Vulnerability-Lookup

alsa-2025:11850

Vulnerability from osv_almalinux

Published

2025-07-28 00:00

Modified

2025-08-06 17:11

Summary

Moderate: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: wifi: iwlwifi: limit printed string from FW file (CVE-2025-21905)
kernel: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (CVE-2025-21919)
kernel: ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead (CVE-2022-49977)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.64.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: wifi: iwlwifi: limit printed string from FW file (CVE-2025-21905)\n  * kernel: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (CVE-2025-21919)\n  * kernel: ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead (CVE-2022-49977)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:11850",
  "modified": "2025-08-06T17:11:33Z",
  "published": "2025-07-28T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:11850"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-49977"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-21905"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-21919"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2356613"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2356618"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2373574"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-11850.html"
    }
  ],
  "related": [
    "CVE-2025-21905",
    "CVE-2025-21919",
    "CVE-2022-49977"
  ],
  "summary": "Moderate: kernel security update"
}

CVE-2025-21919 (GCVE-0-2025-21919)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5cb300dcdd27e6a35…
	https://git.kernel.org/stable/c/000c9ee43928f2ce6…
	https://git.kernel.org/stable/c/9cc7f0018609f75a3…
	https://git.kernel.org/stable/c/b5741e4b9ef356761…
	https://git.kernel.org/stable/c/e1dd09df30ba86716…
	https://git.kernel.org/stable/c/3b4035ddbfc8e4521…

Impacted products

Vendor

Product

Version

Linux

Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 5cb300dcdd27e6a351ac02541e0231261c775852 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 000c9ee43928f2ce68a156dd40bab7616256f4dd (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 9cc7f0018609f75a349e42e3aebc3b0e905ba775 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < b5741e4b9ef3567613b2351384f91d3f16e59986 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < e1dd09df30ba86716cb2ffab97dc35195c01eb8f (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 3b4035ddbfc8e4521f85569998a7569668cccf51 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21919",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:23:59.713530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:11.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cb300dcdd27e6a351ac02541e0231261c775852",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "000c9ee43928f2ce68a156dd40bab7616256f4dd",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "9cc7f0018609f75a349e42e3aebc3b0e905ba775",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "b5741e4b9ef3567613b2351384f91d3f16e59986",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "e1dd09df30ba86716cb2ffab97dc35195c01eb8f",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "3b4035ddbfc8e4521f85569998a7569668cccf51",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:33.615Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852"
        },
        {
          "url": "https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51"
        }
      ],
      "title": "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21919",
    "datePublished": "2025-04-01T15:40:54.075Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:39:11.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21905 (GCVE-0-2025-21905)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:38

Title

wifi: iwlwifi: limit printed string from FW file

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/38f0d398b6d7640d2…
	https://git.kernel.org/stable/c/c0e626f2b2390472a…
	https://git.kernel.org/stable/c/47616b82f2d42ea20…
	https://git.kernel.org/stable/c/88ed69f924638c750…
	https://git.kernel.org/stable/c/b02f8d5a71c8571cc…
	https://git.kernel.org/stable/c/f265e6031d0bc4fc4…
	https://git.kernel.org/stable/c/59cdda202829d1d6a…
	https://git.kernel.org/stable/c/e0dc2c1bef722cbf1…

Impacted products

Vendor

Product

Version

Linux

Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 38f0d398b6d7640d223db69df022c4a232f24774 (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < c0e626f2b2390472afac52dfe72b29daf9ed8e1d (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 47616b82f2d42ea2060334746fed9a2988d845c9 (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 88ed69f924638c7503644e1f8eed1e976f3ffa7a (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < b02f8d5a71c8571ccf77f285737c566db73ef5e5 (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < f265e6031d0bc4fc40c4619cb42466722b46eaa9 (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < 59cdda202829d1d6a095d233386870a59aff986f (git)
Affected: aee1b6385e29e472ae5592b9652b750a29bf702e , < e0dc2c1bef722cbf16ae557690861e5f91208129 (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:24:24.171530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:34.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:51.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/iwl-drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "38f0d398b6d7640d223db69df022c4a232f24774",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "c0e626f2b2390472afac52dfe72b29daf9ed8e1d",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "47616b82f2d42ea2060334746fed9a2988d845c9",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "88ed69f924638c7503644e1f8eed1e976f3ffa7a",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "b02f8d5a71c8571ccf77f285737c566db73ef5e5",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "f265e6031d0bc4fc40c4619cb42466722b46eaa9",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "59cdda202829d1d6a095d233386870a59aff986f",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            },
            {
              "lessThan": "e0dc2c1bef722cbf16ae557690861e5f91208129",
              "status": "affected",
              "version": "aee1b6385e29e472ae5592b9652b750a29bf702e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/iwl-drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: limit printed string from FW file\n\nThere\u0027s no guarantee here that the file is always with a\nNUL-termination, so reading the string may read beyond the\nend of the TLV. If that\u0027s the last TLV in the file, it can\nperhaps even read beyond the end of the file buffer.\n\nFix that by limiting the print format to the size of the\nbuffer we have."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:55.412Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/38f0d398b6d7640d223db69df022c4a232f24774"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0e626f2b2390472afac52dfe72b29daf9ed8e1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/47616b82f2d42ea2060334746fed9a2988d845c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/88ed69f924638c7503644e1f8eed1e976f3ffa7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b02f8d5a71c8571ccf77f285737c566db73ef5e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f265e6031d0bc4fc40c4619cb42466722b46eaa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/59cdda202829d1d6a095d233386870a59aff986f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0dc2c1bef722cbf16ae557690861e5f91208129"
        }
      ],
      "title": "wifi: iwlwifi: limit printed string from FW file",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21905",
    "datePublished": "2025-04-01T15:40:46.465Z",
    "dateReserved": "2024-12-29T08:45:45.785Z",
    "dateUpdated": "2025-11-03T19:38:51.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49977 (GCVE-0-2022-49977)

Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2025-12-23 13:26

Title

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead ftrace_startup does not remove ops from ftrace_ops_list when ftrace_startup_enable fails: register_ftrace_function ftrace_startup __register_ftrace_function ... add_ftrace_ops(&ftrace_ops_list, ops) ... ... ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1 ... return 0 // ops is in the ftrace_ops_list. When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything: unregister_ftrace_function ftrace_shutdown if (unlikely(ftrace_disabled)) return -ENODEV; // return here, __unregister_ftrace_function is not executed, // as a result, ops is still in the ftrace_ops_list __unregister_ftrace_function ... If ops is dynamically allocated, it will be free later, in this case, is_ftrace_trampoline accesses NULL pointer: is_ftrace_trampoline ftrace_ops_trampoline do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL! Syzkaller reports as follows: [ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b [ 1203.508039] #PF: supervisor read access in kernel mode [ 1203.508798] #PF: error_code(0x0000) - not-present page [ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0 [ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI [ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8 [ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0 [ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00 [ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246 [ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866 [ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b [ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07 [ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399 [ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008 [ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000 [ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0 [ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Therefore, when ftrace_startup_enable fails, we need to rollback registration process and remove ops from ftrace_ops_list.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8569b4ada1e0b9bfa…
	https://git.kernel.org/stable/c/4c34a2a6c9927c239…
	https://git.kernel.org/stable/c/ddffe882d74ef43a3…
	https://git.kernel.org/stable/c/934e49f7d696afdae…
	https://git.kernel.org/stable/c/dbd8c8fc60480e3fa…
	https://git.kernel.org/stable/c/e4ae97295984ff1b9…
	https://git.kernel.org/stable/c/d81bd6671f45fde4c…
	https://git.kernel.org/stable/c/c3b0f72e805f0801f…

Impacted products

Vendor

Product

Version

Linux

Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < 8569b4ada1e0b9bfaa125bd0c0967918b6560fa2 (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < 4c34a2a6c9927c239dd2e295a03d49b37b618d2c (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < ddffe882d74ef43a3494f0ab0c24baf076c45f96 (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < 934e49f7d696afdae9f979abe3f308408184e17b (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77 (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < e4ae97295984ff1b9b340ed18ae1b066f36b7835 (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e (git)
Affected: 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 , < c3b0f72e805f0801f05fa2aa52011c4bfc694c44 (git)
Affected: 969a08e9048ddd0d655a19e692673cdb95116ce6 (git)
Affected: 51d351d5b949ae7204696ada7ef502ed34d34fb0 (git)
Affected: 2940c25bec92f40a3f7f32504b8ea115d1701892 (git)
Affected: 189f4e672fc1c086f78818affc810ef29dda42a3 (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 4.9.327 , ≤ 4.9.* (semver)
Unaffected: 4.14.292 , ≤ 4.14.* (semver)
Unaffected: 4.19.257 , ≤ 4.19.* (semver)
Unaffected: 5.4.212 , ≤ 5.4.* (semver)
Unaffected: 5.10.141 , ≤ 5.10.* (semver)
Unaffected: 5.15.65 , ≤ 5.15.* (semver)
Unaffected: 5.19.7 , ≤ 5.19.* (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8569b4ada1e0b9bfaa125bd0c0967918b6560fa2",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "4c34a2a6c9927c239dd2e295a03d49b37b618d2c",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "ddffe882d74ef43a3494f0ab0c24baf076c45f96",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "934e49f7d696afdae9f979abe3f308408184e17b",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "e4ae97295984ff1b9b340ed18ae1b066f36b7835",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "lessThan": "c3b0f72e805f0801f05fa2aa52011c4bfc694c44",
              "status": "affected",
              "version": "8a56d7761d2d041ae5e8215d20b4167d8aa93f51",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "969a08e9048ddd0d655a19e692673cdb95116ce6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "51d351d5b949ae7204696ada7ef502ed34d34fb0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2940c25bec92f40a3f7f32504b8ea115d1701892",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "189f4e672fc1c086f78818affc810ef29dda42a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.327",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.65",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.327",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.292",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.257",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.212",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.141",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.65",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.7",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead\n\nftrace_startup does not remove ops from ftrace_ops_list when\nftrace_startup_enable fails:\n\nregister_ftrace_function\n  ftrace_startup\n    __register_ftrace_function\n      ...\n      add_ftrace_ops(\u0026ftrace_ops_list, ops)\n      ...\n    ...\n    ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1\n    ...\n  return 0 // ops is in the ftrace_ops_list.\n\nWhen ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:\nunregister_ftrace_function\n  ftrace_shutdown\n    if (unlikely(ftrace_disabled))\n            return -ENODEV;  // return here, __unregister_ftrace_function is not executed,\n                             // as a result, ops is still in the ftrace_ops_list\n    __unregister_ftrace_function\n    ...\n\nIf ops is dynamically allocated, it will be free later, in this case,\nis_ftrace_trampoline accesses NULL pointer:\n\nis_ftrace_trampoline\n  ftrace_ops_trampoline\n    do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!\n\nSyzkaller reports as follows:\n[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b\n[ 1203.508039] #PF: supervisor read access in kernel mode\n[ 1203.508798] #PF: error_code(0x0000) - not-present page\n[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0\n[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI\n[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G    B   W         5.10.0 #8\n[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0\n[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 \u003c48\u003e 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00\n[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246\n[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866\n[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b\n[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07\n[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399\n[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008\n[ 1203.525634] FS:  00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000\n[ 1203.526801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0\n[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nTherefore, when ftrace_startup_enable fails, we need to rollback registration\nprocess and remove ops from ftrace_ops_list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:26:15.919Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8569b4ada1e0b9bfaa125bd0c0967918b6560fa2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c34a2a6c9927c239dd2e295a03d49b37b618d2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddffe882d74ef43a3494f0ab0c24baf076c45f96"
        },
        {
          "url": "https://git.kernel.org/stable/c/934e49f7d696afdae9f979abe3f308408184e17b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4ae97295984ff1b9b340ed18ae1b066f36b7835"
        },
        {
          "url": "https://git.kernel.org/stable/c/d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3b0f72e805f0801f05fa2aa52011c4bfc694c44"
        }
      ],
      "title": "ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49977",
    "datePublished": "2025-06-18T11:00:39.871Z",
    "dateReserved": "2025-06-18T10:57:27.385Z",
    "dateUpdated": "2025-12-23T13:26:15.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2025:11850

Vulnerability from osv_almalinux

CVE-2025-21919 (GCVE-0-2025-21919)

CVE-2025-21905 (GCVE-0-2025-21905)

CVE-2022-49977 (GCVE-0-2022-49977)

Tags

Sightings

Nomenclature