Vulnerability-Lookup

alsa-2025:19931

Vulnerability from osv_almalinux

Published

2025-11-10 00:00

Modified

2025-11-11 14:31

Summary

Moderate: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: x86/vmscape: Add conditional IBPB mitigation (CVE-2025-40300)
kernel: mm: fix zswap writeback race condition (CVE-2023-53178)
kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy (CVE-2022-50367)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.83.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: x86/vmscape: Add conditional IBPB mitigation (CVE-2025-40300)\n  * kernel: mm: fix zswap writeback race condition (CVE-2023-53178)\n  * kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy (CVE-2022-50367)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:19931",
  "modified": "2025-11-11T14:31:40Z",
  "published": "2025-11-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:19931"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-50367"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-53178"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-40300"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2394627"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395358"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2396114"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-19931.html"
    }
  ],
  "related": [
    "CVE-2025-40300",
    "CVE-2023-53178",
    "CVE-2022-50367"
  ],
  "summary": "Moderate: kernel security update"
}

CVE-2025-40300 (GCVE-0-2025-40300)

Vulnerability from cvelistv5 – Published: 2025-09-11 16:49 – Updated: 2026-01-02 15:33

Title

x86/vmscape: Add conditional IBPB mitigation

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac60717f9a8d21c58…
	https://git.kernel.org/stable/c/c08192b5d6730a914…
	https://git.kernel.org/stable/c/d5490dfa35427a296…
	https://git.kernel.org/stable/c/2f4f2f8f860cb4c33…
	https://git.kernel.org/stable/c/15006289e5c38b2a8…
	https://git.kernel.org/stable/c/893387c18612bb452…
	https://git.kernel.org/stable/c/f866eef8d1c65504d…
	https://git.kernel.org/stable/c/34e5667041050711a…
	https://git.kernel.org/stable/c/d7ddc93392e4a7ffc…
	https://git.kernel.org/stable/c/459274c77b37ac63b…
	https://git.kernel.org/stable/c/510603f504796c353…
	https://git.kernel.org/stable/c/9c23a90648e831d61…
	https://git.kernel.org/stable/c/2f8f173413f1cbf52…

Impacted products

Vendor

Product

Version

Linux

Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < ac60717f9a8d21c58617d0b34274babf24135835 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < c08192b5d6730a914dee6175bc71092ee6a65f14 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d5490dfa35427a2967e00a4c7a1b95fdbc8ede34 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 15006289e5c38b2a830e1fba221977a27598176c (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 893387c18612bb452336a5881da0d015a7e8f4a2 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < f866eef8d1c65504d30923c3f14082ad294d0e6d (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 34e5667041050711a947e260fc9ebebe08bddee5 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d7ddc93392e4a7ffcccc86edf6ef3e64c778db52 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 459274c77b37ac63b78c928b4b4e748d1f9d05c8 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 510603f504796c3535f67f55fb0b124a303b44c8 (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 9c23a90648e831d611152ac08dbcd1283d405e7f (git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f8f173413f1cbf52660d04df92d0069c4306d25 (git)
Affected: c51f1e5f57cca88d8d5894b6fad1638f643a99d0 (git)
Affected: 4b3870c343a82cd2df7192cc5149c87205dcc611 (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 5.10.244 , ≤ 5.10.* (semver)
Unaffected: 5.15.193 , ≤ 5.15.* (semver)
Unaffected: 6.1.152 , ≤ 6.1.* (semver)
Unaffected: 6.6.106 , ≤ 6.6.* (semver)
Unaffected: 6.12.47 , ≤ 6.12.* (semver)
Unaffected: 6.16.7 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-17T16:05:33.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/14/6"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/17/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/11/17/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/cpufeatures.h",
            "arch/x86/include/asm/entry-common.h",
            "arch/x86/include/asm/nospec-branch.h",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac60717f9a8d21c58617d0b34274babf24135835",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "c08192b5d6730a914dee6175bc71092ee6a65f14",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "d5490dfa35427a2967e00a4c7a1b95fdbc8ede34",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "15006289e5c38b2a830e1fba221977a27598176c",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "893387c18612bb452336a5881da0d015a7e8f4a2",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "f866eef8d1c65504d30923c3f14082ad294d0e6d",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "34e5667041050711a947e260fc9ebebe08bddee5",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "d7ddc93392e4a7ffcccc86edf6ef3e64c778db52",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "459274c77b37ac63b78c928b4b4e748d1f9d05c8",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "510603f504796c3535f67f55fb0b124a303b44c8",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "9c23a90648e831d611152ac08dbcd1283d405e7f",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "lessThan": "2f8f173413f1cbf52660d04df92d0069c4306d25",
              "status": "affected",
              "version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c51f1e5f57cca88d8d5894b6fad1638f643a99d0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4b3870c343a82cd2df7192cc5149c87205dcc611",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/cpufeatures.h",
            "arch/x86/include/asm/entry-common.h",
            "arch/x86/include/asm/nospec-branch.h",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.244",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.193",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.152",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.106",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.244",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.244",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.193",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.193",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.152",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.152",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.106",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.106",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.47",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.47",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.7",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.7",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.168",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:23.260Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac60717f9a8d21c58617d0b34274babf24135835"
        },
        {
          "url": "https://git.kernel.org/stable/c/c08192b5d6730a914dee6175bc71092ee6a65f14"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5490dfa35427a2967e00a4c7a1b95fdbc8ede34"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/15006289e5c38b2a830e1fba221977a27598176c"
        },
        {
          "url": "https://git.kernel.org/stable/c/893387c18612bb452336a5881da0d015a7e8f4a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/f866eef8d1c65504d30923c3f14082ad294d0e6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/34e5667041050711a947e260fc9ebebe08bddee5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7ddc93392e4a7ffcccc86edf6ef3e64c778db52"
        },
        {
          "url": "https://git.kernel.org/stable/c/459274c77b37ac63b78c928b4b4e748d1f9d05c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/510603f504796c3535f67f55fb0b124a303b44c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c23a90648e831d611152ac08dbcd1283d405e7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f8f173413f1cbf52660d04df92d0069c4306d25"
        }
      ],
      "title": "x86/vmscape: Add conditional IBPB mitigation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40300",
    "datePublished": "2025-09-11T16:49:24.809Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:23.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50367 (GCVE-0-2022-50367)

Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:42

Title

fs: fix UAF/GPF bug in nilfs_mdt_destroy

Summary

In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d1ff475d7c83289d0…
	https://git.kernel.org/stable/c/c0aa76b0f17f59dd9…
	https://git.kernel.org/stable/c/ec2aab115eb38ac49…
	https://git.kernel.org/stable/c/70e4f70d54e0225f9…
	https://git.kernel.org/stable/c/1e555c3ed1fce4b27…
	https://git.kernel.org/stable/c/64b79e632869ad3ef…
	https://git.kernel.org/stable/c/81de80330fa6907ae…
	https://git.kernel.org/stable/c/2a96b532098284ecf…
	https://git.kernel.org/stable/c/2e488f13755ffbb60…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d1ff475d7c83289d0a7faef346ea3bbf90818bad (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c0aa76b0f17f59dd9c9d3463550a2986a1d592e4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 70e4f70d54e0225f91814e8610477d65f33cefe4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e555c3ed1fce4b278aaebe18a64a934cece57d8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 64b79e632869ad3ef6c098a4731d559381da1115 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 81de80330fa6907aec32eb54c5619059e6e36452 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2e488f13755ffbb60f307e991b27024716a33b29 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.218 , ≤ 5.4.* (semver)
Unaffected: 5.10.148 , ≤ 5.10.* (semver)
Unaffected: 5.15.73 , ≤ 5.15.* (semver)
Unaffected: 5.19.15 , ≤ 5.19.* (semver)
Unaffected: 6.0.1 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-50367",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T18:35:10.102018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T18:42:59.212Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d1ff475d7c83289d0a7faef346ea3bbf90818bad",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c0aa76b0f17f59dd9c9d3463550a2986a1d592e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "70e4f70d54e0225f91814e8610477d65f33cefe4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1e555c3ed1fce4b278aaebe18a64a934cece57d8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64b79e632869ad3ef6c098a4731d559381da1115",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "81de80330fa6907aec32eb54c5619059e6e36452",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2a96b532098284ecf8e4849b8b9e5fc7a28bdee9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2e488f13755ffbb60f307e991b27024716a33b29",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.218",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.73",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.218",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.148",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.73",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: fix UAF/GPF bug in nilfs_mdt_destroy\n\nIn alloc_inode, inode_init_always() could return -ENOMEM if\nsecurity_inode_alloc() fails, which causes inode-\u003ei_private\nuninitialized. Then nilfs_is_metadata_file_inode() returns\ntrue and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),\nwhich frees the uninitialized inode-\u003ei_private\nand leads to crashes(e.g., UAF/GPF).\n\nFix this by moving security_inode_alloc just prior to\nthis_cpu_inc(nr_inodes)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:29:06.406Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d1ff475d7c83289d0a7faef346ea3bbf90818bad"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0aa76b0f17f59dd9c9d3463550a2986a1d592e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48"
        },
        {
          "url": "https://git.kernel.org/stable/c/70e4f70d54e0225f91814e8610477d65f33cefe4"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e555c3ed1fce4b278aaebe18a64a934cece57d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/64b79e632869ad3ef6c098a4731d559381da1115"
        },
        {
          "url": "https://git.kernel.org/stable/c/81de80330fa6907aec32eb54c5619059e6e36452"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a96b532098284ecf8e4849b8b9e5fc7a28bdee9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e488f13755ffbb60f307e991b27024716a33b29"
        }
      ],
      "title": "fs: fix UAF/GPF bug in nilfs_mdt_destroy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50367",
    "datePublished": "2025-09-17T14:56:23.190Z",
    "dateReserved": "2025-09-17T14:53:06.995Z",
    "dateUpdated": "2026-01-14T18:42:59.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53178 (GCVE-0-2023-53178)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2025-09-16 08:02

Title

mm: fix zswap writeback race condition

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: fix zswap writeback race condition The zswap writeback mechanism can cause a race condition resulting in memory corruption, where a swapped out page gets swapped in with data that was written to a different page. The race unfolds like this: 1. a page with data A and swap offset X is stored in zswap 2. page A is removed off the LRU by zpool driver for writeback in zswap-shrink work, data for A is mapped by zpool driver 3. user space program faults and invalidates page entry A, offset X is considered free 4. kswapd stores page B at offset X in zswap (zswap could also be full, if so, page B would then be IOed to X, then skip step 5.) 5. entry A is replaced by B in tree->rbroot, this doesn't affect the local reference held by zswap-shrink work 6. zswap-shrink work writes back A at X, and frees zswap entry A 7. swapin of slot X brings A in memory instead of B The fix: Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), zswap-shrink work just checks that the local zswap_entry reference is still the same as the one in the tree. If it's not the same it means that it's either been invalidated or replaced, in both cases the writeback is aborted because the local entry contains stale data. Reproducer: I originally found this by running `stress` overnight to validate my work on the zswap writeback mechanism, it manifested after hours on my test machine. The key to make it happen is having zswap writebacks, so whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do the trick. In order to reproduce this faster on a vm, I setup a system with ~100M of available memory and a 500M swap file, then running `stress --vm 1 --vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens of minutes. One can speed things up even more by swinging /sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 and 1; this makes it reproduce in tens of seconds. It's crucial to set `--vm-stride` to something other than 4096 otherwise `stress` won't realize that memory has been corrupted because all pages would have the same data.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2cab13f500a6333bd…
	https://git.kernel.org/stable/c/ba700ea13bf0105a4…
	https://git.kernel.org/stable/c/04fc7816089c5a32c…

Impacted products

Vendor

Product

Version

Linux

Affected: 2b2811178e85553405b86e3fe78357b9b95889ce , < 2cab13f500a6333bd2b853783ac76be9e4956f8a (git)
Affected: 2b2811178e85553405b86e3fe78357b9b95889ce , < ba700ea13bf0105a4773c654f7d3bef8adb64ab2 (git)
Affected: 2b2811178e85553405b86e3fe78357b9b95889ce , < 04fc7816089c5a32c29a04ec94b998e219dfb946 (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 6.1.30 , ≤ 6.1.* (semver)
Unaffected: 6.3.4 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2cab13f500a6333bd2b853783ac76be9e4956f8a",
              "status": "affected",
              "version": "2b2811178e85553405b86e3fe78357b9b95889ce",
              "versionType": "git"
            },
            {
              "lessThan": "ba700ea13bf0105a4773c654f7d3bef8adb64ab2",
              "status": "affected",
              "version": "2b2811178e85553405b86e3fe78357b9b95889ce",
              "versionType": "git"
            },
            {
              "lessThan": "04fc7816089c5a32c29a04ec94b998e219dfb946",
              "status": "affected",
              "version": "2b2811178e85553405b86e3fe78357b9b95889ce",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix zswap writeback race condition\n\nThe zswap writeback mechanism can cause a race condition resulting in\nmemory corruption, where a swapped out page gets swapped in with data that\nwas written to a different page.\n\nThe race unfolds like this:\n1. a page with data A and swap offset X is stored in zswap\n2. page A is removed off the LRU by zpool driver for writeback in\n   zswap-shrink work, data for A is mapped by zpool driver\n3. user space program faults and invalidates page entry A, offset X is\n   considered free\n4. kswapd stores page B at offset X in zswap (zswap could also be\n   full, if so, page B would then be IOed to X, then skip step 5.)\n5. entry A is replaced by B in tree-\u003erbroot, this doesn\u0027t affect the\n   local reference held by zswap-shrink work\n6. zswap-shrink work writes back A at X, and frees zswap entry A\n7. swapin of slot X brings A in memory instead of B\n\nThe fix:\nOnce the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),\nzswap-shrink work just checks that the local zswap_entry reference is\nstill the same as the one in the tree.  If it\u0027s not the same it means that\nit\u0027s either been invalidated or replaced, in both cases the writeback is\naborted because the local entry contains stale data.\n\nReproducer:\nI originally found this by running `stress` overnight to validate my work\non the zswap writeback mechanism, it manifested after hours on my test\nmachine.  The key to make it happen is having zswap writebacks, so\nwhatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do\nthe trick.\n\nIn order to reproduce this faster on a vm, I setup a system with ~100M of\navailable memory and a 500M swap file, then running `stress --vm 1\n--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens\nof minutes.  One can speed things up even more by swinging\n/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20\nand 1; this makes it reproduce in tens of seconds.  It\u0027s crucial to set\n`--vm-stride` to something other than 4096 otherwise `stress` won\u0027t\nrealize that memory has been corrupted because all pages would have the\nsame data."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:02:20.669Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2cab13f500a6333bd2b853783ac76be9e4956f8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba700ea13bf0105a4773c654f7d3bef8adb64ab2"
        },
        {
          "url": "https://git.kernel.org/stable/c/04fc7816089c5a32c29a04ec94b998e219dfb946"
        }
      ],
      "title": "mm: fix zswap writeback race condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53178",
    "datePublished": "2025-09-15T14:04:23.768Z",
    "dateReserved": "2025-09-15T13:59:19.065Z",
    "dateUpdated": "2025-09-16T08:02:20.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2025:19931

Vulnerability from osv_almalinux

CVE-2025-40300 (GCVE-0-2025-40300)

CVE-2022-50367 (GCVE-0-2022-50367)

CVE-2023-53178 (GCVE-0-2023-53178)

Tags

Sightings

Nomenclature