespace (unshare --user<br /> --map-root-user --net).<br /> <br /> ip6gre_changelink() earlier in the same file already uses the cached<br /> t-&gt;net; only ip6erspan_changelink() has the wrong shape.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: virtio_bt: clamp rx length before skb_put<br /> <br /> virtbt_rx_work() calls skb_put(skb, len) where len comes directly<br /> from virtqueue_get_buf() with no validation against the buffer we<br /> posted to the device. The RX skb is allocated in virtbt_add_inbuf()<br /> and exposed to virtio as exactly 1000 bytes via sg_init_one().<br /> <br /> Checking len against skb_tailroom(skb) is not sufficient because<br /> alloc_skb() can leave more tailroom than the 1000 bytes actually<br /> handed to the device. A malicious or buggy backend can therefore<br /> report used.len between 1001 and skb_tailroom(skb), causing skb_put()<br /> to include uninitialized kernel heap bytes that were never written by<br /> the device.<br /> <br /> The same path also accepts len == 0, in which case skb_put(skb, 0)<br /> leaves the skb empty but virtbt_rx_handle() still reads the pkt_type<br /> byte from skb-&gt;data, consuming uninitialized memory.<br /> <br /> Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and<br /> sg_init_one(), and gate virtbt_rx_work() on that same constant so<br /> the bound checked matches the buffer actually exposed to the device.<br /> Reject used.len == 0 in the same gate so an empty completion can<br /> no longer reach virtbt_rx_handle().<br /> <br /> Use bt_dev_err_ratelimited() because the length value comes from an<br /> untrusted backend that can otherwise flood the kernel log.<br /> <br /> Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer<br /> overflow in USB transport layer"), which hardened the USB 9p<br /> transport against unchecked device-reported length.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> isofs: validate block number from NFS file handle in isofs_export_iget<br /> <br /> isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-<br /> controlled block number (ifid-&gt;block or ifid-&gt;parent_block) from<br /> the NFS file handle to isofs_export_iget(), which only rejects<br /> block == 0 before calling isofs_iget() and ultimately sb_bread().<br /> A crafted file handle with fh_len sufficient to pass the check<br /> added by commit 0405d4b63d08 ("isofs: Prevent the use of too small<br /> fid") can still drive the server to read any in-range block on the<br /> backing device as if it were an iso_directory_record. That earlier<br /> fix was assigned CVE-2025-37780.<br /> <br /> sb_bread() on an out-of-range block returns NULL cleanly via the<br /> EIO path, so there is no memory-safety violation. For in-range<br /> reads of adjacent-partition data on the same block device, the<br /> unrelated bytes end up in iso_inode_info fields that reach the NFS<br /> client as dentry metadata. The deployment surface (isofs exported<br /> over NFS from loop-mounted images) is narrow and requires an<br /> authenticated NFS peer, but the malformed-file-handle class is<br /> reportable as hardening next to the existing CVE-2025-37780 fix.<br /> <br /> Reject block &gt;= ISOFS_SB(sb)-&gt;s_nzones in isofs_export_iget() so<br /> the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()<br /> call sites with a single line.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()<br /> <br /> commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"),<br /> changed the create handle to FD_PREPARE(), but it caused kernel<br /> null-ptr-deref because after call to retain_and_null_ptr(src_info),<br /> src_info is re-used for adding it to the global list.<br /> <br /> Getting the following kernel panic in papr_hvpipe_dev_create_handle()<br /> when trying to add src_info to the list.<br /> Kernel attempted to write user page (0) - exploit attempt? (uid: 0)<br /> BUG: Kernel NULL pointer dereference on write at 0x00000000<br /> Faulting instruction address: 0xc0000000001b44a0<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> ...<br /> Call Trace:<br /> papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)<br /> sys_ioctl+0x528/0x1064<br /> system_call_exception+0x128/0x360<br /> system_call_vectored_common+0x15c/0x2ec<br /> <br /> Now, the error handling with FD_PREPARE&amp;#39;s file cleanup and __free(kfree) auto<br /> cleanup is getting too convoluted. This is mainly because we need to<br /> ensure only 1 user get the srcID handle. To simplify this, we allocate<br /> prepare the src_info in the beginning and add it to the global list<br /> under a spinlock after checking that no duplicates exist.<br /> <br /> This simplify the error handling where if the FD_ADD fails, we can<br /> simply remove the src_info from the list and consume any pending msg in<br /> hvpipe to be cleared, after src_info became visible in the global list.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock<br /> <br /> Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".<br /> <br /> Reads of &amp;#39;memcg_path&amp;#39; and &amp;#39;path&amp;#39; files in DAMON sysfs interface could race<br /> with their writes, results in use-after-free. Fix those.<br /> <br /> <br /> This patch (of 2):<br /> <br /> damon_sysfs_scheme_filter-&gt;mmecg_path can be read and written by users,<br /> via DAMON sysfs memcg_path file. It can also be indirectly read, for the<br /> parameters {on,off}line committing to DAMON. The reads for parameters<br /> committing are protected by damon_sysfs_lock to avoid the sysfs files<br /> being destroyed while any of the parameters are being read. But the<br /> user-driven direct reads and writes are not protected by any lock, while<br /> the write is deallocating the memcg_path-pointing buffer. As a result,<br /> the readers could read the already freed buffer (user-after-free). Note<br /> that the user-reads don&amp;#39;t race when the same open file is used by the<br /> writer, due to kernfs&amp;#39;s open file locking. Nonetheless, doing the reads<br /> and writes with separate open files would be common. Fix it by protecting<br /> both the user-direct reads and writes with damon_sysfs_lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: b43: enforce bounds check on firmware key index in b43_rx()<br /> <br /> The firmware-controlled key index in b43_rx() can exceed the dev-&gt;key[]<br /> array size (58 entries). The existing B43_WARN_ON is non-enforcing in<br /> production builds, allowing an out-of-bounds read.<br /> <br /> Make the B43_WARN_ON check enforcing by dropping the frame when the<br /> firmware returns an invalid key index.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-thin: fix metadata refcount underflow<br /> <br /> There&amp;#39;s a bug in dm-thin in the function rebalance_children. If the<br /> internal btree node has one entry, the code tries to copy all btree<br /> entries from the node&amp;#39;s child to the node itself and then decrement the<br /> child&amp;#39;s reference count.<br /> <br /> If the child node is shared (it has reference count &gt; 1), we won&amp;#39;t free<br /> it, so there would be two pointers to each of the grandchildren nodes.<br /> But the reference counts of the grandchildren is not increased, thus the<br /> reference count doesn&amp;#39;t match the number of pointers that point to the<br /> grandchildren. This results in "device mapper: space map common: unable<br /> to decrement block" errors.<br /> <br /> Fix this bug by incrementing reference counts on the grandchildren if the<br /> btree node is shared.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: Prevent NULL deref when RX memory exhausted<br /> <br /> The CPU receives frames from the MAC through conventional DMA: the CPU<br /> allocates buffers for the MAC, then the MAC fills them and returns<br /> ownership to the CPU. For each hardware RX queue, the CPU and MAC<br /> coordinate through a shared ring array of DMA descriptors: one<br /> descriptor per DMA buffer. Each descriptor includes the buffer&amp;#39;s<br /> physical address and a status flag ("OWN") indicating which side owns<br /> the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set<br /> the flag and the MAC is only allowed to clear it, and both must move<br /> through the ring in sequence: thus the ring is used for both<br /> "submissions" and "completions."<br /> <br /> In the stmmac driver, stmmac_rx() bookmarks its position in the ring<br /> with the `cur_rx` index. The main receive loop in that function checks<br /> for rx_descs[cur_rx].own=0, gives the corresponding buffer to the<br /> network stack (NULLing the pointer), and increments `cur_rx` modulo the<br /> ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its<br /> position with `dirty_rx`, allocates fresh buffers and rearms the<br /> descriptors (setting OWN=1). If it fails any allocation, it simply stops<br /> early (leaving OWN=0) and will retry where it left off when next called.<br /> <br /> This means descriptors have a three-stage lifecycle (terms my own):<br /> - `empty` (OWN=1, buffer valid)<br /> - `full` (OWN=0, buffer valid and populated)<br /> - `dirty` (OWN=0, buffer NULL)<br /> <br /> But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In<br /> the past (see &amp;#39;Fixes:&amp;#39;), there was a bug where the loop could cycle<br /> `cur_rx` all the way back to the first descriptor it dirtied, resulting<br /> in a NULL dereference when mistaken for `full`. The aforementioned<br /> commit resolved that *specific* failure by capping the loop&amp;#39;s iteration<br /> limit at `dma_rx_size - 1`, but this is only a partial fix: if the<br /> previous stmmac_rx_refill() didn&amp;#39;t complete, then there are leftover<br /> `dirty` descriptors that the loop might encounter without needing to<br /> cycle fully around. The current code therefore panics (see &amp;#39;Closes:&amp;#39;)<br /> when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to<br /> catch up to `dirty_rx`.<br /> <br /> Fix this by explicitly checking, before advancing `cur_rx`, if the next<br /> entry is dirty; exit the loop if so. This prevents processing of the<br /> final, used descriptor until stmmac_rx_refill() succeeds, but<br /> fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix<br /> intended: so remove the clamp as well. Since stmmac_rx_zc() is a<br /> copy-paste-and-tweak of stmmac_rx() and the code structure is identical,<br /> any fix to stmmac_rx() will also need a corresponding fix for<br /> stmmac_rx_zc(). Therefore, apply the same check there.<br /> <br /> In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the<br /> MAC sets OWN=0 on the final descriptor, it will be unable to send any<br /> further DMA-complete IRQs until it&amp;#39;s given more `empty` descriptors.<br /> Currently, the driver simply *hopes* that the next stmmac_rx_refill()<br /> succeeds, risking an indefinite stall of the receive process if not. But<br /> this is not a regression, so it can be addressed in a future change.