Vulnerability-Lookup

alsa-2026:1142

Vulnerability from osv_almalinux

Published

2026-01-26 00:00

Modified

2026-01-26 13:49

Summary

Important: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: Bluetooth: hci_event: call disconnect callback before deleting conn (CVE-2023-53673)
kernel: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CVE-2025-40154)
kernel: Linux kernel: vsock vulnerability may lead to memory corruption (CVE-2025-40248)
kernel: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CVE-2025-40277)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.97.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: Bluetooth: hci_event: call disconnect callback before deleting conn (CVE-2023-53673)\n  * kernel: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CVE-2025-40154)\n  * kernel: Linux kernel: vsock vulnerability may lead to memory corruption (CVE-2025-40248)\n  * kernel: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CVE-2025-40277)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:1142",
  "modified": "2026-01-26T13:49:21Z",
  "published": "2026-01-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:1142"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-53673"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-40154"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-40248"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-40277"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2402193"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2414494"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2418872"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2419954"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-1142.html"
    }
  ],
  "related": [
    "CVE-2023-53673",
    "CVE-2025-40154",
    "CVE-2025-40248",
    "CVE-2025-40277"
  ],
  "summary": "Important: kernel security update"
}

CVE-2025-40277 (GCVE-0-2025-40277)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e58559845021c3bad…
	https://git.kernel.org/stable/c/54d458b244893e47b…
	https://git.kernel.org/stable/c/709e5c088f9c99a5c…
	https://git.kernel.org/stable/c/a3abb54c27b2c393c…
	https://git.kernel.org/stable/c/b5df9e06eed3df6a4…
	https://git.kernel.org/stable/c/5aea2cde03d4247cd…
	https://git.kernel.org/stable/c/f3f3a8eb3f0ba799f…
	https://git.kernel.org/stable/c/32b415a9dc2c212e8…

Impacted products

Vendor

Product

Version

Linux

Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e58559845021c3bad5e094219378b869157fad53",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:00.437Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
        },
        {
          "url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
        },
        {
          "url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
        }
      ],
      "title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40277",
    "datePublished": "2025-12-06T21:51:00.437Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:00.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40248 (GCVE-0-2025-40248)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38

Title

vsock: Ignore signal/timeout on connect() if already established

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3f71753935d648082…
	https://git.kernel.org/stable/c/da664101fb4a0de5c…
	https://git.kernel.org/stable/c/67432915145848658…
	https://git.kernel.org/stable/c/eeca93f06df89be5a…
	https://git.kernel.org/stable/c/5998da5a8208ae9ad…
	https://git.kernel.org/stable/c/f1c170cae285e4b8f…
	https://git.kernel.org/stable/c/ab6b19f690d89ae47…
	https://git.kernel.org/stable/c/002541ef650b742a1…

Impacted products

Vendor

Product

Version

Linux

Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 3f71753935d648082a8279a97d30efe6b85be680 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < da664101fb4a0de5cb70d2bae6a650df954df2af (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 67432915145848658149683101104e32f9fd6559 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < eeca93f06df89be5a36305b7b9dae1ed65550dfc (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 5998da5a8208ae9ad7838ba322bccb2bdcd95e81 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f1c170cae285e4b8f61be043bb17addc3d0a14b5 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < ab6b19f690d89ae4709fba73a3c4a7911f495b7a (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 002541ef650b742a198e4be363881439bb9d86b4 (git)

Linux

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f71753935d648082a8279a97d30efe6b85be680",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "da664101fb4a0de5cb70d2bae6a650df954df2af",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "67432915145848658149683101104e32f9fd6559",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "eeca93f06df89be5a36305b7b9dae1ed65550dfc",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "5998da5a8208ae9ad7838ba322bccb2bdcd95e81",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "f1c170cae285e4b8f61be043bb17addc3d0a14b5",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "ab6b19f690d89ae4709fba73a3c4a7911f495b7a",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "002541ef650b742a198e4be363881439bb9d86b4",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\n   virtio_transport_purge_skbs() may race with sendmsg() invoking\n   virtio_transport_get_credit(). This results in a permanently elevated\n   `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket\u0027s state may race with socket\n   being placed in a sockmap. A disconnected socket remaining in a sockmap\n   breaks sockmap\u0027s assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\n   transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n   any simultaneous sendmsg() or connect() and may result in a\n   use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:46.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680"
        },
        {
          "url": "https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af"
        },
        {
          "url": "https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559"
        },
        {
          "url": "https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4"
        }
      ],
      "title": "vsock: Ignore signal/timeout on connect() if already established",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40248",
    "datePublished": "2025-12-04T16:08:11.509Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-06T21:38:46.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53673 (GCVE-0-2023-53673)

Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-02-12 08:19

Title

Bluetooth: hci_event: call disconnect callback before deleting conn

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. ISO, L2CAP and SCO connections refer to the hci_conn without hci_conn_get, so disconn_cfm must be called so they can clean up their conn, otherwise use-after-free occurs. ISO: ========================================================== iso_sock_connect:880: sk 00000000eabd6557 iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 hci_dev_put:1487: hci0 orig refcnt 17 __iso_chan_add:214: conn 00000000b6251073 iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 ... hci_rx_work:4085: hci0 Event packet hci_event_packet:7601: hci0: event 0x0f hci_cmd_status_evt:4346: hci0: opcode 0x0406 hci_cs_disconnect:2760: hci0: status 0x0c hci_sent_cmd_data:3107: hci0 opcode 0x0406 hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 hci_conn_unlink:1102: hci0: hcon 000000001696f1fd hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 hci_chan_list_flush:2780: hcon 000000001696f1fd hci_dev_put:1487: hci0 orig refcnt 21 hci_dev_put:1487: hci0 orig refcnt 20 hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c ... <no iso_* activity on sk/conn> ... iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 BUG: kernel NULL pointer dereference, address: 0000000000000668 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth ========================================================== L2CAP: ================================================================== hci_cmd_status_evt:4359: hci0: opcode 0x0406 hci_cs_disconnect:2760: hci0: status 0x0c hci_sent_cmd_data:3085: hci0 opcode 0x0406 hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 hci_conn_unlink:1102: hci0: hcon ffff88800c999000 hci_chan_list_flush:2780: hcon ffff88800c999000 hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 ... BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xf8/0x180 ? hci_send_acl+0x2d/0x540 [bluetooth] kasan_report+0xa8/0xe0 ? hci_send_acl+0x2d/0x540 [bluetooth] hci_send_acl+0x2d/0x540 [bluetooth] ? __pfx___lock_acquire+0x10/0x10 l2cap_chan_send+0x1fd/0x1300 [bluetooth] ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] ? lock_release+0x1d5/0x3c0 ? mark_held_locks+0x1a/0x90 l2cap_sock_sendmsg+0x100/0x170 [bluetooth] sock_write_iter+0x275/0x280 ? __pfx_sock_write_iter+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 do_iter_readv_writev+0x176/0x220 ? __pfx_do_iter_readv_writev+0x10/0x10 ? find_held_lock+0x83/0xa0 ? selinux_file_permission+0x13e/0x210 do_iter_write+0xda/0x340 vfs_writev+0x1b4/0x400 ? __pfx_vfs_writev+0x10/0x10 ? __seccomp_filter+0x112/0x750 ? populate_seccomp_data+0x182/0x220 ? __fget_light+0xdf/0x100 ? do_writev+0x19d/0x210 do_writev+0x19d/0x210 ? __pfx_do_writev+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0x60/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 ? do_syscall_64+0x6c/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7ff45cb23e64 Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1ecf6dc2676ead4b9…
	https://git.kernel.org/stable/c/59bd1e476bbc7bc6d…
	https://git.kernel.org/stable/c/093a07052406b363b…
	https://git.kernel.org/stable/c/7f7cfcb6f08256529…

Impacted products

Vendor

Product

Version

Linux

Affected: b8d290525e3972b5e876b2649a42bf4081d753fe , < 1ecf6dc2676ead4b927c50b1be0851fa4d756574 (git)
Affected: b8d290525e3972b5e876b2649a42bf4081d753fe , < 59bd1e476bbc7bc6dff3c61bba787095a4839796 (git)
Affected: b8d290525e3972b5e876b2649a42bf4081d753fe , < 093a07052406b363b1b2ab489e17dbadaf3e509b (git)
Affected: b8d290525e3972b5e876b2649a42bf4081d753fe , < 7f7cfcb6f0825652973b780f248603e23f16ee90 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.15.200 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ecf6dc2676ead4b927c50b1be0851fa4d756574",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            },
            {
              "lessThan": "59bd1e476bbc7bc6dff3c61bba787095a4839796",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            },
            {
              "lessThan": "093a07052406b363b1b2ab489e17dbadaf3e509b",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            },
            {
              "lessThan": "7f7cfcb6f0825652973b780f248603e23f16ee90",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.200",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.200",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... \u003cno iso_* activity on sk/conn\u003e ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? __pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T08:19:13.041Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ecf6dc2676ead4b927c50b1be0851fa4d756574"
        },
        {
          "url": "https://git.kernel.org/stable/c/59bd1e476bbc7bc6dff3c61bba787095a4839796"
        },
        {
          "url": "https://git.kernel.org/stable/c/093a07052406b363b1b2ab489e17dbadaf3e509b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f7cfcb6f0825652973b780f248603e23f16ee90"
        }
      ],
      "title": "Bluetooth: hci_event: call disconnect callback before deleting conn",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53673",
    "datePublished": "2025-10-07T15:21:29.632Z",
    "dateReserved": "2025-10-07T15:16:59.663Z",
    "dateUpdated": "2026-02-12T08:19:13.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40154 (GCVE-0-2025-40154)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19

Title

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unepxected results like OOB access. This patch corrects the input mapping to the certain default value if an invalid value is passed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2c27e047bdcba457e…
	https://git.kernel.org/stable/c/a97b4d18ecb012c56…
	https://git.kernel.org/stable/c/dea9c8c9028c93747…
	https://git.kernel.org/stable/c/f58fca15f3bf8b982…
	https://git.kernel.org/stable/c/29a41bf6422688f0c…
	https://git.kernel.org/stable/c/5c03ea2ef4ebba75c…
	https://git.kernel.org/stable/c/48880f3cdf2b6d8dc…
	https://git.kernel.org/stable/c/fba404e4b4af4f4f7…

Impacted products

Vendor

Product

Version

Linux

Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01 (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < dea9c8c9028c9374761224a7f9d824e845a2aa2e (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < f58fca15f3bf8b982e799c31e4afa8923788aa40 (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 29a41bf6422688f0c5a09b18222e1a64b2629fa4 (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 5c03ea2ef4ebba75c69c90929d8590eb3d3797a9 (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < 48880f3cdf2b6d8dcd91219c5b5c8a7526411322 (git)
Affected: 063422ca2a9de238401c3848c1b3641c07b6316c , < fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.112 , ≤ 6.6.* (semver)
Unaffected: 6.12.53 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/boards/bytcr_rt5640.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "dea9c8c9028c9374761224a7f9d824e845a2aa2e",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "f58fca15f3bf8b982e799c31e4afa8923788aa40",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "29a41bf6422688f0c5a09b18222e1a64b2629fa4",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "5c03ea2ef4ebba75c69c90929d8590eb3d3797a9",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "48880f3cdf2b6d8dcd91219c5b5c8a7526411322",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            },
            {
              "lessThan": "fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0",
              "status": "affected",
              "version": "063422ca2a9de238401c3848c1b3641c07b6316c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/boards/bytcr_rt5640.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.112",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.53",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver only shows an error message but leaves as is.\nThis may lead to unepxected results like OOB access.\n\nThis patch corrects the input mapping to the certain default value if\nan invalid value is passed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:19:04.590Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01"
        },
        {
          "url": "https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40"
        },
        {
          "url": "https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322"
        },
        {
          "url": "https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0"
        }
      ],
      "title": "ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40154",
    "datePublished": "2025-11-12T10:23:28.470Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2025-12-01T06:19:04.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:1142

Vulnerability from osv_almalinux

CVE-2025-40277 (GCVE-0-2025-40277)

CVE-2025-40248 (GCVE-0-2025-40248)

CVE-2023-53673 (GCVE-0-2023-53673)

CVE-2025-40154 (GCVE-0-2025-40154)

Tags

Sightings

Nomenclature