Report Name: Linux Patch Wednesday April 2025
Generated: 2025-04-30 17:08:18

Vulristics Vulnerability Scores
Basic Vulnerability Scores
Products

Product NamePrevalenceUCHMLAComment
Linux Kernel0.99965164The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
.NET Core0.811.NET Core
Chromium0.85510Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GLPI0.8336GLPI is an open source IT Asset Management, issue tracking system and service desk system
Mozilla Firefox0.833Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Netty0.811Netty is a non-blocking I/O client-server framework for the development of Java network applications such as protocol servers and clients
PHP0.811PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
Safari0.8178Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
MariaDB0.711MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system, intended to remain free and open-source software under the GNU General Public License
MediaWiki0.7415MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
Exim0.6112Exim is a mail transfer agent (MTA) used on Unix-like operating systems
Libsoup0.6145libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
MongoDB0.6112MongoDB is a source-available, cross-platform, document-oriented database program
Nextcloud0.611Nextcloud server is a self hosted personal cloud system
Nokogiri0.611Nokogiri is an open source XML and HTML library for the Ruby programming language
Oracle Java SE0.633Oracle Java SE
Perl0.611Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
Vault0.611Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing
Opensearch0.5134Product detected by a:amazon:opensearch (exists in CPE dict)
TLS0.511TLS
smartdns0.522Product detected by a:pymumu:smartdns (does NOT exist in CPE dict)
Git0.411Git
GitHub0.211GitHub, Inc. is an Internet hosting service for software development and version control using Git
Unknown Product0161026Unknown Product


Vulnerability Types

Vulnerability TypeCriticalityUCHMLA
Remote Code Execution1.0213
Authentication Bypass0.98347
Code Injection0.9722
Command Injection0.9711
Security Feature Bypass0.9448
Elevation of Privilege0.85112
Information Disclosure0.83189
Cross Site Scripting0.899
Denial of Service0.7310316
Path Traversal0.722
Incorrect Calculation0.566
Memory Corruption0.5373278
Spoofing0.433
Unknown Vulnerability Type03372105


Comments

SourceUCHMLA
almalinux510116
debian117733121
oraclelinux512118
redhat514120
redos2716227
ubuntu57845128


Vulnerabilities

Urgent (0)

Critical (2)

1. Code Injection - Exim (CVE-2025-26794) - Critical [689]

Description: Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:OSCARBATAILLE:CVE-2025-26794, Vulners:PublicExploit:1337DAY-ID-39931, Vulners:PublicExploit:PACKETSTORM:189388, BDU:PublicExploit websites
Criticality of Vulnerability Type0.9715Code Injection
Vulnerable Product is Common0.614Exim is a mail transfer agent (MTA) used on Unix-like operating systems
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile1.010EPSS Probability is 0.42904, EPSS Percentile is 0.97284

redos: CVE-2025-26794 was patched at 2025-04-03

2. Code Injection - MariaDB (CVE-2023-39593) - Critical [635]

Description: Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:ANT1SEC-OPS:CVE-2023-39593, BDU:PublicExploit websites
Criticality of Vulnerability Type0.9715Code Injection
Vulnerable Product is Common0.714MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system, intended to remain free and open-source software under the GNU General Public License
CVSS Base Score0.610CVSS Base Score is 5.6. According to NVD data source
EPSS Percentile0.610EPSS Probability is 0.00358, EPSS Percentile is 0.57047

redos: CVE-2023-39593 was patched at 2025-03-26

High (18)

3. Information Disclosure - GLPI (CVE-2025-21626) - High [591]

Description: GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on BDU:PublicExploit website
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00081, EPSS Percentile is 0.24982

redos: CVE-2025-21626 was patched at 2025-04-02

4. Security Feature Bypass - GLPI (CVE-2025-23024) - High [555]

Description: GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on BDU:PublicExploit website
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.410CVSS Base Score is 4.3. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08304

redos: CVE-2025-23024 was patched at 2025-04-02

5. Denial of Service - Perl (CVE-2024-56406) - High [546]

Description: A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on BDU:PublicExploit website
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.614Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
CVSS Base Score0.910CVSS Base Score is 8.6. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00038, EPSS Percentile is 0.10712

debian: CVE-2024-56406 was patched at 2025-04-13, 2025-04-23

ubuntu: CVE-2024-56406 was patched at 2025-04-14, 2025-04-23

6. Memory Corruption - Mozilla Firefox (CVE-2025-3028) - High [544]

Description: JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability affects Firefox < 137, Firefox ESR < 115.22, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on NVD:PublicExploit:bugzilla.mozilla.org website
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00109, EPSS Percentile is 0.30521

almalinux: CVE-2025-3028 was patched at 2025-04-03, 2025-04-24

debian: CVE-2025-3028 was patched at 2025-04-02, 2025-04-03, 2025-04-23

oraclelinux: CVE-2025-3028 was patched at 2025-04-03, 2025-04-22, 2025-04-24

redhat: CVE-2025-3028 was patched at 2025-04-03, 2025-04-07, 2025-04-23, 2025-04-24

redos: CVE-2025-3028 was patched at 2025-04-17

7. Memory Corruption - Chromium (CVE-2025-2476) - High [526]

Description: Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists0.517The existence of a private exploit is mentioned on BDU:PrivateExploit website
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.810EPSS Probability is 0.02587, EPSS Percentile is 0.8472

debian: CVE-2025-2476 was patched at 2025-03-20, 2025-04-23

redos: CVE-2025-2476 was patched at 2025-04-24

8. Command Injection - Nextcloud (CVE-2022-24838) - High [499]

Description: Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL> ` SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar is upgraded to 3.2.2. There are no workaround available.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9715Command Injection
Vulnerable Product is Common0.614Nextcloud server is a self hosted personal cloud system
CVSS Base Score1.010CVSS Base Score is 9.8. According to NVD data source
EPSS Percentile0.910EPSS Probability is 0.06027, EPSS Percentile is 0.90165

redos: CVE-2022-24838 was patched at 2025-03-26

9. Memory Corruption - Libsoup (CVE-2025-32050) - High [486]

Description: A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists1.017The existence of a publicly available exploit is mentioned on BDU:PublicExploit website
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.614libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
CVSS Base Score0.610CVSS Base Score is 5.9. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00052, EPSS Percentile is 0.16391

debian: CVE-2025-32050 was patched at 2025-04-23

ubuntu: CVE-2025-32050 was patched at 2025-04-10

10. Remote Code Execution - PHP (CVE-2024-11235) - High [478]

Description: In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type1.015Remote Code Execution
Vulnerable Product is Common0.814PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
CVSS Base Score0.910CVSS Base Score is 9.2. According to Vulners data source
EPSS Percentile0.510EPSS Probability is 0.00269, EPSS Percentile is 0.50065

ubuntu: CVE-2024-11235 was patched at 2025-03-31

11. Denial of Service - .NET Core (CVE-2025-26682) - High [448]

Description: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.814.NET Core
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.810EPSS Probability is 0.0214, EPSS Percentile is 0.83232

ubuntu: CVE-2025-26682 was patched at 2025-04-08

12. Security Feature Bypass - Chromium (CVE-2025-3068) - High [436]

Description: Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00086, EPSS Percentile is 0.26054

debian: CVE-2025-3068 was patched at 2025-04-03, 2025-04-23

13. Security Feature Bypass - Chromium (CVE-2025-3069) - High [436]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00086, EPSS Percentile is 0.26202

almalinux: CVE-2025-30691 was patched at 2025-04-16

almalinux: CVE-2025-30698 was patched at 2025-04-16

debian: CVE-2025-3069 was patched at 2025-04-03, 2025-04-23

debian: CVE-2025-30691 was patched at 2025-04-23

debian: CVE-2025-30698 was patched at 2025-04-23

oraclelinux: CVE-2025-30691 was patched at 2025-04-17

oraclelinux: CVE-2025-30698 was patched at 2025-04-17

redhat: CVE-2025-30691 was patched at 2025-04-16

redhat: CVE-2025-30698 was patched at 2025-04-16

14. Remote Code Execution - Mozilla Firefox (CVE-2025-3030) - High [430]

Description: Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type1.015Remote Code Execution
Vulnerable Product is Common0.814Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
CVSS Base Score0.810CVSS Base Score is 8.1. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.0007, EPSS Percentile is 0.22185

almalinux: CVE-2025-3030 was patched at 2025-04-03, 2025-04-24

debian: CVE-2025-3030 was patched at 2025-04-02, 2025-04-03, 2025-04-23

oraclelinux: CVE-2025-3030 was patched at 2025-04-03, 2025-04-22, 2025-04-24

redhat: CVE-2025-3030 was patched at 2025-04-03, 2025-04-07, 2025-04-23, 2025-04-24

15. Authentication Bypass - GLPI (CVE-2025-23046) - High [427]

Description: GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00066, EPSS Percentile is 0.21093

redos: CVE-2025-23046 was patched at 2025-04-02

16. Authentication Bypass - Mozilla Firefox (CVE-2025-3029) - High [427]

Description: A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.814Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
CVSS Base Score0.710CVSS Base Score is 7.3. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00091, EPSS Percentile is 0.2718

almalinux: CVE-2025-3029 was patched at 2025-04-03, 2025-04-24

debian: CVE-2025-3029 was patched at 2025-04-02, 2025-04-03, 2025-04-23

oraclelinux: CVE-2025-3029 was patched at 2025-04-03, 2025-04-22, 2025-04-24

redhat: CVE-2025-3029 was patched at 2025-04-03, 2025-04-07, 2025-04-23, 2025-04-24

17. Elevation of Privilege - Chromium (CVE-2025-3067) - High [427]

Description: Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app. (Chromium security severity: Medium)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8515Elevation of Privilege
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00083, EPSS Percentile is 0.25375

debian: CVE-2025-3067 was patched at 2025-04-03, 2025-04-23

18. Authentication Bypass - Opensearch (CVE-2023-23612) - High [401]

Description: OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.514Product detected by a:amazon:opensearch (exists in CPE dict)
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00093, EPSS Percentile is 0.27635

redos: CVE-2023-23612 was patched at 2025-04-03

19. Denial of Service - Safari (CVE-2024-54551) - High [401]

Description: The issue was addressed with improved memory handling. This issue is fixed in watchOS 10.6, tvOS 17.6, Safari 17.6, macOS Sonoma 14.6, visionOS 1.3, iOS 17.6 and iPadOS 17.6. Processing web content may lead to a denial-of-service.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00182, EPSS Percentile is 0.40568

almalinux: CVE-2024-54551 was patched at 2025-04-08, 2025-04-17

debian: CVE-2024-54551 was patched at 2025-04-10, 2025-04-23

oraclelinux: CVE-2024-54551 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2024-54551 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2024-54551 was patched at 2025-04-14

20. Security Feature Bypass - Chromium (CVE-2025-3070) - High [401]

Description: Insufficient validation of untrusted input in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00064, EPSS Percentile is 0.20364

debian: CVE-2025-3070 was patched at 2025-04-03, 2025-04-23

Medium (154)

21. Information Disclosure - GLPI (CVE-2025-25192) - Medium [388]

Description: GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00051, EPSS Percentile is 0.15824

redos: CVE-2025-25192 was patched at 2025-04-02

22. Path Traversal - GLPI (CVE-2025-27147) - Medium [377]

Description: The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Path Traversal
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.810CVSS Base Score is 8.2. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.0006, EPSS Percentile is 0.19101

redos: CVE-2025-27147 was patched at 2025-04-03

23. Information Disclosure - Safari (CVE-2024-54467) - Medium [376]

Description: A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.1107

almalinux: CVE-2024-54467 was patched at 2025-04-08, 2025-04-17

debian: CVE-2024-54467 was patched at 2025-03-23, 2025-04-23

oraclelinux: CVE-2024-54467 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2024-54467 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2024-54467 was patched at 2025-03-31

24. Cross Site Scripting - GLPI (CVE-2025-21627) - Medium [371]

Description: GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common0.814GLPI is an open source IT Asset Management, issue tracking system and service desk system
CVSS Base Score0.610CVSS Base Score is 6.1. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00058, EPSS Percentile is 0.18319

redos: CVE-2025-21627 was patched at 2025-04-02

25. Authentication Bypass - Oracle Java SE (CVE-2025-21587) - Medium [370]

Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.614Oracle Java SE
CVSS Base Score0.710CVSS Base Score is 7.4. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.11123

almalinux: CVE-2025-21587 was patched at 2025-04-16

debian: CVE-2025-21587 was patched at 2025-04-23

oraclelinux: CVE-2025-21587 was patched at 2025-04-17

redhat: CVE-2025-21587 was patched at 2025-04-16

26. Memory Corruption - Chromium (CVE-2025-3066) - Medium [365]

Description: Use after free in Site Isolation in Google Chrome prior to 135.0.7049.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.910CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00113, EPSS Percentile is 0.31139

debian: CVE-2025-3066 was patched at 2025-04-09, 2025-04-23

27. Information Disclosure - Opensearch (CVE-2023-23613) - Medium [362]

Description: OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.514Product detected by a:amazon:opensearch (exists in CPE dict)
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00191, EPSS Percentile is 0.41528

redos: CVE-2023-23613 was patched at 2025-04-03

28. Cross Site Scripting - Safari (CVE-2025-24208) - Medium [359]

Description: A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.610CVSS Base Score is 6.1. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00043, EPSS Percentile is 0.1285

almalinux: CVE-2025-24208 was patched at 2025-04-08, 2025-04-17

debian: CVE-2025-24208 was patched at 2025-04-10, 2025-04-23

oraclelinux: CVE-2025-24208 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2025-24208 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2025-24208 was patched at 2025-04-14

29. Authentication Bypass - Oracle Java SE (CVE-2025-30698) - Medium [358]

Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.614Oracle Java SE
CVSS Base Score0.610CVSS Base Score is 5.6. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00047, EPSS Percentile is 0.1438

almalinux: CVE-2025-30698 was patched at 2025-04-16

debian: CVE-2025-30698 was patched at 2025-04-23

oraclelinux: CVE-2025-30698 was patched at 2025-04-17

redhat: CVE-2025-30698 was patched at 2025-04-16

30. Denial of Service - Linux Kernel (CVE-2024-56649) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: net: enetc: Do not configure preemptible TCs if SIs do not support Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows. root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]--- In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56649 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

31. Elevation of Privilege - Exim (CVE-2025-30232) - Medium [358]

Description: A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8515Elevation of Privilege
Vulnerable Product is Common0.614Exim is a mail transfer agent (MTA) used on Unix-like operating systems
CVSS Base Score0.810CVSS Base Score is 8.1. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06322

debian: CVE-2025-30232 was patched at 2025-03-26, 2025-04-23

redos: CVE-2025-30232 was patched at 2025-04-17

ubuntu: CVE-2025-30232 was patched at 2025-03-26

32. Denial of Service - Safari (CVE-2024-44192) - Medium [353]

Description: The issue was addressed with improved checks. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to an unexpected process crash.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00037, EPSS Percentile is 0.10113

almalinux: CVE-2024-44192 was patched at 2025-04-08, 2025-04-17

debian: CVE-2024-44192 was patched at 2025-03-23, 2025-04-23

oraclelinux: CVE-2024-44192 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2024-44192 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2024-44192 was patched at 2025-03-31

33. Security Feature Bypass - Chromium (CVE-2025-3071) - Medium [353]

Description: Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.510CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01359

debian: CVE-2025-3071 was patched at 2025-04-03, 2025-04-23

34. Information Disclosure - Opensearch (CVE-2023-25806) - Medium [350]

Description: OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.514Product detected by a:amazon:opensearch (exists in CPE dict)
CVSS Base Score0.510CVSS Base Score is 5.3. According to NVD data source
EPSS Percentile0.510EPSS Probability is 0.00227, EPSS Percentile is 0.45468

redos: CVE-2023-25806 was patched at 2025-04-03

35. Authentication Bypass - Oracle Java SE (CVE-2025-30691) - Medium [346]

Description: Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common0.614Oracle Java SE
CVSS Base Score0.510CVSS Base Score is 4.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00035, EPSS Percentile is 0.0872

almalinux: CVE-2025-30691 was patched at 2025-04-16

debian: CVE-2025-30691 was patched at 2025-04-23

oraclelinux: CVE-2025-30691 was patched at 2025-04-17

redhat: CVE-2025-30691 was patched at 2025-04-16

36. Memory Corruption - Linux Kernel (CVE-2024-56561) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy() pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI domain ID, but there are two issues: - 'epc->dev' is passed to pci_bus_release_domain_nr() which was already freed by device_unregister(), leading to a use-after-free issue. - Domain ID corresponds to the EPC device parent, so passing 'epc->dev' is also wrong. Fix these issues by passing 'epc->dev.parent' to pci_bus_release_domain_nr() and also do it before device_unregister(). [mani: reworded subject and description]

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05375

ubuntu: CVE-2024-56561 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24

37. Memory Corruption - Linux Kernel (CVE-2024-56652) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Remove register pool That pool implementation doesn't really work: if the krealloc happens to move the memory and return another address, the entries in the xarray become invalid, leading to use-after-free later: BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe] Read of size 4 at addr ffff8881244b2590 by task modprobe/2753 Allocated by task 2753: kasan_save_stack+0x39/0x70 kasan_save_track+0x14/0x40 kasan_save_alloc_info+0x37/0x60 __kasan_kmalloc+0xc3/0xd0 __kmalloc_node_track_caller_noprof+0x200/0x6d0 krealloc_noprof+0x229/0x380 Simplify the code to fix the bug. A better pooling strategy may be added back later if needed. (cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05375

ubuntu: CVE-2024-56652 was patched at 2025-03-27, 2025-04-01

38. Memory Corruption - Linux Kernel (CVE-2024-56653) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump hci_devcd_append may lead to the release of the skb, so it cannot be accessed once it is called. ================================================================== BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk] Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82 CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024 Workqueue: events btusb_rx_work [btusb] Call Trace: <TASK> dump_stack_lvl+0xfd/0x150 print_report+0x131/0x780 kasan_report+0x177/0x1c0 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01] btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 82: stack_trace_save+0xdc/0x190 kasan_set_track+0x4e/0x80 __kasan_slab_alloc+0x4e/0x60 kmem_cache_alloc+0x19f/0x360 skb_clone+0x132/0xf70 btusb_recv_acl_mtk+0x104/0x1a0 [btusb] btusb_rx_work+0x9e/0xe0 [btusb] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 Freed by task 1733: stack_trace_save+0xdc/0x190 kasan_set_track+0x4e/0x80 kasan_save_free_info+0x28/0xb0 ____kasan_slab_free+0xfd/0x170 kmem_cache_free+0x183/0x3f0 hci_devcd_rx+0x91a/0x2060 [bluetooth] worker_thread+0xe44/0x2cc0 kthread+0x2ff/0x3a0 ret_from_fork+0x51/0x80 ret_from_fork_asm+0x1b/0x30 The buggy address belongs to the object at ffff888033cfab40 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 112 bytes inside of freed 232-byte region [ffff888033cfab40, ffff888033cfac28) The buggy address belongs to the physical page: page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x4000000000000840(slab|head|zone=1) page_type: 0xffffffff() raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001 raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Check if we need to call hci_devcd_complete before calling hci_devcd_append. That requires that we check data->cd_info.cnt >= MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we increment data->cd_info.cnt only once the call to hci_devcd_append succeeds.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00038, EPSS Percentile is 0.10696

ubuntu: CVE-2024-56653 was patched at 2025-03-27, 2025-04-01

39. Memory Corruption - Linux Kernel (CVE-2024-56669) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove cache tags before disabling ATS The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still remain in the list even after the domain is freed, causing a use-after-free condition. This issue really shows up when multiple VFs from different PFs passed through to a single user-space process via vfio-pci. In such cases, the kernel may crash with kernel messages like: BUG: kernel NULL pointer dereference, address: 0000000000000014 PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2 RIP: 0010:cache_tag_flush_range+0x9b/0x250 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x163/0x590 ? exc_page_fault+0x72/0x190 ? asm_exc_page_fault+0x22/0x30 ? cache_tag_flush_range+0x9b/0x250 ? cache_tag_flush_range+0x5d/0x250 intel_iommu_tlb_sync+0x29/0x40 intel_iommu_unmap_pages+0xfe/0x160 __iommu_unmap+0xd8/0x1a0 vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1] vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1] vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1] Move cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix it.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05375

ubuntu: CVE-2024-56669 was patched at 2025-03-27, 2025-04-01

40. Memory Corruption - Linux Kernel (CVE-2025-21652) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el ---truncated---

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06048

ubuntu: CVE-2025-21652 was patched at 2025-03-27, 2025-04-01

41. Memory Corruption - Libsoup (CVE-2025-2784) - Medium [344]

Description: A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.614libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
CVSS Base Score0.710CVSS Base Score is 7.0. According to NVD data source
EPSS Percentile0.610EPSS Probability is 0.00491, EPSS Percentile is 0.64262

debian: CVE-2025-2784 was patched at 2025-04-23

ubuntu: CVE-2025-2784 was patched at 2025-04-10

42. Denial of Service - Netty (CVE-2024-47535) - Medium [341]

Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.814Netty is a non-blocking I/O client-server framework for the development of Java network applications such as protocol servers and clients
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.1091

redhat: CVE-2024-47535 was patched at 2025-03-27, 2025-04-01

43. Memory Corruption - Safari (CVE-2025-24209) - Medium [341]

Description: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. Processing maliciously crafted web content may lead to an unexpected process crash.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.710CVSS Base Score is 7.0. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.0011, EPSS Percentile is 0.30555

almalinux: CVE-2025-24209 was patched at 2025-04-08, 2025-04-17

debian: CVE-2025-24209 was patched at 2025-04-10, 2025-04-23

oraclelinux: CVE-2025-24209 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2025-24209 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2025-24209 was patched at 2025-04-14

44. Denial of Service - TLS (CVE-2025-2704) - Medium [339]

Description: OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.514TLS
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00096, EPSS Percentile is 0.28164

debian: CVE-2025-2704 was patched at 2025-04-23

ubuntu: CVE-2025-2704 was patched at 2025-04-03

45. Memory Corruption - Linux Kernel (CVE-2024-53185) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix NULL ptr deref in crypto_aead_setkey() Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00018, EPSS Percentile is 0.0306

redos: CVE-2024-53185 was patched at 2025-04-09

ubuntu: CVE-2024-53185 was patched at 2025-04-23, 2025-04-24

46. Memory Corruption - Linux Kernel (CVE-2024-56635) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: net: avoid potential UAF in default_operstate() syzbot reported an UAF in default_operstate() [1] Issue is a race between device and netns dismantles. After calling __rtnl_unlock() from netdev_run_todo(), we can not assume the netns of each device is still alive. Make sure the device is not in NETREG_UNREGISTERED state, and add an ASSERT_RTNL() before the call to __dev_get_by_index(). We might move this ASSERT_RTNL() in __dev_get_by_index() in the future. [1] BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339 CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 __dev_get_by_index+0x5d/0x110 net/core/dev.c:852 default_operstate net/core/link_watch.c:51 [inline] rfc2863_policy+0x224/0x300 net/core/link_watch.c:67 linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170 netdev_run_todo+0x461/0x1000 net/core/dev.c:10894 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock include/linux/rtnetlink.h:133 [inline] rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2a3cb80809 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008 RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8 </TASK> Allocated by task 5339: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kmalloc_array_noprof include/linux/slab.h:945 [inline] netdev_create_hash net/core/dev.c:11870 [inline] netdev_init+0x10c/0x250 net/core/dev.c:11890 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3314 __do_sys_unshare kernel/fork.c:3385 [inline] __se_sys_unshare kernel/fork.c:3383 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x8 ---truncated---

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00023, EPSS Percentile is 0.0438

ubuntu: CVE-2024-56635 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

47. Memory Corruption - Linux Kernel (CVE-2024-56764) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests(). Fixes the bug by detaching gendisk from ublk device if add_disk() fails.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03282

ubuntu: CVE-2024-56764 was patched at 2025-03-27, 2025-04-01

48. Memory Corruption - Linux Kernel (CVE-2024-56772) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: kunit: string-stream: Fix a UAF bug in kunit_init_suite() In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the kunit_suite_for_each_test_case() loop, the "suite->log = stream" has assigned before, and the error path only free the suite->log's stream memory but not set it to NULL, so the later string_stream_clear() of suite->log in kunit_init_suite() will cause below UAF bug. Set stream pointer to NULL after free to fix it. Unable to handle kernel paging request at virtual address 006440150000030d Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [006440150000030d] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts] CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458 Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST Hardware name: linux,dummy-virt (DT) pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : string_stream_clear+0x54/0x1ac lr : string_stream_clear+0x1a8/0x1ac sp : ffffffc080b47410 x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98 x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003 x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000 x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4 x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75 x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000 x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001 x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000 Call trace: string_stream_clear+0x54/0x1ac __kunit_test_suites_init+0x108/0x1d8 kunit_exec_run_tests+0xb8/0x100 kunit_module_notify+0x400/0x55c notifier_call_chain+0xfc/0x3b4 blocking_notifier_call_chain+0x68/0x9c do_init_module+0x24c/0x5c8 load_module+0x4acc/0x4e90 init_module_from_file+0xd4/0x128 idempotent_init_module+0x2d4/0x57c __arm64_sys_finit_module+0xac/0x100 invoke_syscall+0x6c/0x258 el0_svc_common.constprop.0+0x160/0x22c do_el0_svc+0x44/0x5c el0_svc+0x48/0xb8 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03282

ubuntu: CVE-2024-56772 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

49. Memory Corruption - Linux Kernel (CVE-2024-57801) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. So, the mlx5e_rep_priv is already freed while trying to get rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free. So add the checking to make sure access the data of vport rep which is still loaded.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03988

ubuntu: CVE-2024-57801 was patched at 2025-03-27, 2025-04-01

50. Memory Corruption - Linux Kernel (CVE-2024-57926) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err The pointer need to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows. private->all_drm_private[i]->drm = drm; And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previous allocated memory in drm_atomic_helper_shutdown. [ 84.874820] watchdog: watchdog0: watchdog did not stop! [ 86.512054] ================================================================== [ 86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378 [ 86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1 [ 86.515213] [ 86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55 [ 86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022 [ 86.517960] Call trace: [ 86.518333] show_stack+0x20/0x38 (C) [ 86.518891] dump_stack_lvl+0x90/0xd0 [ 86.519443] print_report+0xf8/0x5b0 [ 86.519985] kasan_report+0xb4/0x100 [ 86.520526] __asan_report_load8_noabort+0x20/0x30 [ 86.521240] drm_atomic_helper_shutdown+0x33c/0x378 [ 86.521966] mtk_drm_shutdown+0x54/0x80 [ 86.522546] platform_shutdown+0x64/0x90 [ 86.523137] device_shutdown+0x260/0x5b8 [ 86.523728] kernel_restart+0x78/0xf0 [ 86.524282] __do_sys_reboot+0x258/0x2f0 [ 86.524871] __arm64_sys_reboot+0x90/0xd8 [ 86.525473] invoke_syscall+0x74/0x268 [ 86.526041] el0_svc_common.constprop.0+0xb0/0x240 [ 86.526751] do_el0_svc+0x4c/0x70 [ 86.527251] el0_svc+0x4c/0xc0 [ 86.527719] el0t_64_sync_handler+0x144/0x168 [ 86.528367] el0t_64_sync+0x198/0x1a0 [ 86.528920] [ 86.529157] The buggy address belongs to the physical page: [ 86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc [ 86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff) [ 86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000 [ 86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000 [ 86.534511] page dumped because: kasan: bad access detected [ 86.535323] [ 86.535559] Memory state around the buggy address: [ 86.536265] ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.537314] ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.544733] ^ [ 86.551057] ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.557510] ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 86.563928] ================================================================== [ 86.571093] Disabling lock debugging due to kernel taint [ 86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b [ 86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f] ...

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03988

ubuntu: CVE-2024-57926 was patched at 2025-03-27, 2025-04-01

51. Memory Corruption - Linux Kernel (CVE-2025-21633) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: io_uring/sqpoll: zero sqd->thread on tctx errors Syzkeller reports: BUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 Read of size 8 at addr ffff88803578c510 by task syz.2.3223/27552 Call Trace: <TASK> ... kasan_report+0x143/0x180 mm/kasan/report.c:602 thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639 getrusage+0x1000/0x1340 kernel/sys.c:1863 io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197 seq_show+0x608/0x770 fs/proc/fd.c:68 ... That's due to sqd->task not being cleared properly in cases where SQPOLL task tctx setup fails, which can essentially only happen with fault injection to insert allocation errors.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03282

ubuntu: CVE-2025-21633 was patched at 2025-03-27, 2025-04-01

52. Memory Corruption - Linux Kernel (CVE-2025-21650) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs 1024-1279 are in different BAR space addresses. However, hclge_fetch_pf_reg does not distinguish the tqp space information when reading the tqp space information. When the number of TQPs is greater than 1024, access bar space overwriting occurs. The problem of different segments has been considered during the initialization of tqp.io_base. Therefore, tqp.io_base is directly used when the queue is read in hclge_fetch_pf_reg. The error message: Unable to handle kernel paging request at virtual address ffff800037200000 pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] lr : hclge_get_regs+0x84/0x1d0 [hclge] Call trace: hclge_fetch_pf_reg+0x138/0x250 [hclge] hclge_get_regs+0x84/0x1d0 [hclge] hns3_get_regs+0x2c/0x50 [hns3] ethtool_get_regs+0xf4/0x270 dev_ethtool+0x674/0x8a0 dev_ioctl+0x270/0x36c sock_do_ioctl+0x110/0x2a0 sock_ioctl+0x2ac/0x530 __arm64_sys_ioctl+0xa8/0x100 invoke_syscall+0x4c/0x124 el0_svc_common.constprop.0+0x140/0x15c do_el0_svc+0x30/0xd0 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03282

ubuntu: CVE-2025-21650 was patched at 2025-03-27, 2025-04-01

53. Memory Corruption - Linux Kernel (CVE-2025-21867) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary. [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635 xdp_recv_frames net/bpf/test_run.c:272 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline] __se_sys_bpf kernel/bpf/syscall.c:5864 [inline] __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: free_pages_prepare mm/page_alloc.c:1056 [inline] free_unref_page+0x156/0x1320 mm/page_alloc.c:2657 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline] ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235 bpf_map_free kernel/bpf/syscall.c:838 [inline] bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391 kthread+0x535/0x6b0 kernel/kthread.c:389 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01442

debian: CVE-2025-21867 was patched at 2025-04-12, 2025-04-23

54. Memory Corruption - Linux Kernel (CVE-2025-21887) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.01084

debian: CVE-2025-21887 was patched at 2025-04-12, 2025-04-23

55. Memory Corruption - Linux Kernel (CVE-2025-21919) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.0152

debian: CVE-2025-21919 was patched at 2025-04-12, 2025-04-23

56. Memory Corruption - Linux Kernel (CVE-2025-21928) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21928 was patched at 2025-04-12, 2025-04-23

57. Memory Corruption - Linux Kernel (CVE-2025-21934) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21934 was patched at 2025-04-12, 2025-04-23

58. Memory Corruption - Linux Kernel (CVE-2025-21945) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_lock If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.01057

debian: CVE-2025-21945 was patched at 2025-04-12, 2025-04-23

59. Memory Corruption - Linux Kernel (CVE-2025-21968) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.0107

debian: CVE-2025-21968 was patched at 2025-04-12, 2025-04-23

60. Memory Corruption - Linux Kernel (CVE-2025-21979) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.01057

debian: CVE-2025-21979 was patched at 2025-04-12, 2025-04-23

61. Memory Corruption - Linux Kernel (CVE-2025-21999) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path]

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01441

debian: CVE-2025-21999 was patched at 2025-04-12, 2025-04-23

62. Memory Corruption - Linux Kernel (CVE-2025-22004) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01441

debian: CVE-2025-22004 was patched at 2025-04-12, 2025-04-23

63. Security Feature Bypass - Linux Kernel (CVE-2025-21877) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00061, EPSS Percentile is 0.19332

debian: CVE-2025-21877 was patched at 2025-04-12, 2025-04-23

64. Information Disclosure - MediaWiki (CVE-2025-32698) - Medium [324]

Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.714MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
CVSS Base Score0.210CVSS Base Score is 2.1. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00083, EPSS Percentile is 0.2534

debian: CVE-2025-32698 was patched at 2025-04-13, 2025-04-23

65. Memory Corruption - Linux Kernel (CVE-2024-56577) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix null-ptr-deref during unload module The workqueue should be destroyed in mtk_jpeg_core.c since commit 09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwise the below calltrace can be easily triggered. [ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023 [ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] ... [ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17 ... [ 677.882838] pc : destroy_workqueue+0x3c/0x770 [ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.884314] sp : ffff80008ad974f0 [ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070 [ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690 [ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000 [ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0 [ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10 [ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d [ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90 [ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001 [ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000 [ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118 [ 677.893977] Call trace: [ 677.894297] destroy_workqueue+0x3c/0x770 [ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.895677] devm_action_release+0x50/0x90 [ 677.896211] release_nodes+0xe8/0x170 [ 677.896688] devres_release_all+0xf8/0x178 [ 677.897219] device_unbind_cleanup+0x24/0x170 [ 677.897785] device_release_driver_internal+0x35c/0x480 [ 677.898461] device_release_driver+0x20/0x38 ... [ 677.912665] ---[ end trace 0000000000000000 ]---

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56577 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

66. Memory Corruption - Linux Kernel (CVE-2024-56580) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: fix error path on configuration of power domains There is a chance to meet runtime issues during configuration of CAMSS power domains, because on the error path dev_pm_domain_detach() is unexpectedly called with NULL or error pointer. One of the simplest ways to reproduce the problem is to probe CAMSS driver before registration of CAMSS power domains, for instance if a platform CAMCC driver is simply not built. Warning backtrace example: Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a2 <snip> pc : dev_pm_domain_detach+0x8/0x48 lr : camss_probe+0x374/0x9c0 <snip> Call trace: dev_pm_domain_detach+0x8/0x48 platform_probe+0x70/0xf0 really_probe+0xc4/0x2a8 __driver_probe_device+0x80/0x140 driver_probe_device+0x48/0x170 __device_attach_driver+0xc0/0x148 bus_for_each_drv+0x88/0xf0 __device_attach+0xb0/0x1c0 device_initial_probe+0x1c/0x30 bus_probe_device+0xb4/0xc0 deferred_probe_work_func+0x90/0xd0 process_one_work+0x164/0x3e0 worker_thread+0x310/0x420 kthread+0x120/0x130 ret_from_fork+0x10/0x20

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

ubuntu: CVE-2024-56580 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

67. Memory Corruption - Linux Kernel (CVE-2024-56613) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak. # /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks. # dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0 [<ffffffff8113f715>] task_numa_work+0x725/0xa00 [<ffffffff8110f878>] task_work_run+0x58/0x90 [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0 [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150 [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e ... This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server [Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten. Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1]. Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000` cannot the reproduce the issue. It is verified with 200+ test runs. [Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment. [1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56613 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

68. Memory Corruption - Linux Kernel (CVE-2024-56617) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU Commit 5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU") adds functionality that architectures can use to optionally allocate and build cacheinfo early during boot. Commit 6539cffa9495 ("cacheinfo: Add arch specific early level initializer") lets secondary CPUs correct (and reallocate memory) cacheinfo data if needed. If the early build functionality is not used and cacheinfo does not need correction, memory for cacheinfo is never allocated. x86 does not use the early build functionality. Consequently, during the cacheinfo CPU hotplug callback, last_level_cache_is_valid() attempts to dereference a NULL pointer: BUG: kernel NULL pointer dereference, address: 0000000000000100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not present page PGD 0 P4D 0 Oops: 0000 [#1] PREEPMT SMP NOPTI CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1 RIP: 0010: last_level_cache_is_valid+0x95/0xe0a Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback if not done earlier. Moreover, before determining the validity of the last-level cache info, ensure that it has been allocated. Simply checking for non-zero cache_leaves() is not sufficient, as some architectures (e.g., Intel processors) have non-zero cache_leaves() before allocation. Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size(). This function iterates over all online CPUs. However, a CPU may have come online recently, but its cacheinfo may not have been allocated yet. While here, remove an unnecessary indentation in allocate_cache_info(). [ bp: Massage. ]

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56617 was patched at 2025-03-27, 2025-04-01

69. Memory Corruption - Linux Kernel (CVE-2024-56620) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled Otherwise, it will result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: mutex_lock+0xc/0x54 platform_device_msi_free_irqs_all+0x14/0x20 ufs_qcom_remove+0x34/0x48 [ufs_qcom] platform_remove+0x28/0x44 device_remove+0x4c/0x80 device_release_driver_internal+0xd8/0x178 driver_detach+0x50/0x9c bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom] __arm64_sys_delete_module+0x180/0x260 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xdc el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x190/0x194

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56620 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

70. Memory Corruption - Linux Kernel (CVE-2024-56621) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Cancel RTC work during ufshcd_remove() Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to this, any further trigger of the RTC work after ufshcd_remove() would result in a NULL pointer dereference as below: Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4 Workqueue: events ufshcd_rtc_work Call trace: _raw_spin_lock_irqsave+0x34/0x8c pm_runtime_get_if_active+0x24/0xb4 ufshcd_rtc_work+0x124/0x19c process_scheduled_works+0x18c/0x2d8 worker_thread+0x144/0x280 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Since RTC work accesses the ufshcd internal structures, it should be cancelled when ufshcd is removed. So do that in ufshcd_remove(), as per the order in ufshcd_init().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56621 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

71. Memory Corruption - Linux Kernel (CVE-2024-56646) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in modify_prefix_route() syzbot found a NULL deref [1] in modify_prefix_route(), caused by one fib6_info without a fib6_table pointer set. This can happen for net->ipv6.fib6_null_entry [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089 Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84 RSP: 0018:ffffc900035d7268 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030 R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000 FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831 inet6_addr_modify net/ipv6/addrconf.c:4923 [inline] inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637 __sys_sendmsg+0x16e/0x220 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd1dcef8b79 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79 RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 </TASK>

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

ubuntu: CVE-2024-56646 was patched at 2025-03-27, 2025-04-01

72. Memory Corruption - Linux Kernel (CVE-2024-56667) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL pointer dereference in capture_engine When the intel_context structure contains NULL, it raises a NULL pointer dereference error in drm_info(). (cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56667 was patched at 2025-03-27, 2025-04-01

73. Memory Corruption - Linux Kernel (CVE-2025-21905) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.710CVSS Base Score is 7.1. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21905 was patched at 2025-04-12, 2025-04-23

74. Memory Corruption - Linux Kernel (CVE-2025-21917) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06291

debian: CVE-2025-21917 was patched at 2025-04-12, 2025-04-23

75. Memory Corruption - Linux Kernel (CVE-2025-21920) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.710CVSS Base Score is 7.1. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21920 was patched at 2025-04-12, 2025-04-23

76. Memory Corruption - Linux Kernel (CVE-2025-21993) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.710CVSS Base Score is 7.1. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21993 was patched at 2025-04-12, 2025-04-23

ubuntu: CVE-2025-21993 was patched at 2025-04-23, 2025-04-24, 2025-04-25, 2025-04-28

77. Denial of Service - Libsoup (CVE-2025-32051) - Medium [320]

Description: A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() function may crash when processing malformed data URI. This flaw allows an attacker to cause a denial of service (DoS).

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.614libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
CVSS Base Score0.610CVSS Base Score is 5.9. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00052, EPSS Percentile is 0.16327

debian: CVE-2025-32051 was patched at 2025-04-23

ubuntu: CVE-2025-32051 was patched at 2025-04-10

78. Memory Corruption - Safari (CVE-2025-24213) - Medium [317]

Description: This issue was addressed with improved handling of floats. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A type confusion issue could lead to memory corruption.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00018, EPSS Percentile is 0.03061

debian: CVE-2025-24213 was patched at 2025-04-10, 2025-04-23

ubuntu: CVE-2025-24213 was patched at 2025-04-14

79. Cross Site Scripting - Nokogiri (CVE-2024-53985) - Medium [314]

Description: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math" and "style" elements or both both "svg" and "style" elements. This vulnerability is fixed in 1.6.1.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common0.614Nokogiri is an open source XML and HTML library for the Ruby programming language
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.410EPSS Probability is 0.00147, EPSS Percentile is 0.36319

redos: CVE-2024-53985 was patched at 2025-04-02

80. Incorrect Calculation - Linux Kernel (CVE-2024-57919) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix divide error in DM plane scale calcs dm_get_plane_scale doesn't take into account plane scaled size equal to zero, leading to a kernel oops due to division by zero. Fix by setting out-scale size as zero when the dst size is zero, similar to what is done by drm_calc_scale(). This issue started with the introduction of cursor ovelay mode that uses this function to assess cursor mode changes via dm_crtc_get_cursor_mode() before checking plane state. [Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI [ +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231 [ +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 <41> f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66 [ +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246 [ +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500 [ +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4 [ +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00 [ +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010 [ +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0 [ +0.000004] FS: 00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000 [ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0 [ +0.000004] Call Trace: [ +0.000007] <TASK> [ +0.000006] ? __die_body.cold+0x19/0x27 [ +0.000009] ? die+0x2e/0x50 [ +0.000007] ? do_trap+0xca/0x110 [ +0.000007] ? do_error_trap+0x6a/0x90 [ +0.000006] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000504] ? exc_divide_error+0x38/0x50 [ +0.000005] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000488] ? asm_exc_divide_error+0x1a/0x20 [ +0.000011] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000593] dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu] [ +0.000562] amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu] [ +0.000501] drm_atomic_check_only+0x5e1/0xa30 [drm] [ +0.000047] drm_mode_atomic_ioctl+0x832/0xcb0 [drm] [ +0.000050] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000047] drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000062] drm_ioctl+0x27a/0x4f0 [drm] [ +0.000049] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000055] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ +0.000360] __x64_sys_ioctl+0x97/0xd0 [ +0.000010] do_syscall_64+0x82/0x190 [ +0.000008] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000044] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000040] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __check_object_size+0x50/0x220 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? drm_ioctl+0x2a4/0x4f0 [drm] [ +0.000039] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000043] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __pm_runtime_suspend+0x69/0xc0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu] [ +0.000366] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? syscall_exit_to_user_mode+0x77/0x210 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000008] RIP: 0033:0x55bb7cd962bc [ +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64 ---truncated---

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-57919 was patched at 2025-03-27, 2025-04-01

81. Incorrect Calculation - Linux Kernel (CVE-2025-21898) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21898 was patched at 2025-04-12, 2025-04-23

82. Incorrect Calculation - Linux Kernel (CVE-2025-21962) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing closetimeo mount option User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02545

debian: CVE-2025-21962 was patched at 2025-04-12, 2025-04-23

83. Incorrect Calculation - Linux Kernel (CVE-2025-21963) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02545

debian: CVE-2025-21963 was patched at 2025-04-12, 2025-04-23

84. Incorrect Calculation - Linux Kernel (CVE-2025-21964) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acregmax mount option User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02545

debian: CVE-2025-21964 was patched at 2025-04-12, 2025-04-23

85. Incorrect Calculation - Linux Kernel (CVE-2025-21997) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Incorrect Calculation
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02506

debian: CVE-2025-21997 was patched at 2025-04-12, 2025-04-23

86. Memory Corruption - Linux Kernel (CVE-2024-48873) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: check return value of ieee80211_probereq_get() for RNR The return value of ieee80211_probereq_get() might be NULL, so check it before using to avoid NULL pointer access. Addresses-Coverity-ID: 1529805 ("Dereference null return value")

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03966

ubuntu: CVE-2024-48873 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

87. Memory Corruption - Linux Kernel (CVE-2024-56711) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference drm_mode_duplicate() could return NULL due to lack of memory, which will then call NULL pointer dereference. Add a check to prevent it.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-56711 was patched at 2025-03-27, 2025-04-01

88. Memory Corruption - Linux Kernel (CVE-2024-56773) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: kunit: Fix potential null dereference in kunit_device_driver_test() kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-56773 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

89. Memory Corruption - Linux Kernel (CVE-2024-57799) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM In some cases, rk_hdptx_phy_runtime_resume() may be invoked before platform_set_drvdata() is executed in ->probe(), leading to a NULL pointer dereference when using the return of dev_get_drvdata(). Ensure platform_set_drvdata() is called before devm_pm_runtime_enable().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-57799 was patched at 2025-03-27, 2025-04-01

90. Memory Corruption - Linux Kernel (CVE-2024-57881) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() In split_large_buddy(), we might call pfn_to_page() on a PFN that might not exist. In corner cases, such as when freeing the highest pageblock in the last memory section, this could result with CONFIG_SPARSEMEM && !CONFIG_SPARSEMEM_EXTREME in __pfn_to_section() returning NULL and and __section_mem_map_addr() dereferencing that NULL pointer. Let's fix it, and avoid doing a pfn_to_page() call for the first iteration, where we already have the page. So far this was found by code inspection, but let's just CC stable as the fix is easy.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-57881 was patched at 2025-03-27, 2025-04-01

91. Memory Corruption - Linux Kernel (CVE-2024-57933) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: gve: guard XSK operations on the existence of queues This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up. Similarly, xsk_wakeup needs be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03966

ubuntu: CVE-2024-57933 was patched at 2025-03-27, 2025-04-01

92. Memory Corruption - Linux Kernel (CVE-2024-57944) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads1298: Add NULL check in ads1298_init devm_kasprintf() can return a NULL pointer on failure. A check on the return value of such a call in ads1298_init() is missing. Add it.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-57944 was patched at 2025-03-27, 2025-04-01

93. Memory Corruption - Linux Kernel (CVE-2025-21642) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: mptcp: sysctl: sched: avoid using current->nsproxy Using the 'net' structure via 'current' is not recommended for different reasons. First, if the goal is to use it to read or write per-netns data, this is inconsistent with how the "generic" sysctl entries are doing: directly by only using pointers set to the table entry, e.g. table->data. Linked to that, the per-netns data should always be obtained from the table linked to the netns it had been created for, which may not coincide with the reader's or writer's netns. Another reason is that access to current->nsproxy->netns can oops if attempted when current->nsproxy had been dropped when the current task is exiting. This is what syzbot found, when using acct(2): Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612 __kernel_write+0xf6/0x140 fs/read_write.c:632 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539 acct_pin_kill+0x2d/0x100 kernel/acct.c:192 pin_kill+0x194/0x7c0 fs/fs_pin.c:44 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366 task_work_run+0x14e/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 get_signal+0x2576/0x2610 kernel/signal.c:3017 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fee3cb87a6a Code: Unable to access opcode bytes at 0x7fee3cb87a40. RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037 RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7 R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500 R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ---truncated---

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03966

ubuntu: CVE-2025-21642 was patched at 2025-03-27, 2025-04-01

94. Memory Corruption - Linux Kernel (CVE-2025-21644) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix tlb invalidation when wedging If GuC fails to load, the driver wedges, but in the process it tries to do stuff that may not be initialized yet. This moves the xe_gt_tlb_invalidation_init() to be done earlier: as its own doc says, it's a software-only initialization and should had been named with the _early() suffix. Move it to be called by xe_gt_init_early(), so the locks and seqno are initialized, avoiding a NULL ptr deref when wedging: xe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01 xe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed xe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged. ... BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G U W 6.13.0-rc4-xe+ #3 Tainted: [U]=USER, [W]=WARN Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022 RIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe] This can be easily triggered by poking the GuC binary to force a signature failure. There will still be an extra message, xe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100 but that's better than a NULL ptr deref. (cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2025-21644 was patched at 2025-03-27, 2025-04-01

95. Memory Corruption - Linux Kernel (CVE-2025-21661) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix missing lookup table cleanups When a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, the table is not removed. This prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released. Additionally, cleanup is also needed in the less likely case of platform_device_register_full() failure. Besides, a consistent memory leak in lookup_table->dev_id was spotted using kmemleak by toggling the live state between 0 and 1 with a correct lookup table. Introduce gpio_virtuser_remove_lookup_table() as the counterpart to the existing gpio_virtuser_make_lookup_table() and call it from all necessary points to ensure proper cleanup.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2025-21661 was patched at 2025-03-27, 2025-04-01

96. Memory Corruption - Linux Kernel (CVE-2025-21904) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: caif_virtio: fix wrong pointer check in cfv_probe() del_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked for NULL before calling it, not cfv->vdev. Also the current implementation is redundant because the pointer cfv->vdev is dereferenced before it is checked for NULL. Fix this by checking cfv->vq_tx for NULL instead of cfv->vdev before calling del_vqs().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21904 was patched at 2025-04-12, 2025-04-23

97. Memory Corruption - Linux Kernel (CVE-2025-21918) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02506

debian: CVE-2025-21918 was patched at 2025-04-12, 2025-04-23

98. Memory Corruption - Linux Kernel (CVE-2025-21936) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02506

debian: CVE-2025-21936 was patched at 2025-04-12, 2025-04-23

99. Memory Corruption - Linux Kernel (CVE-2025-21937) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02506

debian: CVE-2025-21937 was patched at 2025-04-12, 2025-04-23

100. Memory Corruption - Linux Kernel (CVE-2025-21941) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Null pointer dereference issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not null before accessing. This prevents a null pointer dereference. Found by code review. (cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02545

debian: CVE-2025-21941 was patched at 2025-04-12, 2025-04-23

101. Memory Corruption - Linux Kernel (CVE-2025-21948) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] is_event_supported drivers/input/input.c:67 [inline] input_event+0x42/0xa0 drivers/input/input.c:395 input_report_key include/linux/input.h:439 [inline] key_down drivers/hid/hid-appleir.c:159 [inline] appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleir_input_configured() is never called, hidinput_connect() fails which results in the HID_CLAIMED_INPUT flag is not being set. However, it does not make appleir_probe() fail and lets the event callback to be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21948 was patched at 2025-04-12, 2025-04-23

102. Memory Corruption - Linux Kernel (CVE-2025-21957) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21957 was patched at 2025-04-12, 2025-04-23

103. Memory Corruption - Linux Kernel (CVE-2025-21980) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: sched: address a potential NULL pointer dereference in the GRED scheduler. If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash. When table->opt is NULL in gred_init(), gred_change_table_def() is not called yet, so it is not necessary to call ->ndo_setup_tc() in gred_offload().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02506

debian: CVE-2025-21980 was patched at 2025-04-12, 2025-04-23

104. Memory Corruption - Linux Kernel (CVE-2025-21981) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allocated resources. This led to the memory leak with the following signature: [root@os-delivery ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xff3c1ca7252e6000 (size 8192): comm "kworker/0:0", pid 8, jiffies 4296833052 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340 [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice] [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice] [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice] [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice] [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice] [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0 [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20 [<ffffffff98f0b6d9>] process_one_work+0x179/0x390 [<ffffffff98f0c1e9>] worker_thread+0x239/0x340 [<ffffffff98f14abc>] kthread+0xcc/0x100 [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50 [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30 ...

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.02545

debian: CVE-2025-21981 was patched at 2025-04-12, 2025-04-23

105. Memory Corruption - Linux Kernel (CVE-2025-22007) - Medium [310]

Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01385

debian: CVE-2025-22007 was patched at 2025-04-12, 2025-04-23

106. Information Disclosure - Unknown Product (CVE-2025-31492) - Medium [302]

Description: {'nvd_cve_data_all': 'mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any application-level gateway (or load balancer etc) protecting the server. When you request a protected resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-submitting form), and the protected resource (with no headers). This is an example of a request for a protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try to issue the protected resource. oidc_content_handler is called early, which has the opportunity to prevent the normal output being issued by httpd. oidc_content_handler has a number of checks for when it intervenes, but it doesn't check for this case, so the handler returns DECLINED. Consequently, httpd appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >= 2.4.16.11.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and there mustn't be any application-level gateway (or load balancer etc) protecting the server. When you request a protected resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-submitting form), and the protected resource (with no headers). This is an example of a request for a protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try to issue the protected resource. oidc_content_handler is called early, which has the opportunity to prevent the normal output being issued by httpd. oidc_content_handler has a number of checks for when it intervenes, but it doesn't check for this case, so the handler returns DECLINED. Consequently, httpd appends the protected content to the response. The issue has been patched in mod_auth_openidc versions >= 2.4.16.11.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 8.2. According to Vulners data source
EPSS Percentile0.510EPSS Probability is 0.00237, EPSS Percentile is 0.46553

almalinux: CVE-2025-31492 was patched at 2025-04-17

debian: CVE-2025-31492 was patched at 2025-04-17, 2025-04-23

oraclelinux: CVE-2025-31492 was patched at 2025-04-22

redhat: CVE-2025-31492 was patched at 2025-04-16, 2025-04-23, 2025-04-24, 2025-04-28

ubuntu: CVE-2025-31492 was patched at 2025-04-23

107. Security Feature Bypass - MediaWiki (CVE-2025-32696) - Medium [301]

Description: Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.714MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00053, EPSS Percentile is 0.16437

debian: CVE-2025-32696 was patched at 2025-04-13, 2025-04-23

108. Security Feature Bypass - MediaWiki (CVE-2025-32697) - Medium [301]

Description: Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php. This issue affects MediaWiki: before 1.42.6, 1.43.1.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.915Security Feature Bypass
Vulnerable Product is Common0.714MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.0005, EPSS Percentile is 0.15409

debian: CVE-2025-32697 was patched at 2025-04-13, 2025-04-23

109. Denial of Service - Linux Kernel (CVE-2025-21925) - Medium [298]

Description: In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() uses in net/llc. [1] kernel BUG at net/core/skbuff.c:2178 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178 Call Trace: <TASK> __skb_pad+0x18a/0x610 net/core/skbuff.c:2466 __skb_put_padto include/linux/skbuff.h:3843 [inline] skb_put_padto include/linux/skbuff.h:3862 [inline] eth_skb_pad include/linux/etherdevice.h:656 [inline] e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3806 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:4045 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621 dev_queue_xmit include/linux/netdevice.h:3313 [inline] llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209 llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993 sock_sendmsg_nosec net/socket.c:718 [inline]

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21925 was patched at 2025-04-12, 2025-04-23

110. Memory Corruption - Git (CVE-2025-31115) - Medium [298]

Description: XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.414Git
CVSS Base Score0.910CVSS Base Score is 8.7. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00117, EPSS Percentile is 0.3178

debian: CVE-2025-31115 was patched at 2025-04-05, 2025-04-23

ubuntu: CVE-2025-31115 was patched at 2025-04-03

111. Memory Corruption - Linux Kernel (CVE-2024-57934) - Medium [298]

Description: In the Linux kernel, the following vulnerability has been resolved: fgraph: Add READ_ONCE() when accessing fgraph_array[] In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[] elements, which are fgraph_ops. The loop checks if an element is a fgraph_stub to prevent using a fgraph_stub afterward. However, if the compiler reloads fgraph_array[] after this check, it might race with an update to fgraph_array[] that introduces a fgraph_stub. This could result in the stub being processed, but the stub contains a null "func_hash" field, leading to a NULL pointer dereference. To ensure that the gops compared against the fgraph_stub matches the gops processed later, add a READ_ONCE(). A similar patch appears in commit 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]").

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.510CVSS Base Score is 4.7. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-57934 was patched at 2025-03-27, 2025-04-01

112. Memory Corruption - Linux Kernel (CVE-2025-21947) - Medium [298]

Description: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix type confusion via race condition when using ipc_msg_send_request req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on ida_alloc. req->handle from ksmbd_ipc_login_request and FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion between messages, resulting in access to unexpected parts of memory after an incorrect delivery. ksmbd check type of ipc response but missing add continue to check next ipc reponse.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.510CVSS Base Score is 4.7. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01956

debian: CVE-2025-21947 was patched at 2025-04-12, 2025-04-23

113. Cross Site Scripting - MediaWiki (CVE-2025-3469) - Medium [295]

Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common0.714MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.310EPSS Probability is 0.00093, EPSS Percentile is 0.27492

debian: CVE-2025-3469 was patched at 2025-04-13, 2025-04-23

114. Memory Corruption - Safari (CVE-2025-24216) - Medium [294]

Description: The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.410CVSS Base Score is 4.3. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00066, EPSS Percentile is 0.20822

almalinux: CVE-2025-24216 was patched at 2025-04-08, 2025-04-17

debian: CVE-2025-24216 was patched at 2025-04-10, 2025-04-23

oraclelinux: CVE-2025-24216 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2025-24216 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2025-24216 was patched at 2025-04-14

115. Memory Corruption - Safari (CVE-2025-30427) - Medium [294]

Description: A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.814Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
CVSS Base Score0.410CVSS Base Score is 4.3. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00079, EPSS Percentile is 0.24454

almalinux: CVE-2025-30427 was patched at 2025-04-08, 2025-04-17

debian: CVE-2025-30427 was patched at 2025-04-10, 2025-04-23

oraclelinux: CVE-2025-30427 was patched at 2025-04-08, 2025-04-17

redhat: CVE-2025-30427 was patched at 2025-04-08, 2025-04-09, 2025-04-17

ubuntu: CVE-2025-30427 was patched at 2025-04-14

116. Spoofing - Chromium (CVE-2025-3072) - Medium [288]

Description: Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.415Spoofing
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.510CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00066, EPSS Percentile is 0.20892

debian: CVE-2025-3072 was patched at 2025-04-03, 2025-04-23

117. Spoofing - Chromium (CVE-2025-3073) - Medium [288]

Description: Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.415Spoofing
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.510CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00066, EPSS Percentile is 0.20892

debian: CVE-2025-3073 was patched at 2025-04-03, 2025-04-23

118. Spoofing - Chromium (CVE-2025-3074) - Medium [288]

Description: Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.415Spoofing
Vulnerable Product is Common0.814Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score0.510CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00066, EPSS Percentile is 0.20892

debian: CVE-2025-3074 was patched at 2025-04-03, 2025-04-23

119. Memory Corruption - Linux Kernel (CVE-2024-56710) - Medium [286]

Description: In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leak in ceph_direct_read_write() The bvecs array which is allocated in iter_get_bvecs_alloc() is leaked and pages remain pinned if ceph_alloc_sparse_ext_map() fails. There is no need to delay the allocation of sparse_ext map until after the bvecs array is set up, so fix this by moving sparse_ext allocation a bit earlier. Also, make a similar adjustment in __ceph_sync_read() for consistency (a leak of the same kind in __ceph_sync_read() has been addressed differently).

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.310CVSS Base Score is 3.3. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06025

ubuntu: CVE-2024-56710 was patched at 2025-03-27, 2025-04-01

120. Remote Code Execution - Unknown Product (CVE-2025-30219) - Medium [285]

Description: {'nvd_cve_data_all': 'RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message (a notification) in the management UI. The error message includes virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3, 3.13.8. An attack that both makes a virtual host fail to start and creates a new virtual host name with an XSS code snippet or changes the name of an existing virtual host on disk could trigger arbitrary JavaScript code execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions\nwill display an error message (a notification) in the management UI. The error message includes virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3, 3.13.8. An attack that both makes a virtual host fail to start and creates a new virtual host name with an XSS code snippet or changes the name of an existing virtual host on disk could trigger arbitrary JavaScript code execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type1.015Remote Code Execution
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.610CVSS Base Score is 6.1. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.0011, EPSS Percentile is 0.30666

debian: CVE-2025-30219 was patched at 2025-04-23

ubuntu: CVE-2025-30219 was patched at 2025-03-31

121. Information Disclosure - GitHub (CVE-2024-53859) - Medium [276]

Description: go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved: 1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com and 2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server. Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common0.214GitHub, Inc. is an Internet hosting service for software development and version control using Git
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00031, EPSS Percentile is 0.07217

ubuntu: CVE-2024-53859 was patched at 2025-03-20

122. Authentication Bypass - Unknown Product (CVE-2025-23367) - Medium [270]

Description: {'nvd_cve_data_all': 'A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.9815Authentication Bypass
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00036, EPSS Percentile is 0.09236

redhat: CVE-2025-23367 was patched at 2025-04-01

123. Denial of Service - Unknown Product (CVE-2024-42643) - Medium [267]

Description: {'nvd_cve_data_all': 'Integer Overflow in fast_ping.c in SmartDNS Release46 allows remote attackers to cause a Denial of Service via misaligned memory access.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Integer Overflow in fast_ping.c in SmartDNS Release46 allows remote attackers to cause a Denial of Service via misaligned memory access.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00206, EPSS Percentile is 0.43274

ubuntu: CVE-2024-42643 was patched at 2025-03-25

124. Unknown Vulnerability Type - Vault (CVE-2022-40186) - Medium [266]

Description: {'nvd_cve_data_all': 'An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.614Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing
CVSS Base Score0.910CVSS Base Score is 9.1. According to NVD data source
EPSS Percentile0.510EPSS Probability is 0.00318, EPSS Percentile is 0.54038

redos: CVE-2022-40186 was patched at 2025-04-02

125. Memory Corruption - Linux Kernel (CVE-2025-21975) - Medium [263]

Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21975 was patched at 2025-04-12, 2025-04-23

126. Memory Corruption - Opensearch (CVE-2023-23933) - Medium [255]

Description: OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.514Product detected by a:amazon:opensearch (exists in CPE dict)
CVSS Base Score0.410CVSS Base Score is 4.3. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00085, EPSS Percentile is 0.2584

redos: CVE-2023-23933 was patched at 2025-04-03

127. Memory Corruption - Linux Kernel (CVE-2024-51729) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: mm: use aligned address in copy_user_gigantic_page() In current kernel, hugetlb_wp() calls copy_user_large_folio() with the fault address. Where the fault address may be not aligned with the huge page size. Then, copy_user_large_folio() may call copy_user_gigantic_page() with the address, while copy_user_gigantic_page() requires the address to be huge page size aligned. So, this may cause memory corruption or information leak, addtional, use more obvious naming 'addr_hint' instead of 'addr' for copy_user_gigantic_page().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-51729 was patched at 2025-03-27, 2025-04-01

128. Memory Corruption - Linux Kernel (CVE-2024-52319) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: mm: use aligned address in clear_gigantic_page() In current kernel, hugetlb_no_page() calls folio_zero_user() with the fault address. Where the fault address may be not aligned with the huge page size. Then, folio_zero_user() may call clear_gigantic_page() with the address, while clear_gigantic_page() requires the address to be huge page size aligned. So, this may cause memory corruption or information leak, addtional, use more obvious naming 'addr_hint' instead of 'addr' for clear_gigantic_page().

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-52319 was patched at 2025-03-27, 2025-04-01

129. Memory Corruption - Linux Kernel (CVE-2024-57921) - Medium [251]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add a lock when accessing the buddy trim function When running YouTube videos and Steam games simultaneously, the tester found a system hang / race condition issue with the multi-display configuration setting. Adding a lock to the buddy allocator's trim function would be the solution. <log snip> [ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108 [ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250470] Call Trace: [ 7197.250472] <TASK> [ 7197.250475] ? show_regs+0x6d/0x80 [ 7197.250481] ? die_addr+0x37/0xa0 [ 7197.250483] ? exc_general_protection+0x1db/0x480 [ 7197.250488] ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper] [ 7197.250493] ? asm_exc_general_protection+0x27/0x30 [ 7197.250498] ? __alloc_range+0x8b/0x340 [amddrm_buddy] [ 7197.250501] ? __alloc_range+0x109/0x340 [amddrm_buddy] [ 7197.250506] amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy] [ 7197.250511] amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu] [ 7197.250682] amdttm_resource_alloc+0x46/0xb0 [amdttm] [ 7197.250689] ttm_bo_alloc_resource+0xe4/0x370 [amdttm] [ 7197.250696] amdttm_bo_validate+0x9d/0x180 [amdttm] [ 7197.250701] amdgpu_bo_pin+0x15a/0x2f0 [amdgpu] [ 7197.250831] amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu] [ 7197.251025] ? try_wait_for_completion+0x59/0x70 [ 7197.251030] drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0 [ 7197.251035] drm_atomic_helper_prepare_planes+0x5d/0x70 [ 7197.251037] drm_atomic_helper_commit+0x84/0x160 [ 7197.251040] drm_atomic_nonblocking_commit+0x59/0x70 [ 7197.251043] drm_mode_atomic_ioctl+0x720/0x850 [ 7197.251047] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251049] drm_ioctl_kernel+0xb9/0x120 [ 7197.251053] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251056] drm_ioctl+0x2d4/0x550 [ 7197.251058] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [ 7197.251063] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ 7197.251186] __x64_sys_ioctl+0xa0/0xf0 [ 7197.251190] x64_sys_call+0x143b/0x25c0 [ 7197.251193] do_syscall_64+0x7f/0x180 [ 7197.251197] ? srso_alias_return_thunk+0x5/0xfbef5 [ 7197.251199] ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu] [ 7197.251329] ? drm_internal_framebuffer_create+0xb7/0x1a0 [ 7197.251332] ? srso_alias_return_thunk+0x5/0xfbef5 (cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516)

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57921 was patched at 2025-03-27, 2025-04-01

130. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21991) - Medium [245]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n "Some memory may share the same node as a CPU, and others are provided as\n memory only nodes."\n\nTherefore, some node CPU masks may be empty and wouldn't have a "first CPU".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n index 512 is out of range for type 'unsigned long[512]'\n [...]\n Call Trace:\n dump_stack\n __ubsan_handle_out_of_bounds\n load_microcode_amd\n request_microcode_amd\n reload_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n [ bp: Massage commit message, fix typo. ]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.810CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01704

debian: CVE-2025-21991 was patched at 2025-04-12, 2025-04-23

131. Denial of Service - Unknown Product (CVE-2025-30211) - Medium [244]

Description: {'nvd_cve_data_all': 'Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00057, EPSS Percentile is 0.17983

debian: CVE-2025-30211 was patched at 2025-04-20, 2025-04-23

ubuntu: CVE-2025-30211 was patched at 2025-04-08

132. Memory Corruption - Unknown Product (CVE-2025-32464) - Medium [244]

Description: {'nvd_cve_data_all': 'HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.710CVSS Base Score is 6.8. According to NVD data source
EPSS Percentile0.610EPSS Probability is 0.00356, EPSS Percentile is 0.56863

debian: CVE-2025-32464 was patched at 2025-04-23

ubuntu: CVE-2025-32464 was patched at 2025-04-10, 2025-04-23

133. Path Traversal - Unknown Product (CVE-2025-24965) - Medium [244]

Description: {'nvd_cve_data_all': 'crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'crun is an open source OCI Container Runtime fully written in C. In affected versions A malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Path Traversal
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 8.5. According to Vulners data source
EPSS Percentile0.210EPSS Probability is 0.00076, EPSS Percentile is 0.23614

redos: CVE-2025-24965 was patched at 2025-04-03

134. Unknown Vulnerability Type - MongoDB (CVE-2024-6375) - Medium [242]

Description: {'nvd_cve_data_all': 'A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.614MongoDB is a source-available, cross-platform, document-oriented database program
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.510EPSS Probability is 0.00247, EPSS Percentile is 0.47943

redos: CVE-2024-6375 was patched at 2025-03-26

135. Memory Corruption - Linux Kernel (CVE-2025-22015) - Medium [239]

Description: In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.010EPSS Probability is 0.00024, EPSS Percentile is 0.04697

debian: CVE-2025-22015 was patched at 2025-04-12, 2025-04-23

136. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56618) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx: gpcv2: Adjust delay after power up handshake The udelay(5) is not enough, sometimes below kernel panic still be triggered: [ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt [ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1 [ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT) [ 4.012985] Call trace: [...] [ 4.013029] arm64_serror_panic+0x64/0x70 [ 4.013034] do_serror+0x3c/0x70 [ 4.013039] el1h_64_error_handler+0x30/0x54 [ 4.013046] el1h_64_error+0x64/0x68 [ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48 [ 4.013059] __genpd_runtime_resume+0x30/0x80 [ 4.013066] genpd_runtime_resume+0x114/0x29c [ 4.013073] __rpm_callback+0x48/0x1e0 [ 4.013079] rpm_callback+0x68/0x80 [ 4.013084] rpm_resume+0x3bc/0x6a0 [ 4.013089] __pm_runtime_resume+0x50/0x9c [ 4.013095] pm_runtime_get_suppliers+0x60/0x8c [ 4.013101] __driver_probe_device+0x4c/0x14c [ 4.013108] driver_probe_device+0x3c/0x120 [ 4.013114] __driver_attach+0xc4/0x200 [ 4.013119] bus_for_each_dev+0x7c/0xe0 [ 4.013125] driver_attach+0x24/0x30 [ 4.013130] bus_add_driver+0x110/0x240 [ 4.013135] driver_register+0x68/0x124 [ 4.013142] __platform_driver_register+0x24/0x30 [ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma] [ 4.013163] do_one_initcall+0x60/0x1e0 [ 4.013168] do_init_module+0x5c/0x21c [ 4.013175] load_module+0x1a98/0x205c [ 4.013181] init_module_from_file+0x88/0xd4 [ 4.013187] __arm64_sys_finit_module+0x258/0x350 [ 4.013194] invoke_syscall.constprop.0+0x50/0xe0 [ 4.013202] do_el0_svc+0xa8/0xe0 [ 4.013208] el0_svc+0x3c/0x140 [ 4.013215] el0t_64_sync_handler+0x120/0x12c [ 4.013222] el0t_64_sync+0x190/0x194 [ 4.013228] SMP: stopping secondary CPUs The correct way is to wait handshake, but it needs BUS clock of BLK-CTL be enabled, which is in separate driver. So delay is the only option here. The udelay(10) is a data got by experiment.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx: gpcv2: Adjust delay after power up handshake\n\nThe udelay(5) is not enough, sometimes below kernel panic\nstill be triggered:\n\n[ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt\n[ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1\n[ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT)\n[ 4.012985] Call trace:\n[...]\n[ 4.013029] arm64_serror_panic+0x64/0x70\n[ 4.013034] do_serror+0x3c/0x70\n[ 4.013039] el1h_64_error_handler+0x30/0x54\n[ 4.013046] el1h_64_error+0x64/0x68\n[ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48\n[ 4.013059] __genpd_runtime_resume+0x30/0x80\n[ 4.013066] genpd_runtime_resume+0x114/0x29c\n[ 4.013073] __rpm_callback+0x48/0x1e0\n[ 4.013079] rpm_callback+0x68/0x80\n[ 4.013084] rpm_resume+0x3bc/0x6a0\n[ 4.013089] __pm_runtime_resume+0x50/0x9c\n[ 4.013095] pm_runtime_get_suppliers+0x60/0x8c\n[ 4.013101] __driver_probe_device+0x4c/0x14c\n[ 4.013108] driver_probe_device+0x3c/0x120\n[ 4.013114] __driver_attach+0xc4/0x200\n[ 4.013119] bus_for_each_dev+0x7c/0xe0\n[ 4.013125] driver_attach+0x24/0x30\n[ 4.013130] bus_add_driver+0x110/0x240\n[ 4.013135] driver_register+0x68/0x124\n[ 4.013142] __platform_driver_register+0x24/0x30\n[ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma]\n[ 4.013163] do_one_initcall+0x60/0x1e0\n[ 4.013168] do_init_module+0x5c/0x21c\n[ 4.013175] load_module+0x1a98/0x205c\n[ 4.013181] init_module_from_file+0x88/0xd4\n[ 4.013187] __arm64_sys_finit_module+0x258/0x350\n[ 4.013194] invoke_syscall.constprop.0+0x50/0xe0\n[ 4.013202] do_el0_svc+0xa8/0xe0\n[ 4.013208] el0_svc+0x3c/0x140\n[ 4.013215] el0t_64_sync_handler+0x120/0x12c\n[ 4.013222] el0t_64_sync+0x190/0x194\n[ 4.013228] SMP: stopping secondary CPUs\n\nThe correct way is to wait handshake, but it needs BUS clock of\nBLK-CTL be enabled, which is in separate driver. So delay is the\nonly option here. The udelay(10) is a data got by experiment.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

ubuntu: CVE-2024-56618 was patched at 2025-03-27, 2025-04-01

137. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56632) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix the memleak while create new ctrl failed Now while we create new ctrl failed, we have not free the tagset occupied by admin_q, here try to fix it.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix the memleak while create new ctrl failed\n\nNow while we create new ctrl failed, we have not free the\ntagset occupied by admin_q, here try to fix it.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

ubuntu: CVE-2024-56632 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

138. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56654) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is not safe since for the most part entries fetched this way shall be treated as rcu_dereference: \tNote that the value returned by rcu_dereference() is valid \tonly within the enclosing RCU read-side critical section [1]_. \tFor example, the following is **not** legal:: \t\trcu_read_lock(); \t\tp = rcu_dereference(head.next); \t\trcu_read_unlock(); \t\tx = p->address;\t/* BUG!!! */ \t\trcu_read_lock(); \t\ty = p->data;\t/* BUG!!! */ \t\trcu_read_unlock();', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix using rcu_read_(un)lock while iterating\n\nThe usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is\nnot safe since for the most part entries fetched this way shall be\ntreated as rcu_dereference:\n\n\tNote that the value returned by rcu_dereference() is valid\n\tonly within the enclosing RCU read-side critical section [1]_.\n\tFor example, the following is **not** legal::\n\n\t\trcu_read_lock();\n\t\tp = rcu_dereference(head.next);\n\t\trcu_read_unlock();\n\t\tx = p->address;\t/* BUG!!! */\n\t\trcu_read_lock();\n\t\ty = p->data;\t/* BUG!!! */\n\t\trcu_read_unlock();', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56654 was patched at 2025-03-27, 2025-04-01

139. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56655) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not defer rule destruction via call_rcu nf_tables_chain_destroy can sleep, it can't be used from call_rcu callbacks. Moreover, nf_tables_rule_release() is only safe for error unwinding, while transaction mutex is held and the to-be-desroyed rule was not exposed to either dataplane or dumps, as it deactives+frees without the required synchronize_rcu() in-between. nft_rule_expr_deactivate() callbacks will change ->use counters of other chains/sets, see e.g. nft_lookup .deactivate callback, these must be serialized via transaction mutex. Also add a few lockdep asserts to make this more explicit. Calling synchronize_rcu() isn't ideal, but fixing this without is hard and way more intrusive. As-is, we can get: WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x.. Workqueue: events nf_tables_trans_destroy_work RIP: 0010:nft_set_destroy+0x3fe/0x5c0 Call Trace: <TASK> nf_tables_trans_destroy_work+0x6b7/0xad0 process_one_work+0x64a/0xce0 worker_thread+0x613/0x10d0 In case the synchronize_rcu becomes an issue, we can explore alternatives. One way would be to allocate nft_trans_rule objects + one nft_trans_chain object, deactivate the rules + the chain and then defer the freeing to the nft destroy workqueue. We'd still need to keep the synchronize_rcu path as a fallback to handle -ENOMEM corner cases though.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not defer rule destruction via call_rcu\n\nnf_tables_chain_destroy can sleep, it can't be used from call_rcu\ncallbacks.\n\nMoreover, nf_tables_rule_release() is only safe for error unwinding,\nwhile transaction mutex is held and the to-be-desroyed rule was not\nexposed to either dataplane or dumps, as it deactives+frees without\nthe required synchronize_rcu() in-between.\n\nnft_rule_expr_deactivate() callbacks will change ->use counters\nof other chains/sets, see e.g. nft_lookup .deactivate callback, these\nmust be serialized via transaction mutex.\n\nAlso add a few lockdep asserts to make this more explicit.\n\nCalling synchronize_rcu() isn't ideal, but fixing this without is hard\nand way more intrusive. As-is, we can get:\n\nWARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x..\nWorkqueue: events nf_tables_trans_destroy_work\nRIP: 0010:nft_set_destroy+0x3fe/0x5c0\nCall Trace:\n <TASK>\n nf_tables_trans_destroy_work+0x6b7/0xad0\n process_one_work+0x64a/0xce0\n worker_thread+0x613/0x10d0\n\nIn case the synchronize_rcu becomes an issue, we can explore alternatives.\n\nOne way would be to allocate nft_trans_rule objects + one nft_trans_chain\nobject, deactivate the rules + the chain and then defer the freeing to the\nnft destroy workqueue. We'd still need to keep the synchronize_rcu path as\na fallback to handle -ENOMEM corner cases though.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00029, EPSS Percentile is 0.06488

ubuntu: CVE-2024-56655 was patched at 2025-03-27, 2025-04-01

140. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56656) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of the previous generation (5750X or P5). However, the aggregation ID fields in the completion structures on P7 have been redefined from 16 bits to 12 bits. The freed up 4 bits are redefined for part of the metadata such as the VLAN ID. The aggregation ID mask was not modified when adding support for P7 chips. Including the extra 4 bits for the aggregation ID can potentially cause the driver to store or fetch the packet header of GRO/LRO packets in the wrong TPA buffer. It may hit the BUG() condition in __skb_pull() because the SKB contains no valid packet header: kernel BUG at include/linux/skbuff.h:2766! Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022 RIP: 0010:eth_type_trans+0xda/0x140 Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48 RSP: 0018:ff615003803fcc28 EFLAGS: 00010283 RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040 RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000 RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001 R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0 R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000 FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? eth_type_trans+0xda/0x140 ? do_error_trap+0x65/0x80 ? eth_type_trans+0xda/0x140 ? exc_invalid_op+0x4e/0x70 ? eth_type_trans+0xda/0x140 ? asm_exc_invalid_op+0x16/0x20 ? eth_type_trans+0xda/0x140 bnxt_tpa_end+0x10b/0x6b0 [bnxt_en] ? bnxt_tpa_start+0x195/0x320 [bnxt_en] bnxt_rx_pkt+0x902/0xd90 [bnxt_en] ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en] ? kmem_cache_free+0x343/0x440 ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en] __bnxt_poll_work+0x193/0x370 [bnxt_en] bnxt_poll_p5+0x9a/0x300 [bnxt_en] ? try_to_wake_up+0x209/0x670 __napi_poll+0x29/0x1b0 Fix it by redefining the aggregation ID mask for P5_PLUS chips to be 12 bits. This will work because the maximum aggregation ID is less than 4096 on all P5_PLUS chips.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips\n\nThe 5760X (P7) chip's HW GRO/LRO interface is very similar to that of\nthe previous generation (5750X or P5). However, the aggregation ID\nfields in the completion structures on P7 have been redefined from\n16 bits to 12 bits. The freed up 4 bits are redefined for part of the\nmetadata such as the VLAN ID. The aggregation ID mask was not modified\nwhen adding support for P7 chips. Including the extra 4 bits for the\naggregation ID can potentially cause the driver to store or fetch the\npacket header of GRO/LRO packets in the wrong TPA buffer. It may hit\nthe BUG() condition in __skb_pull() because the SKB contains no valid\npacket header:\n\nkernel BUG at include/linux/skbuff.h:2766!\nOops: invalid opcode: 0000 1 PREEMPT SMP NOPTI\nCPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022\nRIP: 0010:eth_type_trans+0xda/0x140\nCode: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48\nRSP: 0018:ff615003803fcc28 EFLAGS: 00010283\nRAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040\nRDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000\nRBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001\nR10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0\nR13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000\nFS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? eth_type_trans+0xda/0x140\n ? do_error_trap+0x65/0x80\n ? eth_type_trans+0xda/0x140\n ? exc_invalid_op+0x4e/0x70\n ? eth_type_trans+0xda/0x140\n ? asm_exc_invalid_op+0x16/0x20\n ? eth_type_trans+0xda/0x140\n bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]\n ? bnxt_tpa_start+0x195/0x320 [bnxt_en]\n bnxt_rx_pkt+0x902/0xd90 [bnxt_en]\n ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]\n ? kmem_cache_free+0x343/0x440\n ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]\n __bnxt_poll_work+0x193/0x370 [bnxt_en]\n bnxt_poll_p5+0x9a/0x300 [bnxt_en]\n ? try_to_wake_up+0x209/0x670\n __napi_poll+0x29/0x1b0\n\nFix it by redefining the aggregation ID mask for P5_PLUS chips to be\n12 bits. This will work because the maximum aggregation ID is less\nthan 4096 on all P5_PLUS chips.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

oraclelinux: CVE-2024-56656 was patched at 2025-04-11

ubuntu: CVE-2024-56656 was patched at 2025-03-27, 2025-04-01

141. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56673) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: riscv: mm: Do not call pmd dtor on vmemmap page table teardown The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is *not* called, nor would it make sense to do so. Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case). This issue was found when running the HMM selftests: | tools/testing/selftests/mm# ./test_hmm.sh smoke | ... # when unloading the test_hmm.ko module | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b | flags: 0x1000000000000000(node=0|zone=1) | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte) | ------------[ cut here ]------------ | kernel BUG at include/linux/mm.h:3080! | Kernel BUG [#1] | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2 | Tainted: [W]=WARN | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024 | epc : remove_pgd_mapping+0xbec/0x1070 | ra : remove_pgd_mapping+0xbec/0x1070 | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940 | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04 | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50 | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008 | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000 | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8 | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000 | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000 | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0 | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00 | t5 : ff60000080244000 t6 : ff20000000a73708 | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003 | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070 | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e | [<ffffffff8032e698>] section_deactivate+0x220/0x452 | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58 | [<ffffffff802f8700>] __remove_pages+0x7e/0xba | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm] | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm] | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6 | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266 | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2 | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597 | ---[ end trace 0000000000000000 ]--- | Kernel panic - not syncing: Fatal exception in interrupt Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n | tools/testing/selftests/mm# ./test_hmm.sh smoke\n | ... # when unloading the test_hmm.ko module\n | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n | flags: 0x1000000000000000(node=0|zone=1)\n | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n | ------------[ cut here ]------------\n | kernel BUG at include/linux/mm.h:3080!\n | Kernel BUG [#1]\n | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2\n | Tainted: [W]=WARN\n | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n | epc : remove_pgd_mapping+0xbec/0x1070\n | ra : remove_pgd_mapping+0xbec/0x1070\n | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n | t5 : ff60000080244000 t6 : ff20000000a73708\n | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n | [<ffffffff8032e698>] section_deactivate+0x220/0x452\n | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58\n | [<ffffffff802f8700>] __remove_pages+0x7e/0xba\n | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe\n | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6\n | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266\n | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2\n | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n | ---[ end trace 0000000000000000 ]---\n | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05344

ubuntu: CVE-2024-56673 was patched at 2025-03-27, 2025-04-01

142. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57905) - Medium [233]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-ads1119: fix information leak in triggered buffer The 'scan' local struct is used to push data to user space from a triggered buffer, but it has a hole between the sample (unsigned int) and the timestamp. This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads1119: fix information leak in triggered buffer\n\nThe 'scan' local struct is used to push data to user space from a\ntriggered buffer, but it has a hole between the sample (unsigned int)\nand the timestamp. This hole is never initialized.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.710CVSS Base Score is 7.1. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03282

ubuntu: CVE-2024-57905 was patched at 2025-03-27, 2025-04-01

143. Denial of Service - Unknown Product (CVE-2024-8447) - Medium [232]

Description: {'nvd_cve_data_all': 'A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.610CVSS Base Score is 5.9. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00102, EPSS Percentile is 0.29351

redhat: CVE-2024-8447 was patched at 2025-03-27

144. Memory Corruption - Unknown Product (CVE-2023-48183) - Medium [232]

Description: {'nvd_cve_data_all': 'QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00213, EPSS Percentile is 0.43992

ubuntu: CVE-2023-48183 was patched at 2025-04-15

145. Cross Site Scripting - Unknown Product (CVE-2025-2361) - Medium [226]

Description: {'nvd_cve_data_all': 'A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.410CVSS Base Score is 4.3. According to NVD data source
EPSS Percentile0.310EPSS Probability is 0.00082, EPSS Percentile is 0.25125

debian: CVE-2025-2361 was patched at 2025-03-22, 2025-04-23

146. Unknown Vulnerability Type - smartdns (CVE-2024-24198) - Medium [226]

Description: {'nvd_cve_data_all': 'smartdns commit 54b4dc was discovered to contain a misaligned address at smartdns/src/util.c.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'smartdns commit 54b4dc was discovered to contain a misaligned address at smartdns/src/util.c.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.514Product detected by a:pymumu:smartdns (does NOT exist in CPE dict)
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00191, EPSS Percentile is 0.41487

ubuntu: CVE-2024-24198 was patched at 2025-03-25

147. Unknown Vulnerability Type - smartdns (CVE-2024-24199) - Medium [226]

Description: {'nvd_cve_data_all': 'smartdns commit 54b4dc was discovered to contain a misaligned address at smartdns/src/dns.c.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'smartdns commit 54b4dc was discovered to contain a misaligned address at smartdns/src/dns.c.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.514Product detected by a:pymumu:smartdns (does NOT exist in CPE dict)
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.410EPSS Probability is 0.00222, EPSS Percentile is 0.44931

ubuntu: CVE-2024-24199 was patched at 2025-03-25

148. Unknown Vulnerability Type - Linux Kernel (CVE-2024-54191) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_conn_big_sync This fixes the circular locking dependency warning below, by reworking iso_sock_recvmsg, to ensure that the socket lock is always released before calling a function that locks hdev. [ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock. [ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] do_syscall_64+0x87/0x150 [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] lock_acquire+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] do_syscall_64+0x87/0x150 [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sock_recvmsg+0x1d5/0x240 [ 561.670725] sock_read_iter+0x27d/0x470 [ 561.670727] vfs_read+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64_sys_read+0x72/0xc0 [ 561.670736] x64_sys_call+0x1b12/0x25f0 [ 561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] other info that might help us debug this: [ 561.670745] Chain exists of: &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH [ 561.670751] Possible unsafe locking scenario: [ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] lock(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] lock(sk_lock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK ***', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[ 561.670344] ======================================================\n[ 561.670346] WARNING: possible circular locking dependency detected\n[ 561.670349] 6.12.0-rc6+ #26 Not tainted\n[ 561.670351] ------------------------------------------------------\n[ 561.670353] iso-tester/3289 is trying to acquire lock:\n[ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3},\n at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[ 561.670405]\n but task is already holding lock:\n[ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[ 561.670450]\n which lock already depends on the new lock.\n\n[ 561.670452]\n the existing dependency chain (in reverse order) is:\n[ 561.670453]\n -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[ 561.670458] lock_acquire+0x7c/0xc0\n[ 561.670463] lock_sock_nested+0x3b/0xf0\n[ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth]\n[ 561.670547] do_accept+0x3dd/0x610\n[ 561.670550] __sys_accept4+0xd8/0x170\n[ 561.670553] __x64_sys_accept+0x74/0xc0\n[ 561.670556] x64_sys_call+0x17d6/0x25f0\n[ 561.670559] do_syscall_64+0x87/0x150\n[ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670567]\n -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[ 561.670571] lock_acquire+0x7c/0xc0\n[ 561.670574] lock_sock_nested+0x3b/0xf0\n[ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth]\n[ 561.670617] __sys_listen_socket+0xef/0x130\n[ 561.670620] __x64_sys_listen+0xe1/0x190\n[ 561.670623] x64_sys_call+0x2517/0x25f0\n[ 561.670626] do_syscall_64+0x87/0x150\n[ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670632]\n -> #0 (&hdev->lock){+.+.}-{3:3}:\n[ 561.670636] __lock_acquire+0x32ad/0x6ab0\n[ 561.670639] lock_acquire.part.0+0x118/0x360\n[ 561.670642] lock_acquire+0x7c/0xc0\n[ 561.670644] __mutex_lock+0x18d/0x12f0\n[ 561.670647] mutex_lock_nested+0x1b/0x30\n[ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth]\n[ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[ 561.670722] sock_recvmsg+0x1d5/0x240\n[ 561.670725] sock_read_iter+0x27d/0x470\n[ 561.670727] vfs_read+0x9a0/0xd30\n[ 561.670731] ksys_read+0x1a8/0x250\n[ 561.670733] __x64_sys_read+0x72/0xc0\n[ 561.670736] x64_sys_call+0x1b12/0x25f0\n[ 561.670738] do_syscall_64+0x87/0x150\n[ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 561.670744]\n other info that might help us debug this:\n\n[ 561.670745] Chain exists of:\n&hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH\n\n[ 561.670751] Possible unsafe locking scenario:\n\n[ 561.670753] CPU0 CPU1\n[ 561.670754] ---- ----\n[ 561.670756] lock(sk_lock-AF_BLUETOOTH);\n[ 561.670758] lock(sk_lock\n AF_BLUETOOTH-BTPROTO_ISO);\n[ 561.670761] lock(sk_lock-AF_BLUETOOTH);\n[ 561.670764] lock(&hdev->lock);\n[ 561.670767]\n *** DEADLOCK ***', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01741

ubuntu: CVE-2024-54191 was patched at 2025-03-27, 2025-04-01

149. Unknown Vulnerability Type - Linux Kernel (CVE-2024-54460) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Fix circular lock in iso_listen_bis This fixes the circular locking dependency warning below, by releasing the socket lock before enterning iso_listen_bis, to avoid any potential deadlock with hdev lock. [ 75.307983] ====================================================== [ 75.307984] WARNING: possible circular locking dependency detected [ 75.307985] 6.12.0-rc6+ #22 Not tainted [ 75.307987] ------------------------------------------------------ [ 75.307987] kworker/u81:2/2623 is trying to acquire lock: [ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO) at: iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308021] but task is already holding lock: [ 75.308022] ffff8fdd61a10078 (&hdev->lock) at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308053] which lock already depends on the new lock. [ 75.308054] the existing dependency chain (in reverse order) is: [ 75.308055] -> #1 (&hdev->lock){+.+.}-{3:3}: [ 75.308057] __mutex_lock+0xad/0xc50 [ 75.308061] mutex_lock_nested+0x1b/0x30 [ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth] [ 75.308085] __sys_listen_socket+0x49/0x60 [ 75.308088] __x64_sys_listen+0x4c/0x90 [ 75.308090] x64_sys_call+0x2517/0x25f0 [ 75.308092] do_syscall_64+0x87/0x150 [ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 75.308098] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 75.308100] __lock_acquire+0x155e/0x25f0 [ 75.308103] lock_acquire+0xc9/0x300 [ 75.308105] lock_sock_nested+0x32/0x90 [ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth] [ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth] [ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth] [ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth] [ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth] [ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth] [ 75.308254] process_one_work+0x212/0x740 [ 75.308256] worker_thread+0x1bd/0x3a0 [ 75.308258] kthread+0xe4/0x120 [ 75.308259] ret_from_fork+0x44/0x70 [ 75.308261] ret_from_fork_asm+0x1a/0x30 [ 75.308263] other info that might help us debug this: [ 75.308264] Possible unsafe locking scenario: [ 75.308264] CPU0 CPU1 [ 75.308265] ---- ---- [ 75.308265] lock(&hdev->lock); [ 75.308267] lock(sk_lock- AF_BLUETOOTH-BTPROTO_ISO); [ 75.308268] lock(&hdev->lock); [ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO); [ 75.308270] *** DEADLOCK *** [ 75.308271] 4 locks held by kworker/u81:2/2623: [ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x443/0x740 [ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)), at: process_one_work+0x1ce/0x740 [ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3} at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] [ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2}, at: hci_connect_cfm+0x29/0x190 [bluetooth]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_listen_bis\n\nThis fixes the circular locking dependency warning below, by\nreleasing the socket lock before enterning iso_listen_bis, to\navoid any potential deadlock with hdev lock.\n\n[ 75.307983] ======================================================\n[ 75.307984] WARNING: possible circular locking dependency detected\n[ 75.307985] 6.12.0-rc6+ #22 Not tainted\n[ 75.307987] ------------------------------------------------------\n[ 75.307987] kworker/u81:2/2623 is trying to acquire lock:\n[ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO)\n at: iso_connect_cfm+0x253/0x840 [bluetooth]\n[ 75.308021]\n but task is already holding lock:\n[ 75.308022] ffff8fdd61a10078 (&hdev->lock)\n at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[ 75.308053]\n which lock already depends on the new lock.\n\n[ 75.308054]\n the existing dependency chain (in reverse order) is:\n[ 75.308055]\n -> #1 (&hdev->lock){+.+.}-{3:3}:\n[ 75.308057] __mutex_lock+0xad/0xc50\n[ 75.308061] mutex_lock_nested+0x1b/0x30\n[ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth]\n[ 75.308085] __sys_listen_socket+0x49/0x60\n[ 75.308088] __x64_sys_listen+0x4c/0x90\n[ 75.308090] x64_sys_call+0x2517/0x25f0\n[ 75.308092] do_syscall_64+0x87/0x150\n[ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 75.308098]\n -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[ 75.308100] __lock_acquire+0x155e/0x25f0\n[ 75.308103] lock_acquire+0xc9/0x300\n[ 75.308105] lock_sock_nested+0x32/0x90\n[ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth]\n[ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth]\n[ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth]\n[ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth]\n[ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth]\n[ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth]\n[ 75.308254] process_one_work+0x212/0x740\n[ 75.308256] worker_thread+0x1bd/0x3a0\n[ 75.308258] kthread+0xe4/0x120\n[ 75.308259] ret_from_fork+0x44/0x70\n[ 75.308261] ret_from_fork_asm+0x1a/0x30\n[ 75.308263]\n other info that might help us debug this:\n\n[ 75.308264] Possible unsafe locking scenario:\n\n[ 75.308264] CPU0 CPU1\n[ 75.308265] ---- ----\n[ 75.308265] lock(&hdev->lock);\n[ 75.308267] lock(sk_lock-\n AF_BLUETOOTH-BTPROTO_ISO);\n[ 75.308268] lock(&hdev->lock);\n[ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);\n[ 75.308270]\n *** DEADLOCK ***\n\n[ 75.308271] 4 locks held by kworker/u81:2/2623:\n[ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0},\n at: process_one_work+0x443/0x740\n[ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)),\n at: process_one_work+0x1ce/0x740\n[ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3}\n at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2},\n at: hci_connect_cfm+0x29/0x190 [bluetooth]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01741

ubuntu: CVE-2024-54460 was patched at 2025-03-27, 2025-04-01

150. Unknown Vulnerability Type - Linux Kernel (CVE-2024-55642) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: block: Prevent potential deadlocks in zone write plug error recovery Zone write plugging for handling writes to zones of a zoned block device always execute a zone report whenever a write BIO to a zone fails. The intent of this is to ensure that the tracking of a zone write pointer is always correct to ensure that the alignment to a zone write pointer of write BIOs can be checked on submission and that we can always correctly emulate zone append operations using regular write BIOs. However, this error recovery scheme introduces a potential deadlock if a device queue freeze is initiated while BIOs are still plugged in a zone write plug and one of these write operation fails. In such case, the disk zone write plug error recovery work is scheduled and executes a report zone. This in turn can result in a request allocation in the underlying driver to issue the report zones command to the device. But with the device queue freeze already started, this allocation will block, preventing the report zone execution and the continuation of the processing of the plugged BIOs. As plugged BIOs hold a queue usage reference, the queue freeze itself will never complete, resulting in a deadlock. Avoid this problem by completely removing from the zone write plugging code the use of report zones operations after a failed write operation, instead relying on the device user to either execute a report zones, reset the zone, finish the zone, or give up writing to the device (which is a fairly common pattern for file systems which degrade to read-only after write failures). This is not an unreasonnable requirement as all well-behaved applications, FSes and device mapper already use report zones to recover from write errors whenever possible by comparing the current position of a zone write pointer with what their assumption about the position is. The changes to remove the automatic error recovery are as follows: - Completely remove the error recovery work and its associated resources (zone write plug list head, disk error list, and disk zone_wplugs_work work struct). This also removes the functions disk_zone_wplug_set_error() and disk_zone_wplug_clear_error(). - Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write plug whenever a write opration targetting the zone of the zone write plug fails. This flag indicates that the zone write pointer offset is not reliable and that it must be updated when the next report zone, reset zone, finish zone or disk revalidation is executed. - Modify blk_zone_write_plug_bio_endio() to set the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed write BIO. - Modify the function disk_zone_wplug_set_wp_offset() to clear this new flag, thus implementing recovery of a correct write pointer offset with the reset (all) zone and finish zone operations. - Modify blkdev_report_zones() to always use the disk_report_zones_cb() callback so that disk_zone_wplug_sync_wp_offset() can be called for any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag. This implements recovery of a correct write pointer offset for zone write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within the range of the report zones operation executed by the user. - Modify blk_revalidate_seq_zone() to call disk_zone_wplug_sync_wp_offset() for all sequential write required zones when a zoned block device is revalidated, thus always resolving any inconsistency between the write pointer offset of zone write plugs and the actual write pointer position of sequential zones.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Prevent potential deadlocks in zone write plug error recovery\n\nZone write plugging for handling writes to zones of a zoned block\ndevice always execute a zone report whenever a write BIO to a zone\nfails. The intent of this is to ensure that the tracking of a zone write\npointer is always correct to ensure that the alignment to a zone write\npointer of write BIOs can be checked on submission and that we can\nalways correctly emulate zone append operations using regular write\nBIOs.\n\nHowever, this error recovery scheme introduces a potential deadlock if a\ndevice queue freeze is initiated while BIOs are still plugged in a zone\nwrite plug and one of these write operation fails. In such case, the\ndisk zone write plug error recovery work is scheduled and executes a\nreport zone. This in turn can result in a request allocation in the\nunderlying driver to issue the report zones command to the device. But\nwith the device queue freeze already started, this allocation will\nblock, preventing the report zone execution and the continuation of the\nprocessing of the plugged BIOs. As plugged BIOs hold a queue usage\nreference, the queue freeze itself will never complete, resulting in a\ndeadlock.\n\nAvoid this problem by completely removing from the zone write plugging\ncode the use of report zones operations after a failed write operation,\ninstead relying on the device user to either execute a report zones,\nreset the zone, finish the zone, or give up writing to the device (which\nis a fairly common pattern for file systems which degrade to read-only\nafter write failures). This is not an unreasonnable requirement as all\nwell-behaved applications, FSes and device mapper already use report\nzones to recover from write errors whenever possible by comparing the\ncurrent position of a zone write pointer with what their assumption\nabout the position is.\n\nThe changes to remove the automatic error recovery are as follows:\n - Completely remove the error recovery work and its associated\n resources (zone write plug list head, disk error list, and disk\n zone_wplugs_work work struct). This also removes the functions\n disk_zone_wplug_set_error() and disk_zone_wplug_clear_error().\n\n - Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into\n BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write\n plug whenever a write opration targetting the zone of the zone write\n plug fails. This flag indicates that the zone write pointer offset is\n not reliable and that it must be updated when the next report zone,\n reset zone, finish zone or disk revalidation is executed.\n\n - Modify blk_zone_write_plug_bio_endio() to set the\n BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed\n write BIO.\n\n - Modify the function disk_zone_wplug_set_wp_offset() to clear this\n new flag, thus implementing recovery of a correct write pointer\n offset with the reset (all) zone and finish zone operations.\n\n - Modify blkdev_report_zones() to always use the disk_report_zones_cb()\n callback so that disk_zone_wplug_sync_wp_offset() can be called for\n any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag.\n This implements recovery of a correct write pointer offset for zone\n write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within\n the range of the report zones operation executed by the user.\n\n - Modify blk_revalidate_seq_zone() to call\n disk_zone_wplug_sync_wp_offset() for all sequential write required\n zones when a zoned block device is revalidated, thus always resolving\n any inconsistency between the write pointer offset of zone write\n plugs and the actual write pointer position of sequential zones.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00016, EPSS Percentile is 0.02279

ubuntu: CVE-2024-55642 was patched at 2025-03-27, 2025-04-01

151. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56671) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: gpio: graniterapids: Fix vGPIO driver crash Move setting irq_chip.name from probe() function to the initialization of "irq_chip" struct in order to fix vGPIO driver crash during bootup. Crash was caused by unauthorized modification of irq_chip.name field where irq_chip struct was initialized as const. This behavior is a consequence of suboptimal implementation of gpio_irq_chip_set_chip(), which should be changed to avoid casting away const qualifier. Crash log: BUG: unable to handle page fault for address: ffffffffc0ba81c0 /#PF: supervisor write access in kernel mode /#PF: error_code(0x0003) - permissions violation CPU: 33 UID: 0 PID: 1075 Comm: systemd-udevd Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 #1 Hardware name: Intel Corporation Kaseyville RP/Kaseyville RP, BIOS KVLDCRB1.PGS.0026.D73.2410081258 10/08/2024 RIP: 0010:gnr_gpio_probe+0x171/0x220 [gpio_graniterapids]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: graniterapids: Fix vGPIO driver crash\n\nMove setting irq_chip.name from probe() function to the initialization\nof "irq_chip" struct in order to fix vGPIO driver crash during bootup.\n\nCrash was caused by unauthorized modification of irq_chip.name field\nwhere irq_chip struct was initialized as const.\n\nThis behavior is a consequence of suboptimal implementation of\ngpio_irq_chip_set_chip(), which should be changed to avoid\ncasting away const qualifier.\n\nCrash log:\nBUG: unable to handle page fault for address: ffffffffc0ba81c0\n/#PF: supervisor write access in kernel mode\n/#PF: error_code(0x0003) - permissions violation\nCPU: 33 UID: 0 PID: 1075 Comm: systemd-udevd Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 #1\nHardware name: Intel Corporation Kaseyville RP/Kaseyville RP, BIOS KVLDCRB1.PGS.0026.D73.2410081258 10/08/2024\nRIP: 0010:gnr_gpio_probe+0x171/0x220 [gpio_graniterapids]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03465

ubuntu: CVE-2024-56671 was patched at 2025-03-27, 2025-04-01

152. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56760) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Handle lack of irqdomain gracefully Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a RISCV platform which does not provide PCI/MSI support: WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32 __pci_enable_msix_range+0x30c/0x596 pci_msi_setup_msi_irqs+0x2c/0x32 pci_alloc_irq_vectors_affinity+0xb8/0xe2 RISCV uses hierarchical interrupt domains and correctly does not implement the legacy fallback. The warning triggers from the legacy fallback stub. That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent domain is associated with the device or not. There is a check for MSI-X, which has a legacy assumption. But that legacy fallback assumption is only valid when legacy support is enabled, but otherwise the check should simply return -ENOTSUPP. Loongarch tripped over the same problem and blindly enabled legacy support without implementing the legacy fallbacks. There are weak implementations which return an error, so the problem was papered over. Correct pci_msi_domain_supports() to evaluate the legacy mode and add the missing supported check into the MSI enable path to complete it.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/MSI: Handle lack of irqdomain gracefully\n\nAlexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a\nRISCV platform which does not provide PCI/MSI support:\n\n WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32\n __pci_enable_msix_range+0x30c/0x596\n pci_msi_setup_msi_irqs+0x2c/0x32\n pci_alloc_irq_vectors_affinity+0xb8/0xe2\n\nRISCV uses hierarchical interrupt domains and correctly does not implement\nthe legacy fallback. The warning triggers from the legacy fallback stub.\n\nThat warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent\ndomain is associated with the device or not. There is a check for MSI-X,\nwhich has a legacy assumption. But that legacy fallback assumption is only\nvalid when legacy support is enabled, but otherwise the check should simply\nreturn -ENOTSUPP.\n\nLoongarch tripped over the same problem and blindly enabled legacy support\nwithout implementing the legacy fallbacks. There are weak implementations\nwhich return an error, so the problem was papered over.\n\nCorrect pci_msi_domain_supports() to evaluate the legacy mode and add\nthe missing supported check into the MSI enable path to complete it.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03966

oraclelinux: CVE-2024-56760 was patched at 2025-04-11

ubuntu: CVE-2024-56760 was patched at 2025-03-27, 2025-04-01

153. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56761) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary. When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the "kernel IBT no ENDBR" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue. Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn't preserve WFE and\nIRET doesn't set WFE. But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00023, EPSS Percentile is 0.0444

ubuntu: CVE-2024-56761 was patched at 2025-03-27, 2025-04-01

154. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56768) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP disabled can trigger the following bug, as pcpu_hot is unavailable: [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c [ 8.471849] #PF: supervisor read access in kernel mode [ 8.471881] #PF: error_code(0x0000) - not-present page Fix by inlining a return 0 in the !CONFIG_SMP case.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP\n\nOn x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP\ndisabled can trigger the following bug, as pcpu_hot is unavailable:\n\n [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c\n [ 8.471849] #PF: supervisor read access in kernel mode\n [ 8.471881] #PF: error_code(0x0000) - not-present page\n\nFix by inlining a return 0 in the !CONFIG_SMP case.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-56768 was patched at 2025-03-27, 2025-04-01

155. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56771) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information These four chips: * W25N512GW * W25N01GW * W25N01JW * W25N02JW all require a single bit of ECC strength and thus feature an on-die Hamming-like ECC engine. There is no point in filling a ->get_status() callback for them because the main ECC status bytes are located in standard places, and retrieving the number of bitflips in case of corrected chunk is both useless and unsupported (if there are bitflips, then there is 1 at most, so no need to query the chip for that). Without this change, a kernel warning triggers every time a bit flips.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spinand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information\n\nThese four chips:\n* W25N512GW\n* W25N01GW\n* W25N01JW\n* W25N02JW\nall require a single bit of ECC strength and thus feature an on-die\nHamming-like ECC engine. There is no point in filling a ->get_status()\ncallback for them because the main ECC status bytes are located in\nstandard places, and retrieving the number of bitflips in case of\ncorrected chunk is both useless and unsupported (if there are bitflips,\nthen there is 1 at most, so no need to query the chip for that).\n\nWithout this change, a kernel warning triggers every time a bit flips.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.03262

ubuntu: CVE-2024-56771 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

156. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57878) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained. Before this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0xffff800083963d50 After this patch: | # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn't initialize the temporary 'fpmr' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 6.1. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00018, EPSS Percentile is 0.02915

ubuntu: CVE-2024-57878 was patched at 2025-03-27, 2025-04-01

157. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21891) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline] ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651 ip6_route_output include/net/ip6_route.h:93 [inline] ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476 ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671 ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223 __netdev_start_xmit include/linux/netdevice.h:5150 [inline] netdev_start_xmit include/linux/netdevice.h:5159 [inline] xmit_one net/core/dev.c:3735 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751 sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343 qdisc_restart net/sched/sch_generic.c:408 [inline] __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416 qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127 net_tx_action+0x78b/0x940 net/core/dev.c:5484 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3132 [inline] packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164 sock_sendmsg_nosec net/socket.c:718 [inline]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header isis present in skb->head [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n ipv6_addr_type include/net/ipv6.h:555 [inline]\n ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n xmit_one net/core/dev.c:3735 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n qdisc_restart net/sched/sch_generic.c:408 [inline]\n __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n net_tx_action+0x78b/0x940 net/core/dev.c:5484\n handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n __do_softirq+0x14/0x1a kernel/softirq.c:595\n do_softirq+0x9a/0x100 kernel/softirq.c:462\n __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3132 [inline]\n packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n sock_sendmsg_nosec net/socket.c:718 [inline]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00019, EPSS Percentile is 0.0343

debian: CVE-2025-21891 was patched at 2025-04-12, 2025-04-23

158. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21912) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: rcar: Use raw_spinlock to protect register access\n\nUse raw_spinlock in order to fix spurious messages about invalid context\nwhen spinlock debugging is enabled. The lock is only used to serialize\nregister access.\n\n [ 4.239592] =============================\n [ 4.239595] [ BUG: Invalid wait context ]\n [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted\n [ 4.239603] -----------------------------\n [ 4.239606] kworker/u8:5/76 is trying to lock:\n [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164\n [ 4.239641] other info that might help us debug this:\n [ 4.239643] context-{5:5}\n [ 4.239646] 5 locks held by kworker/u8:5/76:\n [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c\n [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value.\n [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c\n [ 4.254109] #2: ffff00000920c8f8\n [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value.\n [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc\n [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690\n [ 4.264840] #4:\n [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value.\n [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690\n [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz\n [ 4.304082] stack backtrace:\n [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35\n [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n [ 4.304097] Workqueue: async async_run_entry_fn\n [ 4.304106] Call trace:\n [ 4.304110] show_stack+0x14/0x20 (C)\n [ 4.304122] dump_stack_lvl+0x6c/0x90\n [ 4.304131] dump_stack+0x14/0x1c\n [ 4.304138] __lock_acquire+0xdfc/0x1584\n [ 4.426274] lock_acquire+0x1c4/0x33c\n [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80\n [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164\n [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8\n [ 4.444422] __irq_set_trigger+0x5c/0x178\n [ 4.448435] __setup_irq+0x2e4/0x690\n [ 4.452012] request_threaded_irq+0xc4/0x190\n [ 4.456285] devm_request_threaded_irq+0x7c/0xf4\n [ 4.459398] ata1: link resume succeeded after 1 retries\n [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0\n [ 4.470660] mmc_start_host+0x50/0xac\n [ 4.474327] mmc_add_host+0x80/0xe4\n [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440\n [ 4.482094] renesas_sdhi_probe+0x488/0x6f4\n [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78\n [ 4.491509] platform_probe+0x64/0xd8\n [ 4.495178] really_probe+0xb8/0x2a8\n [ 4.498756] __driver_probe_device+0x74/0x118\n [ 4.503116] driver_probe_device+0x3c/0x154\n [ 4.507303] __device_attach_driver+0xd4/0x160\n [ 4.511750] bus_for_each_drv+0x84/0xe0\n [ 4.515588] __device_attach_async_helper+0xb0/0xdc\n [ 4.520470] async_run_entry_fn+0x30/0xd8\n [ 4.524481] process_one_work+0x210/0x62c\n [ 4.528494] worker_thread+0x1ac/0x340\n [ 4.532245] kthread+0x10c/0x110\n [ 4.535476] ret_from_fork+0x10/0x20', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01974

debian: CVE-2025-21912 was patched at 2025-04-12, 2025-04-23

159. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21922) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nppp: Fix KMSAN uninit-value warning with bpf\n\nSyzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the\nppp driver not initializing a 2-byte header when using socket filter.\n\nThe following code can generate a PPP filter BPF program:\n'''\nstruct bpf_program fp;\npcap_t *handle;\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\npcap_compile(handle, &fp, "ip and outbound", 0, 0);\nbpf_dump(&fp, 1);\n'''\nIts output is:\n'''\n(000) ldh [2]\n(001) jeq #0x21 jt 2 jf 5\n(002) ldb [0]\n(003) jeq #0x1 jt 4 jf 5\n(004) ret #65535\n(005) ret #0\n'''\nWen can find similar code at the following link:\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\nThe maintainer of this code repository is also the original maintainer\nof the ppp driver.\n\nAs you can see the BPF program skips 2 bytes of data and then reads the\n'Protocol' field to determine if it's an IP packet. Then it read the first\nbyte of the first 2 bytes to determine the direction.\n\nThe issue is that only the first byte indicating direction is initialized\nin current ppp driver code while the second byte is not initialized.\n\nFor normal BPF programs generated by libpcap, uninitialized data won't be\nused, so it's not a problem. However, for carefully crafted BPF programs,\nsuch as those generated by syzkaller [2], which start reading from offset\n0, the uninitialized data will be used and caught by KMSAN.\n\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\n[2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21922 was patched at 2025-04-12, 2025-04-23

160. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21951) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock\n\nThere are multiple places from where the recovery work gets scheduled\nasynchronously. Also, there are multiple places where the caller waits\nsynchronously for the recovery to be completed. One such place is during\nthe PM shutdown() callback.\n\nIf the device is not alive during recovery_work, it will try to reset the\ndevice using pci_reset_function(). This function internally will take the\ndevice_lock() first before resetting the device. By this time, if the lock\nhas already been acquired, then recovery_work will get stalled while\nwaiting for the lock. And if the lock was already acquired by the caller\nwhich waits for the recovery_work to be completed, it will lead to\ndeadlock.\n\nThis is what happened on the X1E80100 CRD device when the device died\nbefore shutdown() callback. Driver core calls the driver's shutdown()\ncallback while holding the device_lock() leading to deadlock.\n\nAnd this deadlock scenario can occur on other paths as well, like during\nthe PM suspend() callback, where the driver core would hold the\ndevice_lock() before calling driver's suspend() callback. And if the\nrecovery_work was already started, it could lead to deadlock. This is also\nobserved on the X1E80100 CRD.\n\nSo to fix both issues, use pci_try_reset_function() in recovery_work. This\nfunction first checks for the availability of the device_lock() before\ntrying to reset the device. If the lock is available, it will acquire it\nand reset the device. Otherwise, it will return -EAGAIN. If that happens,\nrecovery_work will fail with the error message "Recovery failed" as not\nmuch could be done.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01974

debian: CVE-2025-21951 was patched at 2025-04-12, 2025-04-23

161. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21959) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree(). BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline] BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 find_or_evict net/netfilter/nf_conncount.c:117 [inline] __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 count_tree net/netfilter/nf_conncount.c:438 [inline] nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 __netif_receive_skb_list net/core/dev.c:6035 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 xdp_recv_frames net/bpf/test_run.c:280 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171 insert_tree net/netfilter/nf_conncount.c:372 [inline] count_tree net/netfilter/nf_conncount.c:450 [inline] nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ip ---truncated---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()\n\nSince commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage\ncollection confirm race"), `cpu` and `jiffies32` were introduced to\nthe struct nf_conncount_tuple.\n\nThe commit made nf_conncount_add() initialize `conn->cpu` and\n`conn->jiffies32` when allocating the struct.\nIn contrast, count_tree() was not changed to initialize them.\n\nBy commit 34848d5c896e ("netfilter: nf_conncount: Split insert and\ntraversal"), count_tree() was split and the relevant allocation\ncode now resides in insert_tree().\nInitialize `conn->cpu` and `conn->jiffies32` in insert_tree().\n\nBUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]\nBUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n find_or_evict net/netfilter/nf_conncount.c:117 [inline]\n __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n count_tree net/netfilter/nf_conncount.c:438 [inline]\n nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669\n __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]\n __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983\n __netif_receive_skb_list net/core/dev.c:6035 [inline]\n netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126\n netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178\n xdp_recv_frames net/bpf/test_run.c:280 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316\n bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813\n __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]\n __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900\n ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358\n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4121 [inline]\n slab_alloc_node mm/slub.c:4164 [inline]\n kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171\n insert_tree net/netfilter/nf_conncount.c:372 [inline]\n count_tree net/netfilter/nf_conncount.c:450 [inline]\n nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ip\n---truncated---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21959 was patched at 2025-04-12, 2025-04-23

162. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21996) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()\n\nOn the off chance that command stream passed from userspace via\nioctl() call to radeon_vce_cs_parse() is weirdly crafted and\nfirst command to execute is to encode (case 0x03000001), the function\nin question will attempt to call radeon_vce_cs_reloc() with size\nargument that has not been properly initialized. Specifically, 'size'\nwill point to 'tmp' variable before the latter had a chance to be\nassigned any value.\n\nPlay it safe and init 'tmp' with 0, thus ensuring that\nradeon_vce_cs_reloc() will catch an early error in cases like these.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.\n\n(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03875

debian: CVE-2025-21996 was patched at 2025-04-12, 2025-04-23

163. Unknown Vulnerability Type - Linux Kernel (CVE-2025-22005) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().\n\nfib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything\nwhen it fails.\n\nCommit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh")\nmoved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()\nbut forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in\ncase it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.\n\nLet's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the\nerror path.\n\nNote that we can remove the fib6_nh_release() call in nh_create_ipv6()\nlater in net-next.git.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00013, EPSS Percentile is 0.01385

debian: CVE-2025-22005 was patched at 2025-04-12, 2025-04-23

164. Unknown Vulnerability Type - Linux Kernel (CVE-2025-22010) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... Call trace: hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2] hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2] hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2] alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2] hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x118/0x290 watchdog: BUG: soft lockup - CPU#35 stuck for 23s! ... Call trace: hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2] mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2] hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2] alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2] hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x120/0x2bc Add a cond_resched() to fix soft lockup during these loops. In order not to affect the allocation performance of normal-size buffer, set the loop count of a 100GB MR as the threshold to call cond_resched().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup during bt pages loop\n\nDriver runs a for-loop when allocating bt pages and mapping them with\nbuffer pages. When a large buffer (e.g. MR over 100GB) is being allocated,\nit may require a considerable loop count. This will lead to soft lockup:\n\n watchdog: BUG: soft lockup - CPU#27 stuck for 22s!\n ...\n Call trace:\n hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2]\n hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2]\n hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2]\n alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2]\n hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2]\n ib_uverbs_reg_mr+0x118/0x290\n\n watchdog: BUG: soft lockup - CPU#35 stuck for 23s!\n ...\n Call trace:\n hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2]\n mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2]\n hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2]\n alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2]\n hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2]\n ib_uverbs_reg_mr+0x120/0x2bc\n\nAdd a cond_resched() to fix soft lockup during these loops. In order not\nto affect the allocation performance of normal-size buffer, set the loop\ncount of a 100GB MR as the threshold to call cond_resched().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.01109

debian: CVE-2025-22010 was patched at 2025-04-12, 2025-04-23

165. Unknown Vulnerability Type - Linux Kernel (CVE-2025-22014) - Medium [221]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d\\n", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: Fix the potential deadlock\n\nWhen some client process A call pdr_add_lookup() to add the look up for\nthe service and does schedule locator work, later a process B got a new\nserver packet indicating locator is up and call pdr_locator_new_server()\nwhich eventually sets pdr->locator_init_complete to true which process A\nsees and takes list lock and queries domain list but it will timeout due\nto deadlock as the response will queued to the same qmi->wq and it is\nordered workqueue and process B is not able to complete new server\nrequest work due to deadlock on list lock.\n\nFix it by removing the unnecessary list iteration as the list iteration\nis already being done inside locator work, so avoid it here and just\ncall schedule_work() here.\n\n Process A Process B\n\n process_scheduled_works()\npdr_add_lookup() qmi_data_ready_work()\n process_scheduled_works() pdr_locator_new_server()\n pdr->locator_init_complete=true;\n pdr_locator_work()\n mutex_lock(&pdr->list_lock);\n\n pdr_locate_service() mutex_lock(&pdr->list_lock);\n\n pdr_get_domain_list()\n pr_err("PDR: %s get domain list\n txn wait failed: %d\\n",\n req->service_name,\n ret);\n\nTimeout error log due to deadlock:\n\n"\n PDR: tms/servreg get domain list txn wait failed: -110\n PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110\n"\n\nThanks to Bjorn and Johan for letting me know that this commit also fixes\nan audio regression when using the in-kernel pd-mapper as that makes it\neasier to hit this race. [1]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.610CVSS Base Score is 5.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00012, EPSS Percentile is 0.01109

debian: CVE-2025-22014 was patched at 2025-04-12, 2025-04-23

166. Denial of Service - Unknown Product (CVE-2025-27144) - Medium [220]

Description: {'nvd_cve_data_all': 'Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.710CVSS Base Score is 6.6. According to Vulners data source
EPSS Percentile0.110EPSS Probability is 0.00026, EPSS Percentile is 0.05577

redhat: CVE-2025-27144 was patched at 2025-03-25, 2025-03-27, 2025-04-03

167. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21943) - Medium [209]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems: #!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait Starting with the following warning, several kinds of warnings will appear and the system may become unstable: ------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: <TASK> ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: aggregator: protect driver attr handlers against module unload\n\nBoth new_device_store and delete_device_store touch module global\nresources (e.g. gpio_aggregator_lock). To prevent race conditions with\nmodule unload, a reference needs to be held.\n\nAdd try_module_get() in these handlers.\n\nFor new_device_store, this eliminates what appears to be the most dangerous\nscenario: if an id is allocated from gpio_aggregator_idr but\nplatform_device_register has not yet been called or completed, a concurrent\nmodule unload could fail to unregister/delete the device, leaving behind a\ndangling platform device/GPIO forwarder. This can result in various issues.\nThe following simple reproducer demonstrates these problems:\n\n #!/bin/bash\n while :; do\n # note: whether 'gpiochip0 0' exists or not does not matter.\n echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device\n done &\n while :; do\n modprobe gpio-aggregator\n modprobe -r gpio-aggregator\n done &\n wait\n\n Starting with the following warning, several kinds of warnings will appear\n and the system may become unstable:\n\n ------------[ cut here ]------------\n list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100)\n WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120\n [...]\n RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120\n [...]\n Call Trace:\n <TASK>\n ? __list_del_entry_valid_or_report+0xa3/0x120\n ? __warn.cold+0x93/0xf2\n ? __list_del_entry_valid_or_report+0xa3/0x120\n ? report_bug+0xe6/0x170\n ? __irq_work_queue_local+0x39/0xe0\n ? handle_bug+0x58/0x90\n ? exc_invalid_op+0x13/0x60\n ? asm_exc_invalid_op+0x16/0x20\n ? __list_del_entry_valid_or_report+0xa3/0x120\n gpiod_remove_lookup_table+0x22/0x60\n new_device_store+0x315/0x350 [gpio_aggregator]\n kernfs_fop_write_iter+0x137/0x1f0\n vfs_write+0x262/0x430\n ksys_write+0x60/0xd0\n do_syscall_64+0x6c/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n </TASK>\n ---[ end trace 0000000000000000 ]---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.510CVSS Base Score is 4.7. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00015, EPSS Percentile is 0.01974

debian: CVE-2025-21943 was patched at 2025-04-12, 2025-04-23

168. Information Disclosure - Unknown Product (CVE-2025-32700) - Medium [207]

Description: {'nvd_cve_data_all': 'Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php. This issue affects AbuseFilter: from >= 1.43.0 before 1.43.1.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php.\n\nThis issue affects AbuseFilter: from >= 1.43.0 before 1.43.1.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.8315Information Disclosure
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00083, EPSS Percentile is 0.2534

debian: CVE-2025-32700 was patched at 2025-04-13, 2025-04-23

169. Unknown Vulnerability Type - Libsoup (CVE-2025-32052) - Medium [207]

Description: {'nvd_cve_data_all': 'A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.614libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00049, EPSS Percentile is 0.15061

debian: CVE-2025-32052 was patched at 2025-04-23

ubuntu: CVE-2025-32052 was patched at 2025-04-10

170. Unknown Vulnerability Type - Libsoup (CVE-2025-32053) - Medium [207]

Description: {'nvd_cve_data_all': 'A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.614libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
CVSS Base Score0.710CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile0.210EPSS Probability is 0.00049, EPSS Percentile is 0.15061

debian: CVE-2025-32053 was patched at 2025-04-23

ubuntu: CVE-2025-32053 was patched at 2025-04-10

171. Cross Site Scripting - Unknown Product (CVE-2024-53986) - Medium [202]

Description: {'nvd_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math" and "style" elements are both explicitly allowed. This vulnerability is fixed in 1.6.1.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math" and "style" elements are both explicitly allowed. This vulnerability is fixed in 1.6.1.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00113, EPSS Percentile is 0.31208

redos: CVE-2024-53986 was patched at 2025-04-02

172. Cross Site Scripting - Unknown Product (CVE-2024-53987) - Medium [202]

Description: {'nvd_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "style" element is explicitly allowed and the "svg" or "math" element is not allowed. This vulnerability is fixed in 1.6.1.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "style" element is explicitly allowed and the "svg" or "math" element is not allowed. This vulnerability is fixed in 1.6.1.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00113, EPSS Percentile is 0.31208

redos: CVE-2024-53987 was patched at 2025-04-02

173. Cross Site Scripting - Unknown Product (CVE-2024-53988) - Medium [202]

Description: {'nvd_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math", "mtext", "table", and "style" elements are allowed and either either "mglyph" or "malignmark" are allowed. This vulnerability is fixed in 1.6.1.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math", "mtext", "table", and "style" elements are allowed and either either "mglyph" or "malignmark" are allowed. This vulnerability is fixed in 1.6.1.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00113, EPSS Percentile is 0.31208

redos: CVE-2024-53988 was patched at 2025-04-02

174. Cross Site Scripting - Unknown Product (CVE-2024-53989) - Medium [202]

Description: {'nvd_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags for the the "noscript" element. This vulnerability is fixed in 1.6.1.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags for the the "noscript" element. This vulnerability is fixed in 1.6.1.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.815Cross Site Scripting
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.210CVSS Base Score is 2.3. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00113, EPSS Percentile is 0.31208

redos: CVE-2024-53989 was patched at 2025-04-02

Low (77)

175. Unknown Vulnerability Type - MediaWiki (CVE-2025-32699) - Low [176]

Description: {'nvd_cve_data_all': 'Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.714MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
CVSS Base Score0.210CVSS Base Score is 2.1. According to Vulners data source
EPSS Percentile0.310EPSS Probability is 0.00093, EPSS Percentile is 0.27492

debian: CVE-2025-32699 was patched at 2025-04-13, 2025-04-23

176. Unknown Vulnerability Type - Linux Kernel (CVE-2024-58090) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: sched/core: Prevent rescheduling when interrupts are disabled David reported a warning observed while loop testing kexec jump: Interrupts enabled after irqrouter_resume+0x0/0x50 WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220 kernel_kexec+0xf6/0x180 __do_sys_reboot+0x206/0x250 do_syscall_64+0x95/0x180 The corresponding interrupt flag trace: hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90 hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90 That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler: __cond_resched+0x21/0x60 down_timeout+0x18/0x60 acpi_os_wait_semaphore+0x4c/0x80 acpi_ut_acquire_mutex+0x3d/0x100 acpi_ns_get_node+0x27/0x60 acpi_ns_evaluate+0x1cb/0x2d0 acpi_rs_set_srs_method_data+0x156/0x190 acpi_pci_link_set+0x11c/0x290 irqrouter_resume+0x54/0x60 syscore_resume+0x6a/0x200 kernel_kexec+0x145/0x1c0 __do_sys_reboot+0xeb/0x240 do_syscall_64+0x95/0x180 This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end. Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time. The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account. Cure the problem by adding a corresponding check into cond_resched().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Prevent rescheduling when interrupts are disabled\n\nDavid reported a warning observed while loop testing kexec jump:\n\n Interrupts enabled after irqrouter_resume+0x0/0x50\n WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220\n kernel_kexec+0xf6/0x180\n __do_sys_reboot+0x206/0x250\n do_syscall_64+0x95/0x180\n\nThe corresponding interrupt flag trace:\n\n hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90\n hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90\n\nThat means __up_console_sem() was invoked with interrupts enabled. Further\ninstrumentation revealed that in the interrupt disabled section of kexec\njump one of the syscore_suspend() callbacks woke up a task, which set the\nNEED_RESCHED flag. A later callback in the resume path invoked\ncond_resched() which in turn led to the invocation of the scheduler:\n\n __cond_resched+0x21/0x60\n down_timeout+0x18/0x60\n acpi_os_wait_semaphore+0x4c/0x80\n acpi_ut_acquire_mutex+0x3d/0x100\n acpi_ns_get_node+0x27/0x60\n acpi_ns_evaluate+0x1cb/0x2d0\n acpi_rs_set_srs_method_data+0x156/0x190\n acpi_pci_link_set+0x11c/0x290\n irqrouter_resume+0x54/0x60\n syscore_resume+0x6a/0x200\n kernel_kexec+0x145/0x1c0\n __do_sys_reboot+0xeb/0x240\n do_syscall_64+0x95/0x180\n\nThis is a long standing problem, which probably got more visible with\nthe recent printk changes. Something does a task wakeup and the\nscheduler sets the NEED_RESCHED flag. cond_resched() sees it set and\ninvokes schedule() from a completely bogus context. The scheduler\nenables interrupts after context switching, which causes the above\nwarning at the end.\n\nQuite some of the code paths in syscore_suspend()/resume() can result in\ntriggering a wakeup with the exactly same consequences. They might not\nhave done so yet, but as they share a lot of code with normal operations\nit's just a question of time.\n\nThe problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling\nmodels. Full preemption is not affected as cond_resched() is disabled and\nthe preemption check preemptible() takes the interrupt disabled flag into\naccount.\n\nCure the problem by adding a corresponding check into cond_resched().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00061, EPSS Percentile is 0.19332

debian: CVE-2024-58090 was patched at 2025-04-12, 2025-04-23

177. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21871) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application. Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would. This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix supplicant wait loop\n\nOP-TEE supplicant is a user-space daemon and it's possible for it\nbe hung or crashed or killed in the middle of processing an OP-TEE\nRPC call. It becomes more complicated when there is incorrect shutdown\nordering of the supplicant process vs the OP-TEE client application which\ncan eventually lead to system hang-up waiting for the closure of the\nclient application.\n\nAllow the client process waiting in kernel for supplicant response to\nbe killed rather than indefinitely waiting in an unkillable state. Also,\na normal uninterruptible wait should not have resulted in the hung-task\nwatchdog getting triggered, but the endless loop would.\n\nThis fixes issues observed during system reboot/shutdown when supplicant\ngot hung for some reason or gets crashed/killed which lead to client\ngetting hung in an unkillable state. It in turn lead to system being in\nhung up state requiring hard power off/on to recover.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00061, EPSS Percentile is 0.19332

debian: CVE-2025-21871 was patched at 2025-04-12, 2025-04-23

178. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21875) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Modules linked in:\n CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:733\n ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n ___sys_sendmsg net/socket.c:2627 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2659\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7e9998cde9\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00061, EPSS Percentile is 0.19332

debian: CVE-2025-21875 was patched at 2025-04-12, 2025-04-23

179. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21878) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset. Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer. Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only. Here is the soft lockup log. [ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [ 28.183351] Modules linked in: [ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 28.208128] pc : __do_softirq+0xb0/0x368 [ 28.212055] lr : __do_softirq+0x70/0x368 [ 28.215972] sp : ffffff8035ebca00 [ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198 [ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [ 28.290611] Call trace: [ 28.293052] __do_softirq+0xb0/0x368 [ 28.296625] __irq_exit_rcu+0xe0/0x100 [ 28.300374] irq_exit+0x14/0x20 [ 28.303513] handle_domain_irq+0x68/0x90 [ 28.307440] gic_handle_irq+0x78/0xb0 [ 28.311098] call_on_irq_stack+0x20/0x38 [ 28.315019] do_interrupt_handler+0x54/0x5c [ 28.319199] el1_interrupt+0x2c/0x4c [ 28.322777] el1h_64_irq_handler+0x14/0x20 [ 28.326872] el1h_64_irq+0x74/0x78 [ 28.330269] __setup_irq+0x454/0x780 [ 28.333841] request_threaded_irq+0xd0/0x1b4 [ 28.338107] devm_request_threaded_irq+0x84/0x100 [ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0 [ 28.346990] platform_probe+0x6c/0xc4 [ 28.350653] really_probe+0xcc/0x45c [ 28.354227] __driver_probe_device+0x8c/0x160 [ 28.358578] driver_probe_device+0x44/0xe0 [ 28.362670] __driver_attach+0x124/0x1d0 [ 28.366589] bus_for_each_dev+0x7c/0xe0 [ 28.370426] driver_attach+0x28/0x30 [ 28.373997] bus_add_driver+0x124/0x240 [ 28.377830] driver_register+0x7c/0x124 [ 28.381662] __platform_driver_register+0x2c/0x34 [ 28.386362] npcm_i2c_init+0x3c/0x5c [ 28.389937] do_one_initcall+0x74/0x230 [ 28.393768] kernel_init_freeable+0x24c/0x2b4 [ 28.398126] kernel_init+0x28/0x130 [ 28.401614] ret_from_fork+0x10/0x20 [ 28.405189] Kernel panic - not syncing: softlockup: hung tasks [ 28.411011] SMP: stopping secondary CPUs [ 28.414933] Kernel Offset: disabled [ 28.418412] CPU features: 0x00000000,00000802 [ 28.427644] Rebooting in 20 seconds..', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine reboots in the middle of the i2c transaction, the i2c\nmodule keeps the status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine is doing a warm rebooting.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[ 28.183351] Modules linked in:\n[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 28.208128] pc : __do_softirq+0xb0/0x368\n[ 28.212055] lr : __do_softirq+0x70/0x368\n[ 28.215972] sp : ffffff8035ebca00\n[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[ 28.290611] Call trace:\n[ 28.293052] __do_softirq+0xb0/0x368\n[ 28.296625] __irq_exit_rcu+0xe0/0x100\n[ 28.300374] irq_exit+0x14/0x20\n[ 28.303513] handle_domain_irq+0x68/0x90\n[ 28.307440] gic_handle_irq+0x78/0xb0\n[ 28.311098] call_on_irq_stack+0x20/0x38\n[ 28.315019] do_interrupt_handler+0x54/0x5c\n[ 28.319199] el1_interrupt+0x2c/0x4c\n[ 28.322777] el1h_64_irq_handler+0x14/0x20\n[ 28.326872] el1h_64_irq+0x74/0x78\n[ 28.330269] __setup_irq+0x454/0x780\n[ 28.333841] request_threaded_irq+0xd0/0x1b4\n[ 28.338107] devm_request_threaded_irq+0x84/0x100\n[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0\n[ 28.346990] platform_probe+0x6c/0xc4\n[ 28.350653] really_probe+0xcc/0x45c\n[ 28.354227] __driver_probe_device+0x8c/0x160\n[ 28.358578] driver_probe_device+0x44/0xe0\n[ 28.362670] __driver_attach+0x124/0x1d0\n[ 28.366589] bus_for_each_dev+0x7c/0xe0\n[ 28.370426] driver_attach+0x28/0x30\n[ 28.373997] bus_add_driver+0x124/0x240\n[ 28.377830] driver_register+0x7c/0x124\n[ 28.381662] __platform_driver_register+0x2c/0x34\n[ 28.386362] npcm_i2c_init+0x3c/0x5c\n[ 28.389937] do_one_initcall+0x74/0x230\n[ 28.393768] kernel_init_freeable+0x24c/0x2b4\n[ 28.398126] kernel_init+0x28/0x130\n[ 28.401614] ret_from_fork+0x10/0x20\n[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[ 28.411011] SMP: stopping secondary CPUs\n[ 28.414933] Kernel Offset: disabled\n[ 28.418412] CPU features: 0x00000000,00000802\n[ 28.427644] Rebooting in 20 seconds..', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00061, EPSS Percentile is 0.19332

debian: CVE-2025-21878 was patched at 2025-04-12, 2025-04-23

180. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21909) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing that bit. Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with other flags. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject cooked mode if it is set along with other flags\n\nIt is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE\nflags simultaneously on the same monitor interface from the userspace. This\ncauses a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit\nset because the monitor interface is in the cooked state and it takes\nprecedence over all other states. When the interface is then being deleted\nthe kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing\nthat bit.\n\nFix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with\nother flags.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21909 was patched at 2025-04-12, 2025-04-23

181. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21910) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: regulatory: improve invalid hints checking\n\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\nsent from userspace get through into user_alpha2[] via\nregulatory_hint_user() call. Such invalid regulatory hints should be\nrejected.\n\nWhile a sanity check from commit 47caf685a685 ("cfg80211: regulatory:\nreject invalid hints") looks to be enough to deter these very cases,\nthere is a way to get around it due to 2 reasons.\n\n1) The way isalpha() works, symbols other than latin lower and\nupper letters may be used to determine a country/domain.\nFor instance, greek letters will also be considered upper/lower\nletters and for such characters isalpha() will return true as well.\nHowever, ISO-3166-1 alpha2 codes should only hold latin\ncharacters.\n\n2) While processing a user regulatory request, between\nreg_process_hint_user() and regulatory_hint_user() there happens to\nbe a call to queue_regulatory_request() which modifies letters in\nrequest->alpha2[] with toupper(). This works fine for latin symbols,\nless so for weird letter characters from the second part of _ctype[].\n\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\nover an unexpected non-latin letter that gets malformed by toupper()\ninto a character that ends up failing isalpha() check.\n\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\nsymbols are latin letters and nothing else.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nUnexpected user alpha2: A�\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\nModules linked in:\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_power_efficient crda_timeout_work\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\n...\nCall Trace:\n <TASK>\n crda_timeout_work+0x27/0x50 net/wireless/reg.c:542\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21910 was patched at 2025-04-12, 2025-04-23

182. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21914) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: slimbus: messaging: Free transaction ID in delayed interrupt scenario In case of interrupt delay for any reason, slim_do_transfer() returns timeout error but the transaction ID (TID) is not freed. This results into invalid memory access inside qcom_slim_ngd_rx_msgq_cb() due to invalid TID. Fix the issue by freeing the TID in slim_do_transfer() before returning timeout error to avoid invalid memory access. Call trace: __memcpy_fromio+0x20/0x190 qcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl] vchan_complete+0x2a0/0x4a0 tasklet_action_common+0x274/0x700 tasklet_action+0x28/0x3c _stext+0x188/0x620 run_ksoftirqd+0x34/0x74 smpboot_thread_fn+0x1d8/0x464 kthread+0x178/0x238 ret_from_fork+0x10/0x20 Code: aa0003e8 91000429 f100044a 3940002b (3800150b) ---[ end trace 0fe00bec2b975c99 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: messaging: Free transaction ID in delayed interrupt scenario\n\nIn case of interrupt delay for any reason, slim_do_transfer()\nreturns timeout error but the transaction ID (TID) is not freed.\nThis results into invalid memory access inside\nqcom_slim_ngd_rx_msgq_cb() due to invalid TID.\n\nFix the issue by freeing the TID in slim_do_transfer() before\nreturning timeout error to avoid invalid memory access.\n\nCall trace:\n__memcpy_fromio+0x20/0x190\nqcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl]\nvchan_complete+0x2a0/0x4a0\ntasklet_action_common+0x274/0x700\ntasklet_action+0x28/0x3c\n_stext+0x188/0x620\nrun_ksoftirqd+0x34/0x74\nsmpboot_thread_fn+0x1d8/0x464\nkthread+0x178/0x238\nret_from_fork+0x10/0x20\nCode: aa0003e8 91000429 f100044a 3940002b (3800150b)\n---[ end trace 0fe00bec2b975c99 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21914 was patched at 2025-04-12, 2025-04-23

183. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21916) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix a flaw in existing endpoint checks Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well. Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing. [1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline] cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396 really_probe+0x2b9/0xad0 drivers/base/dd.c:658 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800 driver_probe_device+0x50/0x430 drivers/base/dd.c:830 ...', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix a flaw in existing endpoint checks\n\nSyzbot once again identified a flaw in usb endpoint checking, see [1].\nThis time the issue stems from a commit authored by me (2eabb655a968\n("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).\n\nWhile using usb_find_common_endpoints() may usually be enough to\ndiscard devices with wrong endpoints, in this case one needs more\nthan just finding and identifying the sufficient number of endpoints\nof correct types - one needs to check the endpoint's address as well.\n\nSince cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind,\nswitch the endpoint verification approach to usb_check_XXX_endpoints()\ninstead to fix incomplete ep testing.\n\n[1] Syzbot report:\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nRIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649\n cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]\n cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223\n usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058\n cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377\n usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396\n really_probe+0x2b9/0xad0 drivers/base/dd.c:658\n __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800\n driver_probe_device+0x50/0x430 drivers/base/dd.c:830\n...', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21916 was patched at 2025-04-12, 2025-04-23

184. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21924) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error\n\nDuring the initialization of ptp, hclge_ptp_get_cycle might return an error\nand returned directly without unregister clock and free it. To avoid that,\ncall hclge_ptp_destroy_clock to unregist and free clock if\nhclge_ptp_get_cycle failed.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21924 was patched at 2025-04-12, 2025-04-23

185. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21926) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)\n RIP: 0010:ip_rcv_core+0x8b2/0xca0\n Call Trace:\n ip_rcv+0xab/0x6e0\n __netif_receive_skb_one_core+0x168/0x1b0\n process_backlog+0x384/0x1100\n __napi_poll.constprop.0+0xa1/0x370\n net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n goes through queue_gso_packets and then __udp_gso_segment, where its\n destructor is removed.\n2. The segments' data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21926 was patched at 2025-04-12, 2025-04-23

186. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21935) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: add check for rio_add_net() in rio_scan_alloc_net()\n\nThe return value of rio_add_net() should be checked. If it fails,\nput_device() should be called to free the memory and give up the reference\ninitialized in rio_add_net().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21935 was patched at 2025-04-12, 2025-04-23

187. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21950) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl\n\nIn the "pmcmd_ioctl" function, three memory objects allocated by\nkmalloc are initialized by "hcall_get_cpu_state", which are then\ncopied to user space. The initializer is indeed implemented in\n"acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of\ninformation leakage due to uninitialized bytes.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21950 was patched at 2025-04-12, 2025-04-23

188. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21956) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign normalized_pix_clk when color depth = 14\n\n[WHY & HOW]\nA warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397\ncalculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the\ndisplay_color_depth == COLOR_DEPTH_141414 is not handled. This is\nobserved in Radeon RX 6600 XT.\n\nIt is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.\n\nAlso fixes the indentation in get_norm_pix_clk.\n\n(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21956 was patched at 2025-04-12, 2025-04-23

189. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21970) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK>', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Bridge, fix the crash caused by LAG state check\n\nWhen removing LAG device from bridge, NETDEV_CHANGEUPPER event is\ntriggered. Driver finds the lower devices (PFs) to flush all the\noffloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns\nfalse if one of PF is unloaded. In such case,\nmlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of\nthe alive PF, and the flush is skipped.\n\nBesides, the bridge fdb entry's lastuse is updated in mlx5 bridge\nevent handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be\nignored in this case because the upper interface for bond is deleted,\nand the entry will never be aged because lastuse is never updated.\n\nTo make things worse, as the entry is alive, mlx5 bridge workqueue\nkeeps sending that event, which is then handled by kernel bridge\nnotifier. It causes the following crash when accessing the passed bond\nnetdev which is already destroyed.\n\nTo fix this issue, remove such checks. LAG state is already checked in\ncommit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding\nbond to bridge"), driver still need to skip offload if LAG becomes\ninvalid state after initialization.\n\n Oops: stack segment: 0000 [#1] SMP\n CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]\n RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]\n Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7\n RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297\n RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff\n RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0\n RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60\n R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n <TASK>\n ? __die_body+0x1a/0x60\n ? die+0x38/0x60\n ? do_trap+0x10b/0x120\n ? do_error_trap+0x64/0xa0\n ? exc_stack_segment+0x33/0x50\n ? asm_exc_stack_segment+0x22/0x30\n ? br_switchdev_event+0x2c/0x110 [bridge]\n ? sched_balance_newidle.isra.149+0x248/0x390\n notifier_call_chain+0x4b/0xa0\n atomic_notifier_call_chain+0x16/0x20\n mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]\n mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]\n process_scheduled_works+0x81/0x390\n worker_thread+0x106/0x250\n ? bh_worker+0x110/0x110\n kthread+0xb7/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n </TASK>', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21970 was patched at 2025-04-12, 2025-04-23

190. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21971) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21971 was patched at 2025-04-12, 2025-04-23

191. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21992) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff Add this device to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nHID: ignore non-functional sensor in HP 5MP Camera\n\nThe HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that\nis not actually implemented. Attempting to access this non-functional\nsensor via iio_info causes system hangs as runtime PM tries to wake up\nan unresponsive sensor.\n\n [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff\n [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff\n\nAdd this device to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00069, EPSS Percentile is 0.21825

debian: CVE-2025-21992 was patched at 2025-04-12, 2025-04-23

192. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21994) - Low [173]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix incorrect validation for num_aces field of smb_acl\n\nparse_dcal() validate num_aces to allocate posix_ace_state_array.\n\nif (num_aces > ULONG_MAX / sizeof(struct smb_ace *))\n\nIt is an incorrect validation that we can create an array of size ULONG_MAX.\nsmb_acl has ->size field to calculate actual number of aces in request buffer\nsize. Use this to check invalid num_aces.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.210EPSS Probability is 0.00056, EPSS Percentile is 0.17498

debian: CVE-2025-21994 was patched at 2025-04-12, 2025-04-23

193. Denial of Service - Unknown Product (CVE-2025-31160) - Low [172]

Description: {'nvd_cve_data_all': 'atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.310CVSS Base Score is 2.9. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00046, EPSS Percentile is 0.13644

debian: CVE-2025-31160 was patched at 2025-04-03, 2025-04-23

194. Denial of Service - Unknown Product (CVE-2025-32364) - Low [172]

Description: {'nvd_cve_data_all': 'A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.410CVSS Base Score is 4.0. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.0273

debian: CVE-2025-32364 was patched at 2025-04-23

ubuntu: CVE-2025-32364 was patched at 2025-04-08, 2025-04-09

195. Unknown Vulnerability Type - Linux Kernel (CVE-2024-41932) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: sched: fix warning in sched_setaffinity Commit 8f9ea86fdf99b added some logic to sched_setaffinity that included a WARN when a per-task affinity assignment races with a cpuset update. Specifically, we can have a race where a cpuset update results in the task affinity no longer being a subset of the cpuset. That's fine; we have a fallback to instead use the cpuset mask. However, we have a WARN set up that will trigger if the cpuset mask has no overlap at all with the requested task affinity. This shouldn't be a warning condition; its trivial to create this condition. Reproduced the warning by the following setup: - $PID inside a cpuset cgroup - another thread repeatedly switching the cpuset cpus from 1-2 to just 1 - another thread repeatedly setting the $PID affinity (via taskset) to 2', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nsched: fix warning in sched_setaffinity\n\nCommit 8f9ea86fdf99b added some logic to sched_setaffinity that included\na WARN when a per-task affinity assignment races with a cpuset update.\n\nSpecifically, we can have a race where a cpuset update results in the\ntask affinity no longer being a subset of the cpuset. That's fine; we\nhave a fallback to instead use the cpuset mask. However, we have a WARN\nset up that will trigger if the cpuset mask has no overlap at all with\nthe requested task affinity. This shouldn't be a warning condition; its\ntrivial to create this condition.\n\nReproduced the warning by the following setup:\n\n- $PID inside a cpuset cgroup\n- another thread repeatedly switching the cpuset cpus from 1-2 to just 1\n- another thread repeatedly setting the $PID affinity (via taskset) to 2', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-41932 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

196. Unknown Vulnerability Type - Linux Kernel (CVE-2024-48876) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: stackdepot: fix stack_depot_save_flags() in NMI context Per documentation, stack_depot_save_flags() was meant to be usable from NMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset. However, it still would try to take the pool_lock in an attempt to save a stack trace in the current pool (if space is available). This could result in deadlock if an NMI is handled while pool_lock is already held. To avoid deadlock, only try to take the lock in NMI context and give up if unsuccessful. The documentation is fixed to clearly convey this.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nstackdepot: fix stack_depot_save_flags() in NMI context\n\nPer documentation, stack_depot_save_flags() was meant to be usable from\nNMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset. However, it still\nwould try to take the pool_lock in an attempt to save a stack trace in the\ncurrent pool (if space is available).\n\nThis could result in deadlock if an NMI is handled while pool_lock is\nalready held. To avoid deadlock, only try to take the lock in NMI context\nand give up if unsuccessful.\n\nThe documentation is fixed to clearly convey this.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-48876 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

197. Unknown Vulnerability Type - Linux Kernel (CVE-2024-53681) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size of the string. Create a new string with kstrndup instead of using the old buffer.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Don't overflow subsysnqn\n\nnvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed\nsize buffer, even though it is dynamically allocated to the size of the\nstring.\n\nCreate a new string with kstrndup instead of using the old buffer.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-53681 was patched at 2025-03-27, 2025-04-01

198. Unknown Vulnerability Type - Linux Kernel (CVE-2024-53682) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: regulator: axp20x: AXP717: set ramp_delay AXP717 datasheet says that regulator ramp delay is 15.625 us/step, which is 10mV in our case. Add a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to expand to AXP_DESC_RANGES_DELAY with ramp_delay = 0 For DCDC4, steps is 100mv Add a AXP_DESC_DELAY macro and update AXP_DESC macro to expand to AXP_DESC_DELAY with ramp_delay = 0 This patch fix crashes when using CPU DVFS.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: axp20x: AXP717: set ramp_delay\n\nAXP717 datasheet says that regulator ramp delay is 15.625 us/step,\nwhich is 10mV in our case.\n\nAdd a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to\nexpand to AXP_DESC_RANGES_DELAY with ramp_delay = 0\n\nFor DCDC4, steps is 100mv\n\nAdd a AXP_DESC_DELAY macro and update AXP_DESC macro to\nexpand to AXP_DESC_DELAY with ramp_delay = 0\n\nThis patch fix crashes when using CPU DVFS.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-53682 was patched at 2025-03-27, 2025-04-01

199. Unknown Vulnerability Type - Linux Kernel (CVE-2024-54193) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal() Move pm_runtime_set_active() to ivpu_pm_init() so when ivpu_ipc_send_receive_internal() is executed before ivpu_pm_enable() it already has correct runtime state, even if last resume was not successful.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal()\n\nMove pm_runtime_set_active() to ivpu_pm_init() so when\nivpu_ipc_send_receive_internal() is executed before ivpu_pm_enable()\nit already has correct runtime state, even if last resume was\nnot successful.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-54193 was patched at 2025-03-27, 2025-04-01

200. Unknown Vulnerability Type - Linux Kernel (CVE-2024-54455) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix general protection fault in ivpu_bo_list() Check if ctx is not NULL before accessing its fields.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix general protection fault in ivpu_bo_list()\n\nCheck if ctx is not NULL before accessing its fields.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-54455 was patched at 2025-03-27, 2025-04-01

201. Unknown Vulnerability Type - Linux Kernel (CVE-2024-55639) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: renesas: rswitch: avoid use-after-put for a device tree node The device tree node saved in the rswitch_device structure is used at several driver locations. So passing this node to of_node_put() after the first use is wrong. Move of_node_put() for this node to exit paths.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: renesas: rswitch: avoid use-after-put for a device tree node\n\nThe device tree node saved in the rswitch_device structure is used at\nseveral driver locations. So passing this node to of_node_put() after\nthe first use is wrong.\n\nMove of_node_put() for this node to exit paths.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2024-55639 was patched at 2025-03-27, 2025-04-01

202. Unknown Vulnerability Type - Linux Kernel (CVE-2024-55641) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: xfs: unlock inodes when erroring out of xfs_trans_alloc_dir Debugging a filesystem patch with generic/475 caused the system to hang after observing the following sequences in dmesg: XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x491520 len 32 error 5 XFS (dm-0): metadata I/O error in "xfs_btree_read_buf_block+0xba/0x160 [xfs]" at daddr 0x3445608 len 8 error 5 XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x138e1c0 len 32 error 5 XFS (dm-0): log I/O error -5 XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311). Shutting down filesystem. XFS (dm-0): Please unmount the filesystem and rectify the problem(s) XFS (dm-0): Internal error dqp->q_ino.reserved < dqp->q_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c. Caller xfs_trans_dqresv+0x236/0x440 [xfs] XFS (dm-0): Corruption detected. Unmount and run xfs_repair XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7 The system is stuck in unmount trying to lock a couple of inodes so that they can be purged. The dquot corruption notice above is a clue to what happened -- a link() call tried to set up a transaction to link a child into a directory. Quota reservation for the transaction failed after IO errors shut down the filesystem, but then we forgot to unlock the inodes on our way out. Fix that.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: unlock inodes when erroring out of xfs_trans_alloc_dir\n\nDebugging a filesystem patch with generic/475 caused the system to hang\nafter observing the following sequences in dmesg:\n\n XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x491520 len 32 error 5\n XFS (dm-0): metadata I/O error in "xfs_btree_read_buf_block+0xba/0x160 [xfs]" at daddr 0x3445608 len 8 error 5\n XFS (dm-0): metadata I/O error in "xfs_imap_to_bp+0x61/0xe0 [xfs]" at daddr 0x138e1c0 len 32 error 5\n XFS (dm-0): log I/O error -5\n XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311). Shutting down filesystem.\n XFS (dm-0): Please unmount the filesystem and rectify the problem(s)\n XFS (dm-0): Internal error dqp->q_ino.reserved < dqp->q_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c. Caller xfs_trans_dqresv+0x236/0x440 [xfs]\n XFS (dm-0): Corruption detected. Unmount and run xfs_repair\n XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7\n\nThe system is stuck in unmount trying to lock a couple of inodes so that\nthey can be purged. The dquot corruption notice above is a clue to what\nhappened -- a link() call tried to set up a transaction to link a child\ninto a directory. Quota reservation for the transaction failed after IO\nerrors shut down the filesystem, but then we forgot to unlock the inodes\non our way out. Fix that.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-55641 was patched at 2025-03-27, 2025-04-01

203. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56368) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix overflow in __rb_map_vma An overflow occurred when performing the following calculation: nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; Add a check before the calculation to avoid this problem. syzbot reported this as a slab-out-of-bounds in __rb_map_vma: BUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836 CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138 tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482 call_mmap include/linux/fs.h:2183 [inline] mmap_file mm/internal.h:124 [inline] __mmap_new_file_vma mm/vma.c:2291 [inline] __mmap_new_vma mm/vma.c:2355 [inline] __mmap_region+0x1786/0x2670 mm/vma.c:2456 mmap_region+0x127/0x320 mm/mmap.c:1348 do_mmap+0xc00/0xfc0 mm/mmap.c:496 vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The reproducer for this bug is: ------------------------8<------------------------- #include <fcntl.h> #include <stdlib.h> #include <unistd.h> #include <asm/types.h> #include <sys/mman.h> int main(int argc, char **argv) { \tint page_size = getpagesize(); \tint fd; \tvoid *meta; \tsystem("echo 1 > /sys/kernel/tracing/buffer_size_kb"); \tfd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY); \tmeta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5); } ------------------------>8-------------------------', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix overflow in __rb_map_vma\n\nAn overflow occurred when performing the following calculation:\n\n nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff;\n\nAdd a check before the calculation to avoid this problem.\n\nsyzbot reported this as a slab-out-of-bounds in __rb_map_vma:\n\nBUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058\nRead of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836\n\nCPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:489\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058\n ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138\n tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482\n call_mmap include/linux/fs.h:2183 [inline]\n mmap_file mm/internal.h:124 [inline]\n __mmap_new_file_vma mm/vma.c:2291 [inline]\n __mmap_new_vma mm/vma.c:2355 [inline]\n __mmap_region+0x1786/0x2670 mm/vma.c:2456\n mmap_region+0x127/0x320 mm/mmap.c:1348\n do_mmap+0xc00/0xfc0 mm/mmap.c:496\n vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580\n ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542\n __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]\n __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]\n __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe reproducer for this bug is:\n\n------------------------8<-------------------------\n #include <fcntl.h>\n #include <stdlib.h>\n #include <unistd.h>\n #include <asm/types.h>\n #include <sys/mman.h>\n\n int main(int argc, char **argv)\n {\n\tint page_size = getpagesize();\n\tint fd;\n\tvoid *meta;\n\n\tsystem("echo 1 > /sys/kernel/tracing/buffer_size_kb");\n\tfd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);\n\n\tmeta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);\n }\n------------------------>8-------------------------', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-56368 was patched at 2025-03-27, 2025-04-01

204. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56372) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: tun: fix tun_napi_alloc_frags() syzbot reported the following crash [1] Issue came with the blamed commit. Instead of going through all the iov components, we keep using the first one and end up with a malformed skb. [1] kernel BUG at net/core/skbuff.c:2849 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848 Code: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90004cbef30 EFLAGS: 00010293 RAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00 RDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000 RBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c R10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50 R13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80 FS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284 tipc_aead_decrypt net/tipc/crypto.c:894 [inline] tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844 tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109 tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668 __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline] __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762 __netif_receive_skb_list net/core/dev.c:5814 [inline] netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905 gro_normal_list include/net/gro.h:515 [inline] napi_complete_done+0x2b5/0x870 net/core/dev.c:6256 napi_complete include/linux/netdevice.h:567 [inline] tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_writev+0x1b6/0x360 fs/read_write.c:1096 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: fix tun_napi_alloc_frags()\n\nsyzbot reported the following crash [1]\n\nIssue came with the blamed commit. Instead of going through\nall the iov components, we keep using the first one\nand end up with a malformed skb.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2849 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848\nCode: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffc90004cbef30 EFLAGS: 00010293\nRAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00\nRDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000\nRBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c\nR10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50\nR13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80\nFS: 00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284\n tipc_aead_decrypt net/tipc/crypto.c:894 [inline]\n tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844\n tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109\n tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668\n __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]\n __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762\n __netif_receive_skb_list net/core/dev.c:5814 [inline]\n netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905\n gro_normal_list include/net/gro.h:515 [inline]\n napi_complete_done+0x2b5/0x870 net/core/dev.c:6256\n napi_complete include/linux/netdevice.h:567 [inline]\n tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982\n tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057\n do_iter_readv_writev+0x600/0x880\n vfs_writev+0x376/0xba0 fs/read_write.c:1050\n do_writev+0x1b6/0x360 fs/read_write.c:1096\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2024-56372 was patched at 2025-03-27, 2025-04-01

205. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56550) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: s390/stacktrace: Use break instead of return statement arch_stack_walk_user_common() contains a return statement instead of a break statement in case store_ip() fails while trying to store a callchain entry of a user space process. This may lead to a missing pagefault_enable() call. If this happens any subsequent page fault of the process won't be resolved by the page fault handler and this in turn will lead to the process being killed. Use a break instead of a return statement to fix this.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ns390/stacktrace: Use break instead of return statement\n\narch_stack_walk_user_common() contains a return statement instead of a\nbreak statement in case store_ip() fails while trying to store a callchain\nentry of a user space process.\nThis may lead to a missing pagefault_enable() call.\n\nIf this happens any subsequent page fault of the process won't be resolved\nby the page fault handler and this in turn will lead to the process being\nkilled.\n\nUse a break instead of a return statement to fix this.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56550 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

206. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56552) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc_submit: fix race around suspend_pending Currently in some testcases we can trigger: xe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed! .... WARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe] xe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57 Looking at a snippet of corresponding ftrace for this GuC id we can see: 162.673311: xe_sched_msg_add: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673317: xe_sched_msg_recv: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3 162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674089: xe_exec_queue_kill: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0 162.674108: xe_exec_queue_close: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0 162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0 It looks like we try to suspend the queue (opcode=3), setting suspend_pending and triggering a disable_scheduling. The user then closes the queue. However the close will also forcefully signal the suspend fence after killing the queue, later when the G2H response for disable_scheduling comes back we have now cleared suspend_pending when signalling the suspend fence, so the disable_scheduling now incorrectly tries to also deregister the queue. This leads to warnings since the queue has yet to even be marked for destruction. We also seem to trigger errors later with trying to double unregister the same queue. To fix this tweak the ordering when handling the response to ensure we don't race with a disable_scheduling that didn't actually intend to perform an unregister. The destruction path should now also correctly wait for any pending_disable before marking as destroyed. (cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc_submit: fix race around suspend_pending\n\nCurrently in some testcases we can trigger:\n\nxe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed!\n....\nWARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe]\nxe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57\n\nLooking at a snippet of corresponding ftrace for this GuC id we can see:\n\n162.673311: xe_sched_msg_add: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673317: xe_sched_msg_recv: dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674089: xe_exec_queue_kill: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674108: xe_exec_queue_close: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0\n\nIt looks like we try to suspend the queue (opcode=3), setting\nsuspend_pending and triggering a disable_scheduling. The user then\ncloses the queue. However the close will also forcefully signal the\nsuspend fence after killing the queue, later when the G2H response for\ndisable_scheduling comes back we have now cleared suspend_pending when\nsignalling the suspend fence, so the disable_scheduling now incorrectly\ntries to also deregister the queue. This leads to warnings since the queue\nhas yet to even be marked for destruction. We also seem to trigger\nerrors later with trying to double unregister the same queue.\n\nTo fix this tweak the ordering when handling the response to ensure we\ndon't race with a disable_scheduling that didn't actually intend to\nperform an unregister. The destruction path should now also correctly\nwait for any pending_disable before marking as destroyed.\n\n(cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56552 was patched at 2025-03-27, 2025-04-01

207. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56559) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: combine all TLB flush operations of KASAN shadow virtual address into one operation When compiling kernel source 'make -j $(nproc)' with the up-and-running KASAN-enabled kernel on a 256-core machine, the following soft lockup is shown: watchdog: BUG: soft lockup - CPU#28 stuck for 22s! [kworker/28:1:1760] CPU: 28 PID: 1760 Comm: kworker/28:1 Kdump: loaded Not tainted 6.10.0-rc5 #95 Workqueue: events drain_vmap_area_work RIP: 0010:smp_call_function_many_cond+0x1d8/0xbb0 Code: 38 c8 7c 08 84 c9 0f 85 49 08 00 00 8b 45 08 a8 01 74 2e 48 89 f1 49 89 f7 48 c1 e9 03 41 83 e7 07 4c 01 e9 41 83 c7 03 f3 90 <0f> b6 01 41 38 c7 7c 08 84 c0 0f 85 d4 06 00 00 8b 45 08 a8 01 75 RSP: 0018:ffffc9000cb3fb60 EFLAGS: 00000202 RAX: 0000000000000011 RBX: ffff8883bc4469c0 RCX: ffffed10776e9949 RDX: 0000000000000002 RSI: ffff8883bb74ca48 RDI: ffffffff8434dc50 RBP: ffff8883bb74ca40 R08: ffff888103585dc0 R09: ffff8884533a1800 R10: 0000000000000004 R11: ffffffffffffffff R12: ffffed1077888d39 R13: dffffc0000000000 R14: ffffed1077888d38 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff8883bc400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005577b5c8d158 CR3: 0000000004850000 CR4: 0000000000350ef0 Call Trace: <IRQ> ? watchdog_timer_fn+0x2cd/0x390 ? __pfx_watchdog_timer_fn+0x10/0x10 ? __hrtimer_run_queues+0x300/0x6d0 ? sched_clock_cpu+0x69/0x4e0 ? __pfx___hrtimer_run_queues+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? ktime_get_update_offsets_now+0x7f/0x2a0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? hrtimer_interrupt+0x2ca/0x760 ? __sysvec_apic_timer_interrupt+0x8c/0x2b0 ? sysvec_apic_timer_interrupt+0x6a/0x90 </IRQ> <TASK> ? asm_sysvec_apic_timer_interrupt+0x16/0x20 ? smp_call_function_many_cond+0x1d8/0xbb0 ? __pfx_do_kernel_range_flush+0x10/0x10 on_each_cpu_cond_mask+0x20/0x40 flush_tlb_kernel_range+0x19b/0x250 ? srso_return_thunk+0x5/0x5f ? kasan_release_vmalloc+0xa7/0xc0 purge_vmap_node+0x357/0x820 ? __pfx_purge_vmap_node+0x10/0x10 __purge_vmap_area_lazy+0x5b8/0xa10 drain_vmap_area_work+0x21/0x30 process_one_work+0x661/0x10b0 worker_thread+0x844/0x10e0 ? srso_return_thunk+0x5/0x5f ? __kthread_parkme+0x82/0x140 ? __pfx_worker_thread+0x10/0x10 kthread+0x2a5/0x370 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Debugging Analysis: 1. The following ftrace log shows that the lockup CPU spends too much time iterating vmap_nodes and flushing TLB when purging vm_area structures. (Some info is trimmed). kworker: funcgraph_entry: | drain_vmap_area_work() { kworker: funcgraph_entry: | mutex_lock() { kworker: funcgraph_entry: 1.092 us | __cond_resched(); kworker: funcgraph_exit: 3.306 us | } ... ... kworker: funcgraph_entry: | flush_tlb_kernel_range() { ... ... kworker: funcgraph_exit: # 7533.649 us | } ... ... kworker: funcgraph_entry: 2.344 us | mutex_unlock(); kworker: funcgraph_exit: $ 23871554 us | } The drain_vmap_area_work() spends over 23 seconds. There are 2805 flush_tlb_kernel_range() calls in the ftrace log. * One is called in __purge_vmap_area_lazy(). * Others are called by purge_vmap_node->kasan_release_vmalloc. purge_vmap_node() iteratively releases kasan vmalloc allocations and flushes TLB for each vmap_area. - [Rough calculation] Each flush_tlb_kernel_range() runs about 7.5ms. -- 2804 * 7.5ms = 21.03 seconds. -- That's why a soft lock is triggered. 2. Extending the soft lockup time can work around the issue (For example, # echo ---truncated---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: combine all TLB flush operations of KASAN shadow virtual address into one operation\n\nWhen compiling kernel source 'make -j $(nproc)' with the up-and-running\nKASAN-enabled kernel on a 256-core machine, the following soft lockup is\nshown:\n\nwatchdog: BUG: soft lockup - CPU#28 stuck for 22s! [kworker/28:1:1760]\nCPU: 28 PID: 1760 Comm: kworker/28:1 Kdump: loaded Not tainted 6.10.0-rc5 #95\nWorkqueue: events drain_vmap_area_work\nRIP: 0010:smp_call_function_many_cond+0x1d8/0xbb0\nCode: 38 c8 7c 08 84 c9 0f 85 49 08 00 00 8b 45 08 a8 01 74 2e 48 89 f1 49 89 f7 48 c1 e9 03 41 83 e7 07 4c 01 e9 41 83 c7 03 f3 90 <0f> b6 01 41 38 c7 7c 08 84 c0 0f 85 d4 06 00 00 8b 45 08 a8 01 75\nRSP: 0018:ffffc9000cb3fb60 EFLAGS: 00000202\nRAX: 0000000000000011 RBX: ffff8883bc4469c0 RCX: ffffed10776e9949\nRDX: 0000000000000002 RSI: ffff8883bb74ca48 RDI: ffffffff8434dc50\nRBP: ffff8883bb74ca40 R08: ffff888103585dc0 R09: ffff8884533a1800\nR10: 0000000000000004 R11: ffffffffffffffff R12: ffffed1077888d39\nR13: dffffc0000000000 R14: ffffed1077888d38 R15: 0000000000000003\nFS: 0000000000000000(0000) GS:ffff8883bc400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005577b5c8d158 CR3: 0000000004850000 CR4: 0000000000350ef0\nCall Trace:\n <IRQ>\n ? watchdog_timer_fn+0x2cd/0x390\n ? __pfx_watchdog_timer_fn+0x10/0x10\n ? __hrtimer_run_queues+0x300/0x6d0\n ? sched_clock_cpu+0x69/0x4e0\n ? __pfx___hrtimer_run_queues+0x10/0x10\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get_update_offsets_now+0x7f/0x2a0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? hrtimer_interrupt+0x2ca/0x760\n ? __sysvec_apic_timer_interrupt+0x8c/0x2b0\n ? sysvec_apic_timer_interrupt+0x6a/0x90\n </IRQ>\n <TASK>\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? smp_call_function_many_cond+0x1d8/0xbb0\n ? __pfx_do_kernel_range_flush+0x10/0x10\n on_each_cpu_cond_mask+0x20/0x40\n flush_tlb_kernel_range+0x19b/0x250\n ? srso_return_thunk+0x5/0x5f\n ? kasan_release_vmalloc+0xa7/0xc0\n purge_vmap_node+0x357/0x820\n ? __pfx_purge_vmap_node+0x10/0x10\n __purge_vmap_area_lazy+0x5b8/0xa10\n drain_vmap_area_work+0x21/0x30\n process_one_work+0x661/0x10b0\n worker_thread+0x844/0x10e0\n ? srso_return_thunk+0x5/0x5f\n ? __kthread_parkme+0x82/0x140\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x2a5/0x370\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nDebugging Analysis:\n\n 1. The following ftrace log shows that the lockup CPU spends too much\n time iterating vmap_nodes and flushing TLB when purging vm_area\n structures. (Some info is trimmed).\n\n kworker: funcgraph_entry: | drain_vmap_area_work() {\n kworker: funcgraph_entry: | mutex_lock() {\n kworker: funcgraph_entry: 1.092 us | __cond_resched();\n kworker: funcgraph_exit: 3.306 us | }\n ... ...\n kworker: funcgraph_entry: | flush_tlb_kernel_range() {\n ... ...\n kworker: funcgraph_exit: # 7533.649 us | }\n ... ...\n kworker: funcgraph_entry: 2.344 us | mutex_unlock();\n kworker: funcgraph_exit: $ 23871554 us | }\n\n The drain_vmap_area_work() spends over 23 seconds.\n\n There are 2805 flush_tlb_kernel_range() calls in the ftrace log.\n * One is called in __purge_vmap_area_lazy().\n * Others are called by purge_vmap_node->kasan_release_vmalloc.\n purge_vmap_node() iteratively releases kasan vmalloc\n allocations and flushes TLB for each vmap_area.\n - [Rough calculation] Each flush_tlb_kernel_range() runs\n about 7.5ms.\n -- 2804 * 7.5ms = 21.03 seconds.\n -- That's why a soft lock is triggered.\n\n 2. Extending the soft lockup time can work around the issue (For example,\n # echo\n---truncated---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56559 was patched at 2025-03-27, 2025-04-01

208. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56563) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ceph: fix cred leak in ceph_mds_check_access() get_current_cred() increments the reference counter, but the put_cred() call was missing.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix cred leak in ceph_mds_check_access()\n\nget_current_cred() increments the reference counter, but the\nput_cred() call was missing.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56563 was patched at 2025-03-27, 2025-04-01

209. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56564) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ceph: pass cred pointer to ceph_mds_auth_match() This eliminates a redundant get_current_cred() call, because ceph_mds_check_access() has already obtained this pointer. As a side effect, this also fixes a reference leak in ceph_mds_auth_match(): by omitting the get_current_cred() call, no additional cred reference is taken.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nceph: pass cred pointer to ceph_mds_auth_match()\n\nThis eliminates a redundant get_current_cred() call, because\nceph_mds_check_access() has already obtained this pointer.\n\nAs a side effect, this also fixes a reference leak in\nceph_mds_auth_match(): by omitting the get_current_cred() call, no\nadditional cred reference is taken.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56564 was patched at 2025-03-27, 2025-04-01

210. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56573) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: efi/libstub: Free correct pointer on failure cmdline_ptr is an out parameter, which is not allocated by the function itself, and likely points into the caller's stack. cmdline refers to the pool allocation that should be freed when cleaning up after a failure, so pass this instead to free_pool().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nefi/libstub: Free correct pointer on failure\n\ncmdline_ptr is an out parameter, which is not allocated by the function\nitself, and likely points into the caller's stack.\n\ncmdline refers to the pool allocation that should be freed when cleaning\nup after a failure, so pass this instead to free_pool().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.10967

ubuntu: CVE-2024-56573 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

211. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56607) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask() When I try to manually set bitrates: iw wlan0 set bitrates legacy-2.4 1 I get sleeping from invalid context error, see below. Fix that by switching to use recently introduced ieee80211_iterate_stations_mtx(). Do note that WCN6855 firmware is still crashing, I'm not sure if that firmware even supports bitrate WMI commands and should we consider disabling ath12k_mac_op_set_bitrate_mask() for WCN6855? But that's for another patch. BUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 3 locks held by iw/2236: #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40 #1: ffff888138410810 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211] #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211] CPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0xa4/0xe0 dump_stack+0x10/0x20 __might_resched+0x363/0x5a0 ? __alloc_skb+0x165/0x340 __might_sleep+0xad/0x160 ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k] ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k] ? __netdev_alloc_skb+0x45/0x7b0 ? __asan_memset+0x39/0x40 ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k] ? reacquire_held_locks+0x4d0/0x4d0 ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k] ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k] ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k] ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211] ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k] ? ath12k_mac_vif_chan+0x320/0x320 [ath12k] drv_set_bitrate_mask+0x267/0x470 [mac80211] ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211] ? __this_cpu_preempt_check+0x13/0x20 nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? trace_contention_end+0xef/0x140 ? rtnl_unlock+0x9/0x10 ? nl80211_pre_doit+0x557/0x800 [cfg80211] genl_family_rcv_msg_doit+0x1f0/0x2e0 ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250 ? ns_capable+0x57/0xd0 genl_family_rcv_msg+0x34c/0x600 ? genl_family_rcv_msg_dumpit+0x310/0x310 ? __lock_acquire+0xc62/0x1de0 ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211] ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211] ? cfg80211_external_auth_request+0x690/0x690 [cfg80211] genl_rcv_msg+0xa0/0x130 netlink_rcv_skb+0x14c/0x400 ? genl_family_rcv_msg+0x600/0x600 ? netlink_ack+0xd70/0xd70 ? rwsem_optimistic_spin+0x4f0/0x4f0 ? genl_rcv+0x14/0x40 ? down_read_killable+0x580/0x580 ? netlink_deliver_tap+0x13e/0x350 ? __this_cpu_preempt_check+0x13/0x20 genl_rcv+0x23/0x40 netlink_unicast+0x45e/0x790 ? netlink_attachskb+0x7f0/0x7f0 netlink_sendmsg+0x7eb/0xdb0 ? netlink_unicast+0x790/0x790 ? __this_cpu_preempt_check+0x13/0x20 ? selinux_socket_sendmsg+0x31/0x40 ? netlink_unicast+0x790/0x790 __sock_sendmsg+0xc9/0x160 ____sys_sendmsg+0x620/0x990 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x410/0x410 ? __kasan_check_read+0x11/0x20 ? mark_lock+0xe6/0x1470 ___sys_sendmsg+0xe9/0x170 ? copy_msghdr_from_user+0x120/0x120 ? __lock_acquire+0xc62/0x1de0 ? do_fault_around+0x2c6/0x4e0 ? do_user_addr_fault+0x8c1/0xde0 ? reacquire_held_locks+0x220/0x4d0 ? do_user_addr_fault+0x8c1/0xde0 ? __kasan_check_read+0x11/0x20 ? __fdget+0x4e/0x1d0 ? sockfd_lookup_light+0x1a/0x170 __sys_sendmsg+0xd2/0x180 ? __sys_sendmsg_sock+0x20/0x20 ? reacquire_held_locks+0x4d0/0x4d0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_sendmsg+0x72/0xb0 ? lockdep_hardirqs_on+0x7d/0x100 x64_sys_call+0x894/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_ ---truncated---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()\n\nWhen I try to manually set bitrates:\n\niw wlan0 set bitrates legacy-2.4 1\n\nI get sleeping from invalid context error, see below. Fix that by switching to\nuse recently introduced ieee80211_iterate_stations_mtx().\n\nDo note that WCN6855 firmware is still crashing, I'm not sure if that firmware\neven supports bitrate WMI commands and should we consider disabling\nath12k_mac_op_set_bitrate_mask() for WCN6855? But that's for another patch.\n\nBUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\n3 locks held by iw/2236:\n #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40\n #1: ffff888138410810 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211]\n #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211]\nCPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\nCall Trace:\n <TASK>\n dump_stack_lvl+0xa4/0xe0\n dump_stack+0x10/0x20\n __might_resched+0x363/0x5a0\n ? __alloc_skb+0x165/0x340\n __might_sleep+0xad/0x160\n ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k]\n ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k]\n ? __netdev_alloc_skb+0x45/0x7b0\n ? __asan_memset+0x39/0x40\n ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k]\n ? reacquire_held_locks+0x4d0/0x4d0\n ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k]\n ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k]\n ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k]\n ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211]\n ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k]\n ? ath12k_mac_vif_chan+0x320/0x320 [ath12k]\n drv_set_bitrate_mask+0x267/0x470 [mac80211]\n ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211]\n ? __this_cpu_preempt_check+0x13/0x20\n nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? trace_contention_end+0xef/0x140\n ? rtnl_unlock+0x9/0x10\n ? nl80211_pre_doit+0x557/0x800 [cfg80211]\n genl_family_rcv_msg_doit+0x1f0/0x2e0\n ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250\n ? ns_capable+0x57/0xd0\n genl_family_rcv_msg+0x34c/0x600\n ? genl_family_rcv_msg_dumpit+0x310/0x310\n ? __lock_acquire+0xc62/0x1de0\n ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? cfg80211_external_auth_request+0x690/0x690 [cfg80211]\n genl_rcv_msg+0xa0/0x130\n netlink_rcv_skb+0x14c/0x400\n ? genl_family_rcv_msg+0x600/0x600\n ? netlink_ack+0xd70/0xd70\n ? rwsem_optimistic_spin+0x4f0/0x4f0\n ? genl_rcv+0x14/0x40\n ? down_read_killable+0x580/0x580\n ? netlink_deliver_tap+0x13e/0x350\n ? __this_cpu_preempt_check+0x13/0x20\n genl_rcv+0x23/0x40\n netlink_unicast+0x45e/0x790\n ? netlink_attachskb+0x7f0/0x7f0\n netlink_sendmsg+0x7eb/0xdb0\n ? netlink_unicast+0x790/0x790\n ? __this_cpu_preempt_check+0x13/0x20\n ? selinux_socket_sendmsg+0x31/0x40\n ? netlink_unicast+0x790/0x790\n __sock_sendmsg+0xc9/0x160\n ____sys_sendmsg+0x620/0x990\n ? kernel_sendmsg+0x30/0x30\n ? __copy_msghdr+0x410/0x410\n ? __kasan_check_read+0x11/0x20\n ? mark_lock+0xe6/0x1470\n ___sys_sendmsg+0xe9/0x170\n ? copy_msghdr_from_user+0x120/0x120\n ? __lock_acquire+0xc62/0x1de0\n ? do_fault_around+0x2c6/0x4e0\n ? do_user_addr_fault+0x8c1/0xde0\n ? reacquire_held_locks+0x220/0x4d0\n ? do_user_addr_fault+0x8c1/0xde0\n ? __kasan_check_read+0x11/0x20\n ? __fdget+0x4e/0x1d0\n ? sockfd_lookup_light+0x1a/0x170\n __sys_sendmsg+0xd2/0x180\n ? __sys_sendmsg_sock+0x20/0x20\n ? reacquire_held_locks+0x4d0/0x4d0\n ? debug_smp_processor_id+0x17/0x20\n __x64_sys_sendmsg+0x72/0xb0\n ? lockdep_hardirqs_on+0x7d/0x100\n x64_sys_call+0x894/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_\n---truncated---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.10967

ubuntu: CVE-2024-56607 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

212. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56624) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix out_fput in iommufd_fault_alloc() As fput() calls the file->f_op->release op, where fault obj and ictx are getting released, there is no need to release these two after fput() one more time, which would result in imbalanced refcounts: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230 Call trace: refcount_warn_saturate+0x60/0x230 (P) refcount_warn_saturate+0x60/0x230 (L) iommufd_fault_fops_release+0x9c/0xe0 [iommufd] ... VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd]) WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0 Call trace: filp_flush+0x3c/0xf0 (P) filp_flush+0x3c/0xf0 (L) __arm64_sys_close+0x34/0x98 ... imbalanced put on file reference count WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138 Call trace: __file_ref_put+0x100/0x138 (P) __file_ref_put+0x100/0x138 (L) __fput_sync+0x4c/0xd0 Drop those two lines to fix the warnings above.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix out_fput in iommufd_fault_alloc()\n\nAs fput() calls the file->f_op->release op, where fault obj and ictx are\ngetting released, there is no need to release these two after fput() one\nmore time, which would result in imbalanced refcounts:\n refcount_t: decrement hit 0; leaking memory.\n WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230\n Call trace:\n refcount_warn_saturate+0x60/0x230 (P)\n refcount_warn_saturate+0x60/0x230 (L)\n iommufd_fault_fops_release+0x9c/0xe0 [iommufd]\n ...\n VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])\n WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0\n Call trace:\n filp_flush+0x3c/0xf0 (P)\n filp_flush+0x3c/0xf0 (L)\n __arm64_sys_close+0x34/0x98\n ...\n imbalanced put on file reference count\n WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138\n Call trace:\n __file_ref_put+0x100/0x138 (P)\n __file_ref_put+0x100/0x138 (L)\n __fput_sync+0x4c/0xd0\n\nDrop those two lines to fix the warnings above.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56624 was patched at 2025-03-27, 2025-04-01

213. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56638) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: incorrect percpu area handling under softirq\n\nSoftirq can interrupt ongoing packet from process context that is\nwalking over the percpu area that contains inner header offsets.\n\nDisable bh and perform three checks before restoring the percpu inner\nheader offsets to validate that the percpu area is valid for this\nskbuff:\n\n1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff\n has already been parsed before for inner header fetching to\n register.\n\n2) Validate that the percpu area refers to this skbuff using the\n skbuff pointer as a cookie. If there is a cookie mismatch, then\n this skbuff needs to be parsed again.\n\n3) Finally, validate if the percpu area refers to this tunnel type.\n\nOnly after these three checks the percpu area is restored to a on-stack\ncopy and bh is enabled again.\n\nAfter inner header fetching, the on-stack copy is stored back to the\npercpu area.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00039, EPSS Percentile is 0.10967

ubuntu: CVE-2024-56638 was patched at 2025-03-27, 2025-04-01, 2025-04-23, 2025-04-24, 2025-04-28

214. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56639) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: hsr: must allocate more bytes for RedBox support Blamed commit forgot to change hsr_init_skb() to allocate larger skb for RedBox case. Indeed, send_hsr_supervision_frame() will add two additional components (struct hsr_sup_tlv and struct hsr_sup_payload) syzbot reported the following crash: skbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206 Code: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c RSP: 0018:ffffc90000858ab8 EFLAGS: 00010282 RAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69 RDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005 RBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a R13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140 FS: 000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> skb_over_panic net/core/skbuff.c:211 [inline] skb_put+0x174/0x1b0 net/core/skbuff.c:2617 send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342 hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794 expire_timers kernel/time/timer.c:1845 [inline] __run_timers+0x6e8/0x930 kernel/time/timer.c:2419 __run_timer_base kernel/time/timer.c:2430 [inline] __run_timer_base kernel/time/timer.c:2423 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2439 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:637 [inline] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ>', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: must allocate more bytes for RedBox support\n\nBlamed commit forgot to change hsr_init_skb() to allocate\nlarger skb for RedBox case.\n\nIndeed, send_hsr_supervision_frame() will add\ntwo additional components (struct hsr_sup_tlv\nand struct hsr_sup_payload)\n\nsyzbot reported the following crash:\nskbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206\nCode: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c\nRSP: 0018:ffffc90000858ab8 EFLAGS: 00010282\nRAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69\nRDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005\nRBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a\nR13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140\nFS: 000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <IRQ>\n skb_over_panic net/core/skbuff.c:211 [inline]\n skb_put+0x174/0x1b0 net/core/skbuff.c:2617\n send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342\n hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436\n call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794\n expire_timers kernel/time/timer.c:1845 [inline]\n __run_timers+0x6e8/0x930 kernel/time/timer.c:2419\n __run_timer_base kernel/time/timer.c:2430 [inline]\n __run_timer_base kernel/time/timer.c:2423 [inline]\n run_timer_base+0x111/0x190 kernel/time/timer.c:2439\n run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449\n handle_softirqs+0x213/0x8f0 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu kernel/softirq.c:637 [inline]\n irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00034, EPSS Percentile is 0.08526

ubuntu: CVE-2024-56639 was patched at 2025-03-27, 2025-04-01

215. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56713) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: netdevsim: fix nsim_pp_hold_write() nsim_pp_hold_write() has two problems: 1) It may return with rtnl held, as found by syzbot. 2) Its return value does not propagate an error if any.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: fix nsim_pp_hold_write()\n\nnsim_pp_hold_write() has two problems:\n\n1) It may return with rtnl held, as found by syzbot.\n\n2) Its return value does not propagate an error if any.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-56713 was patched at 2025-03-27, 2025-04-01

216. Unknown Vulnerability Type - Linux Kernel (CVE-2024-56714) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ionic: no double destroy workqueue There are some FW error handling paths that can cause us to try to destroy the workqueue more than once, so let's be sure we're checking for that. The case where this popped up was in an AER event where the handlers got called in such a way that ionic_reset_prepare() and thus ionic_dev_teardown() got called twice in a row. The second time through the workqueue was already destroyed, and destroy_workqueue() choked on the bad wq pointer. We didn't hit this in AER handler testing before because at that time we weren't using a private workqueue. Later we replaced the use of the system workqueue with our own private workqueue but hadn't rerun the AER handler testing since then.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nionic: no double destroy workqueue\n\nThere are some FW error handling paths that can cause us to\ntry to destroy the workqueue more than once, so let's be sure\nwe're checking for that.\n\nThe case where this popped up was in an AER event where the\nhandlers got called in such a way that ionic_reset_prepare()\nand thus ionic_dev_teardown() got called twice in a row.\nThe second time through the workqueue was already destroyed,\nand destroy_workqueue() choked on the bad wq pointer.\n\nWe didn't hit this in AER handler testing before because at\nthat time we weren't using a private workqueue. Later we\nreplaced the use of the system workqueue with our own private\nworkqueue but hadn't rerun the AER handler testing since then.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-56714 was patched at 2025-03-27, 2025-04-01

217. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57793) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: virt: tdx-guest: Just leak decrypted memory on unrecoverable errors In CoCo VMs it is possible for the untrusted host to cause set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. Leak the decrypted memory when set_memory_decrypted() fails, and don't need to print an error since set_memory_decrypted() will call WARN_ONCE().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Just leak decrypted memory on unrecoverable errors\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_decrypted() to fail such that an error is returned\nand the resulting memory is shared. Callers need to take care\nto handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional\nor security issues.\n\nLeak the decrypted memory when set_memory_decrypted() fails,\nand don't need to print an error since set_memory_decrypted()\nwill call WARN_ONCE().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57793 was patched at 2025-03-27, 2025-04-01

218. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57805) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP The linkDMA should not be released on stop trigger since a stream re-start might happen without closing of the stream. This leaves a short time for other streams to 'steal' the linkDMA since it has been released. This issue is not easy to reproduce under normal conditions as usually after stop the stream is closed, or the same stream is restarted, but if another stream got in between the stop and start, like this: aplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120 CTRL+z aplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120 then the link DMA channels will be mixed up, resulting firmware error or crash.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP\n\nThe linkDMA should not be released on stop trigger since a stream re-start\nmight happen without closing of the stream. This leaves a short time for\nother streams to 'steal' the linkDMA since it has been released.\n\nThis issue is not easy to reproduce under normal conditions as usually\nafter stop the stream is closed, or the same stream is restarted, but if\nanother stream got in between the stop and start, like this:\naplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120\nCTRL+z\naplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120\n\nthen the link DMA channels will be mixed up, resulting firmware error or\ncrash.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57805 was patched at 2025-03-27, 2025-04-01

219. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57806) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction atomicity bug when enabling simple quotas Set squota incompat bit before committing the transaction that enables the feature. With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature. [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365 [5.597098] ------------[ cut here ]------------ [5.597371] kernel BUG at fs/btrfs/qgroup.c:365! [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146 [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0 [5.604303] <TASK> [5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.605538] ? exc_invalid_op+0x56/0x70 [5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606066] ? asm_exc_invalid_op+0x1f/0x30 [5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0 [5.607038] ? try_to_wake_up+0x317/0x760 [5.607286] open_ctree+0xd9c/0x1710 [5.607509] btrfs_get_tree+0x58a/0x7e0 [5.608002] vfs_get_tree+0x2e/0x100 [5.608224] fc_mount+0x16/0x60 [5.608420] btrfs_get_tree+0x2f8/0x7e0 [5.608897] vfs_get_tree+0x2e/0x100 [5.609121] path_mount+0x4c8/0xbc0 [5.609538] __x64_sys_mount+0x10d/0x150 The issue can be easily reproduced using the following reproducer: root@q:linux# cat repro.sh set -e mkfs.btrfs -q -f /dev/sdb mount /dev/sdb /mnt/btrfs btrfs quota enable -s /mnt/btrfs umount /mnt/btrfs mount /dev/sdb /mnt/btrfs The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas. This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at: btrfs_read_qgroup_config() -> qgroup_read_enable_gen() To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction atomicity bug when enabling simple quotas\n\nSet squota incompat bit before committing the transaction that enables\nthe feature.\n\nWith the config CONFIG_BTRFS_ASSERT enabled, an assertion\nfailure occurs regarding the simple quota feature.\n\n [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365\n [5.597098] ------------[ cut here ]------------\n [5.597371] kernel BUG at fs/btrfs/qgroup.c:365!\n [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146\n [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0\n [5.604303] <TASK>\n [5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0\n [5.605538] ? exc_invalid_op+0x56/0x70\n [5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0\n [5.606066] ? asm_exc_invalid_op+0x1f/0x30\n [5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0\n [5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0\n [5.607038] ? try_to_wake_up+0x317/0x760\n [5.607286] open_ctree+0xd9c/0x1710\n [5.607509] btrfs_get_tree+0x58a/0x7e0\n [5.608002] vfs_get_tree+0x2e/0x100\n [5.608224] fc_mount+0x16/0x60\n [5.608420] btrfs_get_tree+0x2f8/0x7e0\n [5.608897] vfs_get_tree+0x2e/0x100\n [5.609121] path_mount+0x4c8/0xbc0\n [5.609538] __x64_sys_mount+0x10d/0x150\n\nThe issue can be easily reproduced using the following reproducer:\n\n root@q:linux# cat repro.sh\n set -e\n\n mkfs.btrfs -q -f /dev/sdb\n mount /dev/sdb /mnt/btrfs\n btrfs quota enable -s /mnt/btrfs\n umount /mnt/btrfs\n mount /dev/sdb /mnt/btrfs\n\nThe issue is that when enabling quotas, at btrfs_quota_enable(), we set\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist\nit in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but\nwe only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we\ncommit the transaction used to enable simple quotas.\n\nThis means that if after that transaction commit we unmount the filesystem\nwithout starting and committing any other transaction, or we have a power\nfailure, the next time we mount the filesystem we will find the flag\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key\nBTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit\nBTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an\nassertion failure at:\n\n btrfs_read_qgroup_config() -> qgroup_read_enable_gen()\n\nTo fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag\nimmediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE.\nThis ensures that both flags are flushed to disk within the same\ntransaction.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57806 was patched at 2025-03-27, 2025-04-01

220. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57839) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" This reverts commit 7c877586da3178974a8a94577b6045a48377ff25. Anders and Philippe have reported that recent kernels occasionally hang when used with NFS in readahead code. The problem has been bisected to 7c877586da3 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()"). The cause of the problem is that ra->size can be shrunk by read_pages() call and subsequently we end up calling do_page_cache_ra() with negative (read huge positive) number of pages. Let's revert 7c877586da3 for now until we can find a proper way how the logic in read_pages() and page_cache_ra_order() can coexist. This can lead to reduced readahead throughput due to readahead window confusion but that's better than outright hangs.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nRevert "readahead: properly shorten readahead when falling back to do_page_cache_ra()"\n\nThis reverts commit 7c877586da3178974a8a94577b6045a48377ff25.\n\nAnders and Philippe have reported that recent kernels occasionally hang\nwhen used with NFS in readahead code. The problem has been bisected to\n7c877586da3 ("readahead: properly shorten readahead when falling back to\ndo_page_cache_ra()"). The cause of the problem is that ra->size can be\nshrunk by read_pages() call and subsequently we end up calling\ndo_page_cache_ra() with negative (read huge positive) number of pages. \nLet's revert 7c877586da3 for now until we can find a proper way how the\nlogic in read_pages() and page_cache_ra_order() can coexist. This can\nlead to reduced readahead throughput due to readahead window confusion but\nthat's better than outright hangs.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57839 was patched at 2025-03-27, 2025-04-01

221. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57879) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Always release hdev at the end of iso_listen_bis Since hci_get_route holds the device before returning, the hdev should be released with hci_dev_put at the end of iso_listen_bis even if the function returns with an error.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Always release hdev at the end of iso_listen_bis\n\nSince hci_get_route holds the device before returning, the hdev\nshould be released with hci_dev_put at the end of iso_listen_bis\neven if the function returns with an error.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57879 was patched at 2025-03-27, 2025-04-01

222. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57880) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array The code uses the initialised member of the asoc_sdw_dailink struct to determine if a member of the array is in use. However in the case the array is completely full this will lead to an access 1 past the end of the array, expand the array by one entry to include a space for a terminator.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: Add space for a terminator into DAIs array\n\nThe code uses the initialised member of the asoc_sdw_dailink struct to\ndetermine if a member of the array is in use. However in the case the\narray is completely full this will lead to an access 1 past the end of\nthe array, expand the array by one entry to include a space for a\nterminator.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57880 was patched at 2025-03-27, 2025-04-01

223. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57885) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: fix sleeping function called from invalid context at print message Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions: - CONFIG_PREEMPT_RT=y - Set SELinux as the LSM for the system - Set kptr_restrict to 1 - kmemleak buffer contains at least one item BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 6 locks held by cat/136: #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 irq event stamp: 136660 hardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 Tainted: [E]=UNSIGNED_MODULE Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 restricted_pointer+0x21c/0x4b0 pointer+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 print_unreferenced+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 full_proxy_read+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 invoke_syscall.constprop.0+0xd4/0x1d8 el0_svc+0x50/0x158 el0t_64_sync+0x17c/0x180 %pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts. %pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address voiding the original intent behind the %pK. Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs. This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: fix sleeping function called from invalid context at print message\n\nAddress a bug in the kernel that triggers a "sleeping function called from\ninvalid context" warning when /sys/kernel/debug/kmemleak is printed under\nspecific conditions:\n- CONFIG_PREEMPT_RT=y\n- Set SELinux as the LSM for the system\n- Set kptr_restrict to 1\n- kmemleak buffer contains at least one item\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n6 locks held by cat/136:\n #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30\n #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128\n #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0\n #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0\n #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0\nirq event stamp: 136660\nhardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8\nhardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0\nsoftirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nPreemption disabled at:\n[<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0\nCPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34\nTainted: [E]=UNSIGNED_MODULE\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x1c/0x30\n dump_stack_lvl+0xe8/0x198\n dump_stack+0x18/0x20\n rt_spin_lock+0x8c/0x1a8\n avc_perm_nonode+0xa0/0x150\n cred_has_capability.isra.0+0x118/0x218\n selinux_capable+0x50/0x80\n security_capable+0x7c/0xd0\n has_ns_capability_noaudit+0x94/0x1b0\n has_capability_noaudit+0x20/0x30\n restricted_pointer+0x21c/0x4b0\n pointer+0x298/0x760\n vsnprintf+0x330/0xf70\n seq_printf+0x178/0x218\n print_unreferenced+0x1a4/0x2d0\n kmemleak_seq_show+0xd0/0x1e0\n seq_read_iter+0x354/0xe30\n seq_read+0x250/0x378\n full_proxy_read+0xd8/0x148\n vfs_read+0x190/0x918\n ksys_read+0xf0/0x1e0\n __arm64_sys_read+0x70/0xa8\n invoke_syscall.constprop.0+0xd4/0x1d8\n el0_svc+0x50/0x158\n el0t_64_sync+0x17c/0x180\n\n%pS and %pK, in the same back trace line, are redundant, and %pS can void\n%pK service in certain contexts.\n\n%pS alone already provides the necessary information, and if it cannot\nresolve the symbol, it falls back to printing the raw address voiding\nthe original intent behind the %pK.\n\nAdditionally, %pK requires a privilege check CAP_SYSLOG enforced through\nthe LSM, which can trigger a "sleeping function called from invalid\ncontext" warning under RT_PREEMPT kernels when the check occurs in an\natomic context. This issue may also affect other LSMs.\n\nThis change avoids the unnecessary privilege check and resolves the\nsleeping function warning without any loss of information.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2024-57885 was patched at 2025-03-27, 2025-04-01

224. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57886) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix new damon_target objects leaks on damon_commit_targets()\n\nPatch series "mm/damon/core: fix memory leaks and ignored inputs from\ndamon_commit_ctx()".\n\nDue to two bugs in damon_commit_targets() and damon_commit_schemes(),\nwhich are called from damon_commit_ctx(), some user inputs can be ignored,\nand some mmeory objects can be leaked. Fix those.\n\nNote that only DAMON sysfs interface users are affected. Other DAMON core\nAPI user modules that more focused more on simple and dedicated production\nusages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy\nfunction in the way, so not affected.\n\n\nThis patch (of 2):\n\nWhen new DAMON targets are added via damon_commit_targets(), the newly\ncreated targets are not deallocated when updating the internal data\n(damon_commit_target()) is failed. Worse yet, even if the setup is\nsuccessfully done, the new target is not linked to the context. Hence,\nthe new targets are always leaked regardless of the internal data setup\nfailure. Fix the leaks.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57886 was patched at 2025-03-27, 2025-04-01

225. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57918) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix page fault due to max surface definition mismatch DC driver is using two different values to define the maximum number of surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as the unique definition for surface updates across DC. It fixes page fault faced by Cosmic users on AMD display versions that support two overlay planes, since the introduction of cursor overlay mode. [Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b [ +0.000015] #PF: supervisor read access in kernel mode [ +0.000006] #PF: error_code(0x0000) - not-present page [ +0.000005] PGD 0 P4D 0 [ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300 [ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper] [ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b [ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206 [ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070 [ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000 [ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000 [ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000 [ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000 [ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000 [ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0 [ +0.000005] Call Trace: [ +0.000011] <TASK> [ +0.000010] ? __die_body.cold+0x19/0x27 [ +0.000012] ? page_fault_oops+0x15a/0x2d0 [ +0.000014] ? exc_page_fault+0x7e/0x180 [ +0.000009] ? asm_exc_page_fault+0x26/0x30 [ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu] [ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu] [ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu] [ +0.000450] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu] [ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu] [ +0.000464] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? sort+0x31/0x50 [ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu] [ +0.000508] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu] [ +0.000377] ? srso_return_thunk+0x5/0x5f [ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm] [ +0.000058] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_default_wait+0x8c/0x260 [ +0.000010] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? wait_for_completion_timeout+0x13b/0x170 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? dma_fence_wait_timeout+0x108/0x140 [ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper] [ +0.000024] ? process_one_work+0x177/0x330 [ +0.000008] ? worker_thread+0x266/0x3a0 [ +0.000006] ? __pfx_worker_thread+0x10/0x10 [ +0.000004] ? kthread+0xd2/0x100 [ +0.000006] ? __pfx_kthread+0x10/0x10 [ +0.000006] ? ret_from_fork+0x34/0x50 [ +0.000004] ? __pfx_kthread+0x10/0x10 [ +0.000005] ? ret_from_fork_asm+0x1a/0x30 [ +0.000011] </TASK> (cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix page fault due to max surface definition mismatch\n\nDC driver is using two different values to define the maximum number of\nsurfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as\nthe unique definition for surface updates across DC.\n\nIt fixes page fault faced by Cosmic users on AMD display versions that\nsupport two overlay planes, since the introduction of cursor overlay\nmode.\n\n[Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b\n[ +0.000015] #PF: supervisor read access in kernel mode\n[ +0.000006] #PF: error_code(0x0000) - not-present page\n[ +0.000005] PGD 0 P4D 0\n[ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300\n[ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]\n[ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b\n[ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206\n[ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070\n[ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000\n[ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000\n[ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000\n[ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000\n[ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0\n[ +0.000005] Call Trace:\n[ +0.000011] <TASK>\n[ +0.000010] ? __die_body.cold+0x19/0x27\n[ +0.000012] ? page_fault_oops+0x15a/0x2d0\n[ +0.000014] ? exc_page_fault+0x7e/0x180\n[ +0.000009] ? asm_exc_page_fault+0x26/0x30\n[ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]\n[ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]\n[ +0.000450] ? srso_return_thunk+0x5/0x5f\n[ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]\n[ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu]\n[ +0.000464] ? srso_return_thunk+0x5/0x5f\n[ +0.000009] ? sort+0x31/0x50\n[ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]\n[ +0.000508] ? srso_return_thunk+0x5/0x5f\n[ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]\n[ +0.000377] ? srso_return_thunk+0x5/0x5f\n[ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]\n[ +0.000058] ? srso_return_thunk+0x5/0x5f\n[ +0.000005] ? dma_fence_default_wait+0x8c/0x260\n[ +0.000010] ? srso_return_thunk+0x5/0x5f\n[ +0.000005] ? wait_for_completion_timeout+0x13b/0x170\n[ +0.000006] ? srso_return_thunk+0x5/0x5f\n[ +0.000005] ? dma_fence_wait_timeout+0x108/0x140\n[ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper]\n[ +0.000024] ? process_one_work+0x177/0x330\n[ +0.000008] ? worker_thread+0x266/0x3a0\n[ +0.000006] ? __pfx_worker_thread+0x10/0x10\n[ +0.000004] ? kthread+0xd2/0x100\n[ +0.000006] ? __pfx_kthread+0x10/0x10\n[ +0.000006] ? ret_from_fork+0x34/0x50\n[ +0.000004] ? __pfx_kthread+0x10/0x10\n[ +0.000005] ? ret_from_fork_asm+0x1a/0x30\n[ +0.000011] </TASK>\n\n(cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57918 was patched at 2025-03-27, 2025-04-01

226. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57932) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: gve: guard XDP xmit NDO on existence of xdp queues In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false. In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL. The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XDP xmit NDO on existence of xdp queues\n\nIn GVE, dedicated XDP queues only exist when an XDP program is installed\nand the interface is up. As such, the NDO XDP XMIT callback should\nreturn early if either of these conditions are false.\n\nIn the case of no loaded XDP program, priv->num_xdp_queues=0 which can\ncause a divide-by-zero error, and in the case of interface down,\nnum_xdp_queues remains untouched to persist XDP queue count for the next\ninterface up, but the TX pointer itself would be NULL.\n\nThe XDP xmit callback also needs to synchronize with a device\ntransitioning from open to close. This synchronization will happen via\nthe GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,\nwhich waits for any RCU critical sections at call-time to complete.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2024-57932 was patched at 2025-03-27, 2025-04-01

227. Unknown Vulnerability Type - Linux Kernel (CVE-2024-57935) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix accessing invalid dip_ctx during destroying QP If it fails to modify QP to RTR, dip_ctx will not be attached. And during detroying QP, the invalid dip_ctx pointer will be accessed.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix accessing invalid dip_ctx during destroying QP\n\nIf it fails to modify QP to RTR, dip_ctx will not be attached. And\nduring detroying QP, the invalid dip_ctx pointer will be accessed.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2024-57935 was patched at 2025-03-27, 2025-04-01

228. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21632) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure shadow stack is active before "getting" registers The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can not touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI for XSAVE state. Thus, there is a new ptrace get/set interface for it. The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is checked from some call sites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place. As a result, both the set/get handlers can be called with XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an ssp_active() check to avoid surprising the kernel with shadow stack behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That check just happened to avoid the warning. But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe: WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 [...] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? ssp_get+0x89/0xa0 ? __warn+0x91/0x150 ? ssp_get+0x89/0xa0 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? __pfx_ssp_get+0x10/0x10 ? ssp_get+0x89/0xa0 ? ssp_get+0x52/0xa0 __regset_get+0xad/0xf0 copy_regset_to_user+0x52/0xc0 ptrace_regset+0x119/0x140 ptrace_request+0x13c/0x850 ? wait_task_inactive+0x142/0x1d0 ? do_syscall_64+0x6d/0x90 arch_ptrace+0x102/0x300 [...] Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer. [ dhansen: changelog/subject tweaks ]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Ensure shadow stack is active before "getting" registers\n\nThe x86 shadow stack support has its own set of registers. Those registers\nare XSAVE-managed, but they are "supervisor state components" which means\nthat userspace can not touch them with XSAVE/XRSTOR. It also means that\nthey are not accessible from the existing ptrace ABI for XSAVE state.\nThus, there is a new ptrace get/set interface for it.\n\nThe regset code that ptrace uses provides an ->active() handler in\naddition to the get/set ones. For shadow stack this ->active() handler\nverifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the\nthread struct. The ->active() handler is checked from some call sites of\nthe regset get/set handlers, but not the ptrace ones. This was not\nunderstood when shadow stack support was put in place.\n\nAs a result, both the set/get handlers can be called with\nXFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to\nreturn NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an\nssp_active() check to avoid surprising the kernel with shadow stack\nbehavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That\ncheck just happened to avoid the warning.\n\nBut the ->get() side wasn't so lucky. It can be called with shadow stacks\ndisabled, triggering the warning in practice, as reported by Christina\nSchimpe:\n\nWARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0\n[...]\nCall Trace:\n<TASK>\n? show_regs+0x6e/0x80\n? ssp_get+0x89/0xa0\n? __warn+0x91/0x150\n? ssp_get+0x89/0xa0\n? report_bug+0x19d/0x1b0\n? handle_bug+0x46/0x80\n? exc_invalid_op+0x1d/0x80\n? asm_exc_invalid_op+0x1f/0x30\n? __pfx_ssp_get+0x10/0x10\n? ssp_get+0x89/0xa0\n? ssp_get+0x52/0xa0\n__regset_get+0xad/0xf0\ncopy_regset_to_user+0x52/0xc0\nptrace_regset+0x119/0x140\nptrace_request+0x13c/0x850\n? wait_task_inactive+0x142/0x1d0\n? do_syscall_64+0x6d/0x90\narch_ptrace+0x102/0x300\n[...]\n\nEnsure that shadow stacks are active in a thread before looking them up\nin the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are\nset at the same time, the active check ensures that there will be\nsomething to find in the XSAVE buffer.\n\n[ dhansen: changelog/subject tweaks ]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2025-21632 was patched at 2025-03-27, 2025-04-01

229. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21643) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: netfs: Fix kernel async DIO Netfslib needs to be able to handle kernel-initiated asynchronous DIO that is supplied with a bio_vec[] array. Currently, because of the async flag, this gets passed to netfs_extract_user_iter() which throws a warning and fails because it only handles IOVEC and UBUF iterators. This can be triggered through a combination of cifs and a loopback blockdev with something like: mount //my/cifs/share /foo dd if=/dev/zero of=/foo/m0 bs=4K count=1K losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0 echo hello >/dev/loop2046 This causes the following to appear in syslog: WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs] and the write to fail. Fix this by removing the check in netfs_unbuffered_write_iter_locked() that causes async kernel DIO writes to be handled as userspace writes. Note that this change relies on the kernel caller maintaining the existence of the bio_vec array (or kvec[] or folio_queue) until the op is complete.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel async DIO\n\nNetfslib needs to be able to handle kernel-initiated asynchronous DIO that\nis supplied with a bio_vec[] array. Currently, because of the async flag,\nthis gets passed to netfs_extract_user_iter() which throws a warning and\nfails because it only handles IOVEC and UBUF iterators. This can be\ntriggered through a combination of cifs and a loopback blockdev with\nsomething like:\n\n mount //my/cifs/share /foo\n dd if=/dev/zero of=/foo/m0 bs=4K count=1K\n losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0\n echo hello >/dev/loop2046\n\nThis causes the following to appear in syslog:\n\n WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs]\n\nand the write to fail.\n\nFix this by removing the check in netfs_unbuffered_write_iter_locked() that\ncauses async kernel DIO writes to be handled as userspace writes. Note\nthat this change relies on the kernel caller maintaining the existence of\nthe bio_vec array (or kvec[] or folio_queue) until the op is complete.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00025, EPSS Percentile is 0.05143

ubuntu: CVE-2025-21643 was patched at 2025-03-27, 2025-04-01

230. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21654) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ovl: support encoding fid from inode with no alias Dmitry Safonov reported that a WARN_ON() assertion can be trigered by userspace when calling inotify_show_fdinfo() for an overlayfs watched inode, whose dentry aliases were discarded with drop_caches. The WARN_ON() assertion in inotify_show_fdinfo() was removed, because it is possible for encoding file handle to fail for other reason, but the impact of failing to encode an overlayfs file handle goes beyond this assertion. As shown in the LTP test case mentioned in the link below, failure to encode an overlayfs file handle from a non-aliased inode also leads to failure to report an fid with FAN_DELETE_SELF fanotify events. As Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails if it cannot find an alias for the inode, but this failure can be fixed. ovl_encode_fh() seldom uses the alias and in the case of non-decodable file handles, as is often the case with fanotify fid info, ovl_encode_fh() never needs to use the alias to encode a file handle. Defer finding an alias until it is actually needed so ovl_encode_fh() will not fail in the common case of FAN_DELETE_SELF fanotify events.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\novl: support encoding fid from inode with no alias\n\nDmitry Safonov reported that a WARN_ON() assertion can be trigered by\nuserspace when calling inotify_show_fdinfo() for an overlayfs watched\ninode, whose dentry aliases were discarded with drop_caches.\n\nThe WARN_ON() assertion in inotify_show_fdinfo() was removed, because\nit is possible for encoding file handle to fail for other reason, but\nthe impact of failing to encode an overlayfs file handle goes beyond\nthis assertion.\n\nAs shown in the LTP test case mentioned in the link below, failure to\nencode an overlayfs file handle from a non-aliased inode also leads to\nfailure to report an fid with FAN_DELETE_SELF fanotify events.\n\nAs Dmitry notes in his analyzis of the problem, ovl_encode_fh() fails\nif it cannot find an alias for the inode, but this failure can be fixed.\novl_encode_fh() seldom uses the alias and in the case of non-decodable\nfile handles, as is often the case with fanotify fid info,\novl_encode_fh() never needs to use the alias to encode a file handle.\n\nDefer finding an alias until it is actually needed so ovl_encode_fh()\nwill not fail in the common case of FAN_DELETE_SELF fanotify events.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00028, EPSS Percentile is 0.06259

ubuntu: CVE-2025-21654 was patched at 2025-03-27, 2025-04-01

231. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21659) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: netdev: prevent accessing NAPI instances from another namespace The NAPI IDs were not fully exposed to user space prior to the netlink API, so they were never namespaced. The netlink API must ensure that at the very least NAPI instance belongs to the same netns as the owner of the genl sock. napi_by_id() can become static now, but it needs to move because of dev_get_by_napi_id().', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnetdev: prevent accessing NAPI instances from another namespace\n\nThe NAPI IDs were not fully exposed to user space prior to the netlink\nAPI, so they were never namespaced. The netlink API must ensure that\nat the very least NAPI instance belongs to the same netns as the owner\nof the genl sock.\n\nnapi_by_id() can become static now, but it needs to move because of\ndev_get_by_napi_id().', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00031, EPSS Percentile is 0.07051

ubuntu: CVE-2025-21659 was patched at 2025-03-27, 2025-04-01

232. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21663) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-tegra: Read iommu stream id from device tree Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be written to the MGBE_WRAP_AXI_ASID0_CTRL register. The current driver is hard coded to use MGBE0's SID for all controllers. This causes softirq time outs and kernel panics when using controllers other than MGBE0. Example dmesg errors when an ethernet cable is connected to MGBE1: [ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms [ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter. [ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0 [ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171) [ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features [ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported [ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock [ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode [ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx [ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: [ 181.921404] rcu: \t7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337 [ 181.921684] rcu: \t(detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8) [ 181.921878] Sending NMI from CPU 4 to CPUs 7: [ 181.921886] NMI backtrace for cpu 7 [ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 [ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 [ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 181.922847] pc : handle_softirqs+0x98/0x368 [ 181.922978] lr : __do_softirq+0x18/0x20 [ 181.923095] sp : ffff80008003bf50 [ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 [ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 [ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 [ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 [ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 [ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d [ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 [ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74 [ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1 [ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 [ 181.967591] Call trace: [ 181.970043] handle_softirqs+0x98/0x368 (P) [ 181.974240] __do_softirq+0x18/0x20 [ 181.977743] ____do_softirq+0x14/0x28 [ 181.981415] call_on_irq_stack+0x24/0x30 [ 181.985180] do_softirq_own_stack+0x20/0x30 [ 181.989379] __irq_exit_rcu+0x114/0x140 [ 181.993142] irq_exit_rcu+0x14/0x28 [ 181.996816] el1_interrupt+0x44/0xb8 [ 182.000316] el1h_64_irq_handler+0x14/0x20 [ 182.004343] el1h_64_irq+0x80/0x88 [ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P) [ 182.012305] cpuidle_enter+0x3c/0x58 [ 182.015980] cpuidle_idle_call+0x128/0x1c0 [ 182.020005] do_idle+0xe0/0xf0 [ 182.023155] cpu_startup_entry+0x3c/0x48 [ 182.026917] secondary_start_kernel+0xdc/0x120 [ 182.031379] __secondary_switched+0x74/0x78 [ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/. [ 212.985935] rcu: blocking rcu_node structures (internal RCU debug): [ 212.992758] Sending NMI from CPU 0 to CPUs 7: [ 212.998539] NMI backtrace for cpu 7 [ 213.004304] CPU: 7 UID: 0 PI ---truncated---', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwmac-tegra: Read iommu stream id from device tree\n\nNvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be\nwritten to the MGBE_WRAP_AXI_ASID0_CTRL register.\n\nThe current driver is hard coded to use MGBE0's SID for all controllers.\nThis causes softirq time outs and kernel panics when using controllers\nother than MGBE0.\n\nExample dmesg errors when an ethernet cable is connected to MGBE1:\n\n[ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms\n[ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter.\n[ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0\n[ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171)\n[ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features\n[ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported\n[ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock\n[ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode\n[ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n[ 181.921404] rcu: \t7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337\n[ 181.921684] rcu: \t(detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8)\n[ 181.921878] Sending NMI from CPU 4 to CPUs 7:\n[ 181.921886] NMI backtrace for cpu 7\n[ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6\n[ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024\n[ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 181.922847] pc : handle_softirqs+0x98/0x368\n[ 181.922978] lr : __do_softirq+0x18/0x20\n[ 181.923095] sp : ffff80008003bf50\n[ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000\n[ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0\n[ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70\n[ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000\n[ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000\n[ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d\n[ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160\n[ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74\n[ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1\n[ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000\n[ 181.967591] Call trace:\n[ 181.970043] handle_softirqs+0x98/0x368 (P)\n[ 181.974240] __do_softirq+0x18/0x20\n[ 181.977743] ____do_softirq+0x14/0x28\n[ 181.981415] call_on_irq_stack+0x24/0x30\n[ 181.985180] do_softirq_own_stack+0x20/0x30\n[ 181.989379] __irq_exit_rcu+0x114/0x140\n[ 181.993142] irq_exit_rcu+0x14/0x28\n[ 181.996816] el1_interrupt+0x44/0xb8\n[ 182.000316] el1h_64_irq_handler+0x14/0x20\n[ 182.004343] el1h_64_irq+0x80/0x88\n[ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P)\n[ 182.012305] cpuidle_enter+0x3c/0x58\n[ 182.015980] cpuidle_idle_call+0x128/0x1c0\n[ 182.020005] do_idle+0xe0/0xf0\n[ 182.023155] cpu_startup_entry+0x3c/0x48\n[ 182.026917] secondary_start_kernel+0xdc/0x120\n[ 182.031379] __secondary_switched+0x74/0x78\n[ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/.\n[ 212.985935] rcu: blocking rcu_node structures (internal RCU debug):\n[ 212.992758] Sending NMI from CPU 0 to CPUs 7:\n[ 212.998539] NMI backtrace for cpu 7\n[ 213.004304] CPU: 7 UID: 0 PI\n---truncated---', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.0003, EPSS Percentile is 0.06801

ubuntu: CVE-2025-21663 was patched at 2025-03-27, 2025-04-01

233. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21834) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: seccomp: passthrough uretprobe systemcall without filtering When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes. Pass this systemcall through seccomp without depending on configuration. Note: uretprobe is currently only x86_64 and isn't expected to ever be supported in i386. [kees: minimized changes for easier backporting, tweaked commit log]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: passthrough uretprobe systemcall without filtering\n\nWhen attaching uretprobes to processes running inside docker, the attached\nprocess is segfaulted when encountering the retprobe.\n\nThe reason is that now that uretprobe is a system call the default seccomp\nfilters in docker block it as they only allow a specific set of known\nsyscalls. This is true for other userspace applications which use seccomp\nto control their syscall surface.\n\nSince uretprobe is a "kernel implementation detail" system call which is\nnot used by userspace application code directly, it is impractical and\nthere's very little point in forcing all userspace applications to\nexplicitly allow it in order to avoid crashing tracked processes.\n\nPass this systemcall through seccomp without depending on configuration.\n\nNote: uretprobe is currently only x86_64 and isn't expected to ever be\nsupported in i386.\n\n[kees: minimized changes for easier backporting, tweaked commit log]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00027, EPSS Percentile is 0.05749

ubuntu: CVE-2025-21834 was patched at 2025-03-27, 2025-04-01

234. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21881) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_unref_page_prepare+0x401/0x500 free_unref_page+0x6d/0x1b0 uprobe_write_opcode+0x460/0x8e0 install_breakpoint.part.0+0x51/0x80 register_for_each_vma+0x1d9/0x2b0 __uprobe_register+0x245/0x300 bpf_uprobe_multi_link_attach+0x29b/0x4f0 link_create+0x1e2/0x280 __sys_bpf+0x75f/0xac0 __x64_sys_bpf+0x1a/0x30 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1 The following syzkaller test case can be used to reproduce: r2 = creat(&(0x7f0000000000)='./file0\\x00', 0x8) write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10) r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x42, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0) r5 = userfaultfd(0x80801) ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20}) r6 = userfaultfd(0x80801) ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140)) ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}}) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40) The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount. Therefore, two bugs are introduced: 1. The RSS count is incorrect, when process exit, the check_mm() report error "Bad rss-count". 2. The reserved folio (zero folio) is freed when folio->refcount is zero, then free_pages_prepare->free_page_is_bad() report error "Bad page state". There is more, the following warning could also theoretically be triggered: __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio) Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote(). [ mingo: Cleaned up the changelog ]', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: Reject the shared zeropage in uprobe_write_opcode()\n\nWe triggered the following crash in syzkaller tests:\n\n BUG: Bad page state in process syz.7.38 pfn:1eff3\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3\n flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)\n raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000\n page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x32/0x50\n bad_page+0x69/0xf0\n free_unref_page_prepare+0x401/0x500\n free_unref_page+0x6d/0x1b0\n uprobe_write_opcode+0x460/0x8e0\n install_breakpoint.part.0+0x51/0x80\n register_for_each_vma+0x1d9/0x2b0\n __uprobe_register+0x245/0x300\n bpf_uprobe_multi_link_attach+0x29b/0x4f0\n link_create+0x1e2/0x280\n __sys_bpf+0x75f/0xac0\n __x64_sys_bpf+0x1a/0x30\n do_syscall_64+0x56/0x100\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\n BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1\n\nThe following syzkaller test case can be used to reproduce:\n\n r2 = creat(&(0x7f0000000000)='./file0\\x00', 0x8)\n write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)\n r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x42, 0x0)\n mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)\n r5 = userfaultfd(0x80801)\n ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})\n r6 = userfaultfd(0x80801)\n ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))\n ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})\n ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})\n r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)\n bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)\n\nThe cause is that zero pfn is set to the PTE without increasing the RSS\ncount in mfill_atomic_pte_zeropage() and the refcount of zero folio does\nnot increase accordingly. Then, the operation on the same pfn is performed\nin uprobe_write_opcode()->__replace_page() to unconditional decrease the\nRSS count and old_folio's refcount.\n\nTherefore, two bugs are introduced:\n\n 1. The RSS count is incorrect, when process exit, the check_mm() report\n error "Bad rss-count".\n\n 2. The reserved folio (zero folio) is freed when folio->refcount is zero,\n then free_pages_prepare->free_page_is_bad() report error\n "Bad page state".\n\nThere is more, the following warning could also theoretically be triggered:\n\n __replace_page()\n -> ...\n -> folio_remove_rmap_pte()\n -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)\n\nConsidering that uprobe hit on the zero folio is a very rare case, just\nreject zero old folio immediately after get_user_page_vma_remote().\n\n[ mingo: Cleaned up the changelog ]', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00045, EPSS Percentile is 0.13359

debian: CVE-2025-21881 was patched at 2025-04-12, 2025-04-23

235. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21899) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix bad hist from corrupting named_triggers list\n\nThe following commands causes a crash:\n\n ~# cd /sys/kernel/tracing/events/rcu/rcu_callback\n ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger\n bash: echo: write error: Invalid argument\n ~# echo 'hist:name=bad:keys=common_pid' > trigger\n\nBecause the following occurs:\n\nevent_trigger_write() {\n trigger_process_regex() {\n event_hist_trigger_parse() {\n\n data = event_trigger_alloc(..);\n\n event_trigger_register(.., data) {\n cmd_ops->reg(.., data, ..) [hist_register_trigger()] {\n data->ops->init() [event_hist_trigger_init()] {\n save_named_trigger(name, data) {\n list_add(&data->named_list, &named_triggers);\n }\n }\n }\n }\n\n ret = create_actions(); (return -EINVAL)\n if (ret)\n goto out_unreg;\n[..]\n ret = hist_trigger_enable(data, ...) {\n list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!)\n[..]\n out_unreg:\n event_hist_unregister(.., data) {\n cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {\n list_for_each_entry(iter, &file->triggers, list) {\n if (!hist_trigger_match(data, iter, named_data, false)) <- never matches\n continue;\n [..]\n test = iter;\n }\n if (test && test->ops->free) <<<-- test is NULL\n\n test->ops->free(test) [event_hist_trigger_free()] {\n [..]\n if (data->name)\n del_named_trigger(data) {\n list_del(&data->named_list); <<<<-- NEVER gets removed!\n }\n }\n }\n }\n\n [..]\n kfree(data); <<<-- frees item but it is still on list\n\nThe next time a hist with name is registered, it causes an u-a-f bug and\nthe kernel can crash.\n\nMove the code around such that if event_trigger_register() succeeds, the\nnext thing called is hist_trigger_enable() which adds it to the list.\n\nA bunch of actions is called if get_named_trigger_data() returns false.\nBut that doesn't need to be called after event_trigger_register(), so it\ncan be moved up, allowing event_trigger_register() to be called just\nbefore hist_trigger_enable() keeping them together and allowing the\nfile->triggers to be properly populated.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21899 was patched at 2025-04-12, 2025-04-23

236. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21913) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nx86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()\n\nXen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results\nin the following warning:\n\n unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0)\n Call Trace:\n xen_read_msr+0x1e/0x30\n amd_get_mmconfig_range+0x2b/0x80\n quirk_amd_mmconfig_area+0x28/0x100\n pnp_fixup_device+0x39/0x50\n __pnp_add_device+0xf/0x150\n pnp_add_device+0x3d/0x100\n pnpacpi_add_device_handler+0x1f9/0x280\n acpi_ns_get_device_callback+0x104/0x1c0\n acpi_ns_walk_namespace+0x1d0/0x260\n acpi_get_devices+0x8a/0xb0\n pnpacpi_init+0x50/0x80\n do_one_initcall+0x46/0x2e0\n kernel_init_freeable+0x1da/0x2f0\n kernel_init+0x16/0x1b0\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1b/0x30\n\nbased on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the\nright course of action, so no change is needed there.\n\nThis was most likely exposed by fixing the Xen MSR accessors to not be\nsilently-safe.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21913 was patched at 2025-04-12, 2025-04-23

237. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21938) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled. An example stack: BUG: scheduling while atomic: swapper/2/0/0x00000302 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) </IRQ> This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead. Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr\n\nIf multiple connection requests attempt to create an implicit mptcp\nendpoint in parallel, more than one caller may end up in\nmptcp_pm_nl_append_new_local_addr because none found the address in\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id. In this\ncase, the concurrent new_local_addr calls may delete the address entry\ncreated by the previous caller. These deletes use synchronize_rcu, but\nthis is not permitted in some of the contexts where this function may be\ncalled. During packet recv, the caller may be in a rcu read critical\nsection and have preemption disabled.\n\nAn example stack:\n\n BUG: scheduling while atomic: swapper/2/0/0x00000302\n\n Call Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\n dump_stack (lib/dump_stack.c:124)\n __schedule_bug (kernel/sched/core.c:5943)\n schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\n __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\n schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\n schedule_timeout (kernel/time/timer.c:2160)\n wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\n __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\n synchronize_rcu (kernel/rcu/tree.c:3609)\n mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\n mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\n mptcp_pm_get_local_id (net/mptcp/pm.c:420)\n subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\n subflow_v4_route_req (net/mptcp/subflow.c:305)\n tcp_conn_request (net/ipv4/tcp_input.c:7216)\n subflow_v4_conn_request (net/mptcp/subflow.c:651)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\n tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\n tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\n ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\n ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\n ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\n ip_sublist_rcv (net/ipv4/ip_input.c:640)\n ip_list_rcv (net/ipv4/ip_input.c:675)\n __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\n netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\n napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\n igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\n __napi_poll (net/core/dev.c:6582)\n net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\n handle_softirqs (kernel/softirq.c:553)\n __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\n irq_exit_rcu (kernel/softirq.c:651)\n common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\n </IRQ>\n\nThis problem seems particularly prevalent if the user advertises an\nendpoint that has a different external vs internal address. In the case\nwhere the external address is advertised and multiple connections\nalready exist, multiple subflow SYNs arrive in parallel which tends to\ntrigger the race during creation of the first local_addr_list entries\nwhich have the internal address instead.\n\nFix by skipping the replacement of an existing implicit local address if\ncalled via mptcp_pm_nl_get_local_id.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21938 was patched at 2025-04-12, 2025-04-23

238. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21944) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix bug on trap in smb2_lock If lock count is greater than 1, flags could be old value. It should be checked with flags of smb_lock, not flags. It will cause bug-on trap from locks_free_lock in error handling routine.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix bug on trap in smb2_lock\n\nIf lock count is greater than 1, flags could be old value.\nIt should be checked with flags of smb_lock, not flags.\nIt will cause bug-on trap from locks_free_lock in error handling\nroutine.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21944 was patched at 2025-04-12, 2025-04-23

239. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21960) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it. This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed. Splat looks like: WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_] CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f RSP: 0018:ffff88881ba09928 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0xcd/0x2f0 ? bnxt_rx_pkt+0x479b/0x7610 ? report_bug+0x326/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? bnxt_rx_pkt+0x479b/0x7610 ? bnxt_rx_pkt+0x3e41/0x7610 ? __pfx_bnxt_rx_pkt+0x10/0x10 ? napi_complete_done+0x2cf/0x7d0 __bnxt_poll_work+0x4e8/0x1220 ? __pfx___bnxt_poll_work+0x10/0x10 ? __pfx_mark_lock.part.0+0x10/0x10 bnxt_poll_p5+0x36a/0xfa0 ? __pfx_bnxt_poll_p5+0x10/0x10 __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x899/0xd00 ... Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: do not update checksum in bnxt_xdp_build_skb()\n\nThe bnxt_rx_pkt() updates ip_summed value at the end if checksum offload\nis enabled.\nWhen the XDP-MB program is attached and it returns XDP_PASS, the\nbnxt_xdp_build_skb() is called to update skb_shared_info.\nThe main purpose of bnxt_xdp_build_skb() is to update skb_shared_info,\nbut it updates ip_summed value too if checksum offload is enabled.\nThis is actually duplicate work.\n\nWhen the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed\nis CHECKSUM_NONE or not.\nIt means that ip_summed should be CHECKSUM_NONE at this moment.\nBut ip_summed may already be updated to CHECKSUM_UNNECESSARY in the\nXDP-MB-PASS path.\nSo the by skb_checksum_none_assert() WARNS about it.\n\nThis is duplicate work and updating ip_summed in the\nbnxt_xdp_build_skb() is not needed.\n\nSplat looks like:\nWARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nModules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_]\nCPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27\nTainted: [W]=WARN\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nCode: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f\nRSP: 0018:ffff88881ba09928 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000\nRDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8\nRBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070\nR10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080\nR13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000\nFS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? __warn+0xcd/0x2f0\n ? bnxt_rx_pkt+0x479b/0x7610\n ? report_bug+0x326/0x3c0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x14/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? bnxt_rx_pkt+0x479b/0x7610\n ? bnxt_rx_pkt+0x3e41/0x7610\n ? __pfx_bnxt_rx_pkt+0x10/0x10\n ? napi_complete_done+0x2cf/0x7d0\n __bnxt_poll_work+0x4e8/0x1220\n ? __pfx___bnxt_poll_work+0x10/0x10\n ? __pfx_mark_lock.part.0+0x10/0x10\n bnxt_poll_p5+0x36a/0xfa0\n ? __pfx_bnxt_poll_p5+0x10/0x10\n __napi_poll.constprop.0+0xa0/0x440\n net_rx_action+0x899/0xd00\n...\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going\nto be able to reproduce this issue.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21960 was patched at 2025-04-12, 2025-04-23

240. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21978) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequently the kernel address space for the mapping is leaked. Fix this by adding iounmap() calls in the device removal path, and in the error path during device probing.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hyperv: Fix address space leak when Hyper-V DRM device is removed\n\nWhen a Hyper-V DRM device is probed, the driver allocates MMIO space for\nthe vram, and maps it cacheable. If the device removed, or in the error\npath for device probing, the MMIO space is released but no unmap is done.\nConsequently the kernel address space for the mapping is leaked.\n\nFix this by adding iounmap() calls in the device removal path, and in the\nerror path during device probing.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21978 was patched at 2025-04-12, 2025-04-23

241. Unknown Vulnerability Type - Linux Kernel (CVE-2025-21986) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the chain and informing notifiers about an event. In case of the blocking switchdev notification chain, recursive notifications are possible which leads to the semaphore being acquired twice for reading and to lockdep warnings being generated [1]. Specifically, this can happen when the bridge driver processes a SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications about deferred events when calling switchdev_deferred_process(). Fix this by converting the notification chain to a raw notification chain in a similar fashion to the netdev notification chain. Protect the chain using the RTNL mutex by acquiring it when modifying the chain. Events are always informed under the RTNL mutex, but add an assertion in call_switchdev_blocking_notifiers() to make sure this is not violated in the future. Maintain the "blocking" prefix as events are always emitted from process context and listeners are allowed to block. [1]: WARNING: possible recursive locking detected 6.14.0-rc4-custom-g079270089484 #1 Not tainted -------------------------------------------- ip/52731 is trying to acquire lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 but task is already holding lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock((switchdev_blocking_notif_chain).rwsem); lock((switchdev_blocking_notif_chain).rwsem); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 stack backtrace: ... ? __pfx_down_read+0x10/0x10 ? __pfx_mark_lock+0x10/0x10 ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10 blocking_notifier_call_chain+0x58/0xa0 switchdev_port_attr_notify.constprop.0+0xb3/0x1b0 ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10 ? mark_held_locks+0x94/0xe0 ? switchdev_deferred_process+0x11a/0x340 switchdev_port_attr_set_deferred+0x27/0xd0 switchdev_deferred_process+0x164/0x340 br_switchdev_port_unoffload+0xc8/0x100 [bridge] br_switchdev_blocking_event+0x29f/0x580 [bridge] notifier_call_chain+0xa2/0x440 blocking_notifier_call_chain+0x6e/0xa0 switchdev_bridge_port_unoffload+0xde/0x1a0 ...', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nnet: switchdev: Convert blocking notification chain to a raw one\n\nA blocking notification chain uses a read-write semaphore to protect the\nintegrity of the chain. The semaphore is acquired for writing when\nadding / removing notifiers to / from the chain and acquired for reading\nwhen traversing the chain and informing notifiers about an event.\n\nIn case of the blocking switchdev notification chain, recursive\nnotifications are possible which leads to the semaphore being acquired\ntwice for reading and to lockdep warnings being generated [1].\n\nSpecifically, this can happen when the bridge driver processes a\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\nabout deferred events when calling switchdev_deferred_process().\n\nFix this by converting the notification chain to a raw notification\nchain in a similar fashion to the netdev notification chain. Protect\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\nEvents are always informed under the RTNL mutex, but add an assertion in\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\nthe future.\n\nMaintain the "blocking" prefix as events are always emitted from process\ncontext and listeners are allowed to block.\n\n[1]:\nWARNING: possible recursive locking detected\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\n--------------------------------------------\nip/52731 is trying to acquire lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nbut task is already holding lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0\n----\nlock((switchdev_blocking_notif_chain).rwsem);\nlock((switchdev_blocking_notif_chain).rwsem);\n\n*** DEADLOCK ***\nMay be due to missing lock nesting notation\n3 locks held by ip/52731:\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\n #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\n #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nstack backtrace:\n...\n? __pfx_down_read+0x10/0x10\n? __pfx_mark_lock+0x10/0x10\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\nblocking_notifier_call_chain+0x58/0xa0\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\n? mark_held_locks+0x94/0xe0\n? switchdev_deferred_process+0x11a/0x340\nswitchdev_port_attr_set_deferred+0x27/0xd0\nswitchdev_deferred_process+0x164/0x340\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\nnotifier_call_chain+0xa2/0x440\nblocking_notifier_call_chain+0x6e/0xa0\nswitchdev_bridge_port_unoffload+0xde/0x1a0\n...', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00041, EPSS Percentile is 0.11863

debian: CVE-2025-21986 was patched at 2025-04-12, 2025-04-23

242. Unknown Vulnerability Type - Linux Kernel (CVE-2025-22008) - Low [161]

Description: {'nvd_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: check that dummy regulator has been probed before using it\n\nDue to asynchronous driver probing there is a chance that the dummy\nregulator hasn't already been probed when first accessing it.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.914The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile0.110EPSS Probability is 0.00032, EPSS Percentile is 0.07556

debian: CVE-2025-22008 was patched at 2025-04-12, 2025-04-23

243. Denial of Service - Unknown Product (CVE-2025-30258) - Low [160]

Description: {'nvd_cve_data_all': 'In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.715Denial of Service
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.310CVSS Base Score is 2.7. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.0001, EPSS Percentile is 0.00775

debian: CVE-2025-30258 was patched at 2025-04-23

ubuntu: CVE-2025-30258 was patched at 2025-04-03

244. Memory Corruption - Unknown Product (CVE-2023-48184) - Low [148]

Description: {'nvd_cve_data_all': 'QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.410CVSS Base Score is 3.9. According to NVD data source
EPSS Percentile0.110EPSS Probability is 0.00048, EPSS Percentile is 0.14812

ubuntu: CVE-2023-48184 was patched at 2025-04-15

245. Memory Corruption - Unknown Product (CVE-2025-32365) - Low [136]

Description: {'nvd_cve_data_all': 'Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type0.515Memory Corruption
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.410CVSS Base Score is 4.0. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00017, EPSS Percentile is 0.0273

debian: CVE-2025-32365 was patched at 2025-04-23

ubuntu: CVE-2025-32365 was patched at 2025-04-08, 2025-04-09

246. Unknown Vulnerability Type - MongoDB (CVE-2024-8013) - Low [135]

Description: {'nvd_cve_data_all': 'A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common0.614MongoDB is a source-available, cross-platform, document-oriented database program
CVSS Base Score0.310CVSS Base Score is 3.3. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.0001, EPSS Percentile is 0.00753

redos: CVE-2024-8013 was patched at 2025-03-26

247. Unknown Vulnerability Type - Unknown Product (CVE-2025-30204) - Low [95]

Description: {'nvd_cve_data_all': 'golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.810CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00024, EPSS Percentile is 0.04945

almalinux: CVE-2025-30204 was patched at 2025-03-27

debian: CVE-2025-30204 was patched at 2025-04-23

oraclelinux: CVE-2025-30204 was patched at 2025-03-27

redhat: CVE-2025-30204 was patched at 2025-03-27, 2025-03-31, 2025-04-07, 2025-04-08

248. Unknown Vulnerability Type - Unknown Product (CVE-2025-27796) - Low [59]

Description: {'nvd_cve_data_all': 'ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette buffer allocation, resulting in out-of-bounds access to heap memory in ReadBlob.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette buffer allocation, resulting in out-of-bounds access to heap memory in ReadBlob.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.510CVSS Base Score is 4.5. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00021, EPSS Percentile is 0.03893

ubuntu: CVE-2025-27796 was patched at 2025-04-14

249. Unknown Vulnerability Type - Unknown Product (CVE-2024-33263) - Low [47]

Description: {'nvd_cve_data_all': 'QuickJS commit 3b45d15 was discovered to contain an Assertion Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'QuickJS commit 3b45d15 was discovered to contain an Assertion Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.410CVSS Base Score is 4.0. According to NVD data source
EPSS Percentile0.010EPSS Probability is 0.00014, EPSS Percentile is 0.01471

ubuntu: CVE-2024-33263 was patched at 2025-04-15

250. Unknown Vulnerability Type - Unknown Product (CVE-2024-53159) - Low [0]

Description: {'nvd_cve_data_all': 'Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile010EPSS Probability is 0, EPSS Percentile is 0

redos: CVE-2024-53159 was patched at 2025-03-20

251. Unknown Vulnerability Type - Unknown Product (CVE-2025-31510) - Low [0]

Description: {'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual " "that will use it when announcing a new security problem. When the candidate has been " "publicized, the details for this candidate will be provided.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ComponentValueWeightComment
Exploited in the Wild018Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists017The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type015Unknown Vulnerability Type
Vulnerable Product is Common014Unknown Product
CVSS Base Score0.010CVSS Base Score is NA. No data.
EPSS Percentile010EPSS Probability is 0, EPSS Percentile is 0

debian: CVE-2025-31510 was patched at 2025-04-08, 2025-04-23

Exploitation in the wild detected (0)

Public exploit exists, but exploitation in the wild is NOT detected (7)

Code Injection (2)

Information Disclosure (1)

Security Feature Bypass (1)

Denial of Service (1)

Memory Corruption (2)

Other Vulnerabilities (244)

Memory Corruption (76)

Command Injection (1)

Remote Code Execution (3)

Denial of Service (15)

Security Feature Bypass (7)

Elevation of Privilege (2)

Authentication Bypass (7)

Information Disclosure (8)

Path Traversal (2)

Cross Site Scripting (9)

Incorrect Calculation (6)

Spoofing (3)

Unknown Vulnerability Type (105)