Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2025:11428
Vulnerability from osv_almalinux
Published
2025-07-21 00:00
Modified
2025-07-30 08:22
Summary
Important: kernel security update
Details
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
- kernel: media: uvcvideo: Remove dangling pointers (CVE-2024-58002)
- kernel: media: uvcvideo: Fix double free in error path (CVE-2024-57980)
- kernel: wifi: iwlwifi: limit printed string from FW file (CVE-2025-21905)
- kernel: mm/huge_memory: fix dereferencing invalid pmd migration entry (CVE-2025-37958)
- kernel: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (CVE-2025-38089)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-abi-stablelists"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-55.22.1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-55.22.1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel packages contain the Linux kernel, the core of any Linux operating system. \n\nSecurity Fix(es): \n\n * kernel: media: uvcvideo: Remove dangling pointers (CVE-2024-58002)\n * kernel: media: uvcvideo: Fix double free in error path (CVE-2024-57980)\n * kernel: wifi: iwlwifi: limit printed string from FW file (CVE-2025-21905)\n * kernel: mm/huge_memory: fix dereferencing invalid pmd migration entry (CVE-2025-37958)\n * kernel: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (CVE-2025-38089)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:11428",
"modified": "2025-07-30T08:22:07Z",
"published": "2025-07-21T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:11428"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-57980"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-58002"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-21905"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-37958"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-38089"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2348513"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2348599"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2356613"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2367572"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2375529"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2025-11428.html"
}
],
"related": [
"CVE-2024-58002",
"CVE-2024-57980",
"CVE-2025-21905",
"CVE-2025-37958",
"CVE-2025-38089"
],
"summary": "Important: kernel security update"
}
CVE-2025-21905 (GCVE-0-2025-21905)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:38
VLAI?
EPSS
Title
wifi: iwlwifi: limit printed string from FW file
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: limit printed string from FW file
There's no guarantee here that the file is always with a
NUL-termination, so reading the string may read beyond the
end of the TLV. If that's the last TLV in the file, it can
perhaps even read beyond the end of the file buffer.
Fix that by limiting the print format to the size of the
buffer we have.
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
aee1b6385e29e472ae5592b9652b750a29bf702e , < 38f0d398b6d7640d223db69df022c4a232f24774
(git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < c0e626f2b2390472afac52dfe72b29daf9ed8e1d (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 47616b82f2d42ea2060334746fed9a2988d845c9 (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 88ed69f924638c7503644e1f8eed1e976f3ffa7a (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < b02f8d5a71c8571ccf77f285737c566db73ef5e5 (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < f265e6031d0bc4fc40c4619cb42466722b46eaa9 (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 59cdda202829d1d6a095d233386870a59aff986f (git) Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < e0dc2c1bef722cbf16ae557690861e5f91208129 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:24:24.171530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:34.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:51.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/iwl-drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38f0d398b6d7640d223db69df022c4a232f24774",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "c0e626f2b2390472afac52dfe72b29daf9ed8e1d",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "47616b82f2d42ea2060334746fed9a2988d845c9",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "88ed69f924638c7503644e1f8eed1e976f3ffa7a",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "b02f8d5a71c8571ccf77f285737c566db73ef5e5",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "f265e6031d0bc4fc40c4619cb42466722b46eaa9",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "59cdda202829d1d6a095d233386870a59aff986f",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
},
{
"lessThan": "e0dc2c1bef722cbf16ae557690861e5f91208129",
"status": "affected",
"version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/iwl-drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: limit printed string from FW file\n\nThere\u0027s no guarantee here that the file is always with a\nNUL-termination, so reading the string may read beyond the\nend of the TLV. If that\u0027s the last TLV in the file, it can\nperhaps even read beyond the end of the file buffer.\n\nFix that by limiting the print format to the size of the\nbuffer we have."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:55.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38f0d398b6d7640d223db69df022c4a232f24774"
},
{
"url": "https://git.kernel.org/stable/c/c0e626f2b2390472afac52dfe72b29daf9ed8e1d"
},
{
"url": "https://git.kernel.org/stable/c/47616b82f2d42ea2060334746fed9a2988d845c9"
},
{
"url": "https://git.kernel.org/stable/c/88ed69f924638c7503644e1f8eed1e976f3ffa7a"
},
{
"url": "https://git.kernel.org/stable/c/b02f8d5a71c8571ccf77f285737c566db73ef5e5"
},
{
"url": "https://git.kernel.org/stable/c/f265e6031d0bc4fc40c4619cb42466722b46eaa9"
},
{
"url": "https://git.kernel.org/stable/c/59cdda202829d1d6a095d233386870a59aff986f"
},
{
"url": "https://git.kernel.org/stable/c/e0dc2c1bef722cbf16ae557690861e5f91208129"
}
],
"title": "wifi: iwlwifi: limit printed string from FW file",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21905",
"datePublished": "2025-04-01T15:40:46.465Z",
"dateReserved": "2024-12-29T08:45:45.785Z",
"dateUpdated": "2025-11-03T19:38:51.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38089 (GCVE-0-2025-38089)
Vulnerability from cvelistv5 – Published: 2025-06-30 07:29 – Updated: 2025-11-04 21:10
VLAI?
EPSS
Title
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.
If it's the first time the thread has processed an RPC, then that
pointer will be set to NULL and the kernel will crash. In other cases,
it could create a memory scribble.
The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate
or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531
says that if authentication fails that the RPC should be rejected
instead with a status of AUTH_ERR.
Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of
AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This
sidesteps the whole problem of touching the rpc_accept_statp pointer in
this situation and avoids the crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
29cd2927fb914cc53b5ba4f67d2b74695c994ba4 , < 599c489eea793821232a2f69a00fa57d82b0ac98
(git)
Affected: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 , < 353e75b55e583635bf71cde6abcec274dba05edd (git) Affected: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 , < c90459cd58bb421d275337093d8e901e0ba748dd (git) Affected: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 , < 94d10a4dba0bc482f2b01e39f06d5513d0f75742 (git) Affected: 9b59f5c4911e87264507e0934cd2bb277390c560 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:10.064Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/02/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "599c489eea793821232a2f69a00fa57d82b0ac98",
"status": "affected",
"version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
"versionType": "git"
},
{
"lessThan": "353e75b55e583635bf71cde6abcec274dba05edd",
"status": "affected",
"version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
"versionType": "git"
},
{
"lessThan": "c90459cd58bb421d275337093d8e901e0ba748dd",
"status": "affected",
"version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
"versionType": "git"
},
{
"lessThan": "94d10a4dba0bc482f2b01e39f06d5513d0f75742",
"status": "affected",
"version": "29cd2927fb914cc53b5ba4f67d2b74695c994ba4",
"versionType": "git"
},
{
"status": "affected",
"version": "9b59f5c4911e87264507e0934cd2bb277390c560",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: handle SVC_GARBAGE during svc auth processing as auth error\n\ntianshuo han reported a remotely-triggerable crash if the client sends a\nkernel RPC server a specially crafted packet. If decoding the RPC reply\nfails in such a way that SVC_GARBAGE is returned without setting the\nrq_accept_statp pointer, then that pointer can be dereferenced and a\nvalue stored there.\n\nIf it\u0027s the first time the thread has processed an RPC, then that\npointer will be set to NULL and the kernel will crash. In other cases,\nit could create a memory scribble.\n\nThe server sunrpc code treats a SVC_GARBAGE return from svc_authenticate\nor pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531\nsays that if authentication fails that the RPC should be rejected\ninstead with a status of AUTH_ERR.\n\nHandle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of\nAUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This\nsidesteps the whole problem of touching the rpc_accept_statp pointer in\nthis situation and avoids the crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:04.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/599c489eea793821232a2f69a00fa57d82b0ac98"
},
{
"url": "https://git.kernel.org/stable/c/353e75b55e583635bf71cde6abcec274dba05edd"
},
{
"url": "https://git.kernel.org/stable/c/c90459cd58bb421d275337093d8e901e0ba748dd"
},
{
"url": "https://git.kernel.org/stable/c/94d10a4dba0bc482f2b01e39f06d5513d0f75742"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/07/02/2"
},
{
"url": "https://github.com/keymaker-arch/NFSundown"
}
],
"title": "sunrpc: handle SVC_GARBAGE during svc auth processing as auth error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38089",
"datePublished": "2025-06-30T07:29:44.836Z",
"dateReserved": "2025-04-16T04:51:23.982Z",
"dateUpdated": "2025-11-04T21:10:10.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57980 (GCVE-0-2024-57980)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:32
VLAI?
EPSS
Title
media: uvcvideo: Fix double free in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix double free in error path
If the uvc_status_init() function fails to allocate the int_urb, it will
free the dev->status pointer but doesn't reset the pointer to NULL. This
results in the kfree() call in uvc_status_cleanup() trying to
double-free the memory. Fix it by resetting the dev->status pointer to
NULL after freeing it.
Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d
(git)
Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 87522ef165e5b6de8ef98cc318f3335166a1512c (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 9232719ac9ce4d5c213cebda23d72aec3e1c4c0d (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < 6c36dcd662ec5276782838660f8533a7cb26be49 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d1f8e69eec91d5a75ef079778a5d0151db2a7f22 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < d8e63dd7b6683969d3d47c7b8e9635f96d554ad4 (git) Affected: a31a4055473bf0a7b2b06cb2262347200d0711e1 , < c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:59.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "87522ef165e5b6de8ef98cc318f3335166a1512c",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "9232719ac9ce4d5c213cebda23d72aec3e1c4c0d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "6c36dcd662ec5276782838660f8533a7cb26be49",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d1f8e69eec91d5a75ef079778a5d0151db2a7f22",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d8e63dd7b6683969d3d47c7b8e9635f96d554ad4",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:38.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d"
},
{
"url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c"
},
{
"url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277"
},
{
"url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d"
},
{
"url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49"
},
{
"url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22"
},
{
"url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4"
},
{
"url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac"
}
],
"title": "media: uvcvideo: Fix double free in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57980",
"datePublished": "2025-02-27T02:07:06.849Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2025-11-03T19:32:59.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37958 (GCVE-0-2025-37958)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2025-11-03 17:32
VLAI?
EPSS
Title
mm/huge_memory: fix dereferencing invalid pmd migration entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: fix dereferencing invalid pmd migration entry
When migrating a THP, concurrent access to the PMD migration entry during
a deferred split scan can lead to an invalid address access, as
illustrated below. To prevent this invalid access, it is necessary to
check the PMD migration entry and return early. In this context, there is
no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
equality of the target folio. Since the PMD migration entry is locked, it
cannot be served as the target.
Mailing list discussion and explanation from Hugh Dickins: "An anon_vma
lookup points to a location which may contain the folio of interest, but
might instead contain another folio: and weeding out those other folios is
precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of
replacing the wrong folio" comment a few lines above it) is for."
BUG: unable to handle page fault for address: ffffea60001db008
CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
Call Trace:
<TASK>
try_to_migrate_one+0x28c/0x3730
rmap_walk_anon+0x4f6/0x770
unmap_folio+0x196/0x1f0
split_huge_page_to_list_to_order+0x9f6/0x1560
deferred_split_scan+0xac5/0x12a0
shrinker_debugfs_scan_write+0x376/0x470
full_proxy_write+0x15c/0x220
vfs_write+0x2fc/0xcb0
ksys_write+0x146/0x250
do_syscall_64+0x6a/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug is found by syzkaller on an internal kernel, then confirmed on
upstream.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 753f142f7ff7d2223a47105b61e1efd91587d711
(git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 9468afbda3fbfcec21ac8132364dff3dab945faf (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < ef5706bed97e240b4abf4233ceb03da7336bc775 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 22f6368768340260e862f35151d2e1c55cb1dc75 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 3977946f61cdba87b6b5aaf7d7094e96089583a5 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 6166c3cf405441f7147b322980144feb3cefc617 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < fbab262b0c8226c697af1851a424896ed47dedcc (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:32:46.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "6166c3cf405441f7147b322980144feb3cefc617",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below. To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early. In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio. Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T10:21:21.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
},
{
"url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
},
{
"url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
},
{
"url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
},
{
"url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
},
{
"url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
},
{
"url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
},
{
"url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
}
],
"title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37958",
"datePublished": "2025-05-20T16:01:51.740Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2025-11-03T17:32:46.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58002 (GCVE-0-2024-58002)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2025-11-03 19:33
VLAI?
EPSS
Title
media: uvcvideo: Remove dangling pointers
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Remove dangling pointers
When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.
If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.
Clean all the dangling pointers during release().
To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e5225c820c057537dc780244760e2e24c7d27366 , < 2a29413ace64627e178fd422dd8a5d95219a2c0b
(git)
Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 653993f46861f2971e95e9a0e36a34b49dec542c (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < ac18d781466252cd35a3e311e0a4b264260fd927 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 4dbaa738c583a0e947803c69e8996e88cf98d971 (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 438bda062b2c40ddd7df23b932e29ffe0a448cac (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 9edc7d25f7e49c33a1ce7a5ffadea2222065516c (git) Affected: e5225c820c057537dc780244760e2e24c7d27366 , < 221cd51efe4565501a3dbf04cc011b537dcce7fb (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:15.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a29413ace64627e178fd422dd8a5d95219a2c0b",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "653993f46861f2971e95e9a0e36a34b49dec542c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "ac18d781466252cd35a3e311e0a4b264260fd927",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "4dbaa738c583a0e947803c69e8996e88cf98d971",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "438bda062b2c40ddd7df23b932e29ffe0a448cac",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "9edc7d25f7e49c33a1ce7a5ffadea2222065516c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "221cd51efe4565501a3dbf04cc011b537dcce7fb",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:09.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b"
},
{
"url": "https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c"
},
{
"url": "https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50"
},
{
"url": "https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927"
},
{
"url": "https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971"
},
{
"url": "https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac"
},
{
"url": "https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c"
},
{
"url": "https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb"
}
],
"title": "media: uvcvideo: Remove dangling pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58002",
"datePublished": "2025-02-27T02:12:00.223Z",
"dateReserved": "2025-02-27T02:04:28.915Z",
"dateUpdated": "2025-11-03T19:33:15.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…