{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "core20" ] }, "deb": { "added": [ "linux-headers-5.15.0-138", "linux-headers-5.15.0-138-generic", "linux-image-5.15.0-138-generic", "linux-modules-5.15.0-138-generic" ], "removed": [ "linux-headers-5.15.0-135", "linux-headers-5.15.0-135-generic", "linux-image-5.15.0-135-generic", "linux-modules-5.15.0-135-generic" ], "diff": [ "binutils", "binutils-aarch64-linux-gnu", "binutils-common", "dirmngr", "ethtool", "gnupg", "gnupg-l10n", "gnupg-utils", "gpg", "gpg-agent", "gpg-wks-client", "gpg-wks-server", "gpgconf", "gpgsm", "gpgv", "libarchive13", "libbinutils", "libctf-nobfd0", "libctf0", "libexpat1", "libnss-systemd", "libpam-systemd", "libperl5.34", "libsystemd0", "libudev1", "libxml2", "linux-base", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "openssh-client", "openssh-server", "openssh-sftp-server", "pci.ids", "perl", "perl-base", "perl-modules-5.34", "systemd", "systemd-sysv", "systemd-timesyncd", "tzdata", "udev", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "binutils", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. 
It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. 
The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linkder", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bdf/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory 
access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "binutils-aarch64-linux-gnu", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. 
The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. 
Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linkder", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bdf/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "binutils-common", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": 
"https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. 
The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. 
This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linkder", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bdf/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "dirmngr", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": 
"https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, 
"is_version_downgrade": false }, { "name": "ethtool", "from_version": { "source_package_name": "ethtool", "source_package_version": "1:5.16-1ubuntu0.1", "version": "1:5.16-1ubuntu0.1" }, "to_version": { "source_package_name": "ethtool", "source_package_version": "1:5.16-1ubuntu0.2", "version": "1:5.16-1ubuntu0.2" }, "cves": [], "launchpad_bugs_fixed": [ 2100246 ], "changes": [ { "cves": [], "log": [ "", " * Fix ethtool module info missing sff-8472 output in netlink path", " (LP: #2100246)", " - d/p/lp2100246-Fix-missing-sff-8472-output-in-netlink-path.patch", "" ], "package": "ethtool", "version": "1:5.16-1ubuntu0.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2100246 ], "author": "Gerald Yang ", "date": "Fri, 07 Mar 2025 15:22:37 +1300" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification 
DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-l10n", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": 
"CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-utils", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a 
certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg", "from_version": { "source_package_name": "gnupg2", 
"source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - 
CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-agent", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious 
subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-wks-client", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - 
debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-wks-server", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with 
certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgconf", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from 
certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgsm", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", 
"version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc 
Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgv", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.1", "version": "2.2.27-3ubuntu2.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.2.27-3ubuntu2.3", "version": "2.2.27-3ubuntu2.3" }, "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-30258", "url": "https://ubuntu.com/security/CVE-2025-30258", "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"", "cve_priority": "medium", "cve_public_date": "2025-03-19 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: verification DoS via crafted subkey data", " - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/", " inserting only by primary key in g10/getkey.c, g10/import.c,", " g10/keydb.h.", " - debian/patches/CVE-2025-30258-2.patch: remove a signature check", " function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.", " - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to", " a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,", " g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.", " - debian/patches/CVE-2025-30258-4.patch: fix regression for 
the recent", " malicious subkey DoS fix in g10/getkey.c, g10/packet.h.", " - debian/patches/CVE-2025-30258-5.patch: fix double free of internal", " data in g10/sig-check.c.", " - CVE-2025-30258", "" ], "package": "gnupg2", "version": "2.2.27-3ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 28 Mar 2025 13:39:15 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libarchive13", "from_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.3", "version": "3.6.0-1ubuntu1.3" }, "to_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.4", "version": "3.6.0-1ubuntu1.4" }, "cves": [ { "cve": "CVE-2025-25724", "url": "https://ubuntu.com/security/CVE-2025-25724", "cve_description": "list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.", "cve_priority": "medium", "cve_public_date": "2025-03-02 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-25724", "url": "https://ubuntu.com/security/CVE-2025-25724", "cve_description": "list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. 
For example, the 100-byte buffer may not be sufficient for a custom locale.", "cve_priority": "medium", "cve_public_date": "2025-03-02 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: DoS via crafted TAR archive", " - debian/patches/CVE-2025-25724.patch: make sure ltime is valid in", " tar/util.c.", " - CVE-2025-25724", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 10 Apr 2025 13:35:36 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libbinutils", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. 
The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. 
Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. 
The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linker", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bfd/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libctf-nobfd0", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { 
"source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. 
The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. 
Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linkder", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bdf/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libctf0", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.7", "version": "2.38-4ubuntu2.7" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.8", "version": "2.38-4ubuntu2.8" }, "cves": [ { "cve": "CVE-2025-1153", "url": 
"https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-1153", "url": "https://ubuntu.com/security/CVE-2025-1153", "cve_description": "A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. 
The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.", "cve_priority": "low", "cve_public_date": "2025-02-10 19:15:00 UTC" }, { "cve": "CVE-2025-1176", "url": "https://ubuntu.com/security/CVE-2025-1176", "cve_description": "A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 06:15:00 UTC" }, { "cve": "CVE-2025-1178", "url": "https://ubuntu.com/security/CVE-2025-1178", "cve_description": "A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 07:15:00 UTC" }, { "cve": "CVE-2025-1181", "url": "https://ubuntu.com/security/CVE-2025-1181", "cve_description": "A vulnerability classified as critical was found in GNU Binutils 2.43. 
This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 08:15:00 UTC" }, { "cve": "CVE-2025-1182", "url": "https://ubuntu.com/security/CVE-2025-1182", "cve_description": "A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. 
It is recommended to apply a patch to fix this issue.", "cve_priority": "medium", "cve_public_date": "2025-02-11 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1153.patch: introduces new variant of einfo", " called 'fatal' that always exits in ld/*.", " - CVE-2025-1153", " * SECURITY UPDATE: Heap based buffer overflow", " - debian/patches/CVE-2025-1176.patch: prevent illegal memory access", " when indexing into the sym_hashes array in bfd/elflink.c.", " - CVE-2025-1176", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1178.patch: prevent an abort in the bfd linkder", " when attempting to generate dynamic relocs for a corrupt input file", " in bfd/elf64-x86-64.c.", " - CVE-2025-1178", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1181-pre.patch: prevent illegal memory access", " when checking relocs in a corrupt ELF binary in bfd/elf-bfd.h,", " bfd/elf64-x86-64.c, bfd/elflink.c, bfd/elfxx-x86.c.", " - debian/patches/CVE-2025-1181.patch: add even more checks for corrupt", " input when processing relocations for ELF files in bdf/elflink.c.", " - CVE-2025-1181", " * SECURITY UPDATE: Memory corruption", " - debian/patches/CVE-2025-1182.patch: fix illegal memory access", " triggered by corrupt ELF input files in bfd/elflink.c.", " - CVE-2025-1182", "" ], "package": "binutils", "version": "2.38-4ubuntu2.8", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Mon, 17 Mar 2025 16:24:06 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libexpat1", "from_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.5", "version": "2.4.7-1ubuntu0.5" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.6", "version": "2.4.7-1ubuntu0.6" }, "cves": [ { "cve": "CVE-2024-8176", "url": 
"https://ubuntu.com/security/CVE-2024-8176", "cve_description": "A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.", "cve_priority": "medium", "cve_public_date": "2025-03-14 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8176", "url": "https://ubuntu.com/security/CVE-2024-8176", "cve_description": "A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. 
This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.", "cve_priority": "medium", "cve_public_date": "2025-03-14 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: denial of service via stack overflow", " - debian/patches/CVE-2024-8176-pre.patch: Remove XML_DTD guards", " before is_param accesses", " - debian/patches/CVE-2024-8176-test-pre-1.patch: minicheck: Add", " fail_unless() macro", " - debian/patches/CVE-2024-8176-test-pre-2.patch: tests: Rename", " _fail_unless to _assert_true for clarity", " - debian/patches/CVE-2024-8176-test-pre-3.patch: minicheck: Add", " simple subtest support", " - debian/patches/CVE-2024-8176-1.patch: Resolve the recursion during", " entity processing to prevent stack overflow", " - debian/patches/CVE-2024-8176-2.patch: Stop updating event pointer", " on exit for reentry", " - CVE-2024-8176", "" ], "package": "expat", "version": "2.4.7-1ubuntu0.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Mon, 07 Apr 2025 20:07:15 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnss-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: 
skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if 
already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libperl5.34", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.3", "version": "5.34.0-3ubuntu1.3" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    
$ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes", " - debian/patches/CVE-2024-56406.patch: properly calculate needed space", " in op.c.", " - CVE-2024-56406", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 08 Apr 2025 09:21:50 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": 
[ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h 
update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxml2", "from_version": { "source_package_name": "libxml2", "source_package_version": "2.9.13+dfsg-1ubuntu0.6", "version": "2.9.13+dfsg-1ubuntu0.6" }, "to_version": { "source_package_name": "libxml2", "source_package_version": "2.9.13+dfsg-1ubuntu0.7", "version": "2.9.13+dfsg-1ubuntu0.7" }, "cves": [ { "cve": "CVE-2025-32414", "url": "https://ubuntu.com/security/CVE-2025-32414", "cve_description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur 
in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.", "cve_priority": "medium", "cve_public_date": "2025-04-08 03:15:00 UTC" }, { "cve": "CVE-2025-32415", "url": "https://ubuntu.com/security/CVE-2025-32415", "cve_description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", "cve_priority": "medium", "cve_public_date": "2025-04-17 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-32414", "url": "https://ubuntu.com/security/CVE-2025-32414", "cve_description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.", "cve_priority": "medium", "cve_public_date": "2025-04-08 03:15:00 UTC" }, { "cve": "CVE-2025-32415", "url": "https://ubuntu.com/security/CVE-2025-32415", "cve_description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. 
To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", "cve_priority": "medium", "cve_public_date": "2025-04-17 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB access in python API", " - debian/patches/CVE-2025-32414-pre1.patch: fix SAX driver with", " character streams in python/drv_libxml2.py.", " - debian/patches/CVE-2025-32414-1.patch: read at most len/4 characters", " in python/libxml.c.", " - debian/patches/CVE-2025-32414-2.patch: add a test in", " python/tests/Makefile.am, python/tests/unicode.py.", " - CVE-2025-32414", " * SECURITY UPDATE: heap under-read in xmlSchemaIDCFillNodeTables", " - debian/patches/CVE-2025-32415.patch: fix heap buffer overflow in", " xmlSchemaIDCFillNodeTables in xmlschemas.c.", " - CVE-2025-32415", "" ], "package": "libxml2", "version": "2.9.13+dfsg-1ubuntu0.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 24 Apr 2025 14:42:32 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-base", "from_version": { "source_package_name": "linux-base", "source_package_version": "4.5ubuntu9", "version": "4.5ubuntu9" }, "to_version": { "source_package_name": "linux-base", "source_package_version": "4.5ubuntu9+22.04.1", "version": "4.5ubuntu9+22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2018128 ], "changes": [ { "cves": [], "log": [ "", " * Add missing Apport links for kernel packages (LP: #2018128)", "" ], "package": "linux-base", "version": "4.5ubuntu9+22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2018128 ], "author": "Juerg Haefliger ", "date": "Wed, 05 Mar 2025 12:11:34 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.135.133", "version": "5.15.0.135.133" 
}, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.138.134", "version": "5.15.0.138.134" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-138", "" ], "package": "linux-meta", "version": "5.15.0.138.134", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 16:59:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.135.133", "version": "5.15.0.135.133" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.138.134", "version": "5.15.0.138.134" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-138", "" ], "package": "linux-meta", "version": "5.15.0.138.134", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 16:59:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.135.133", "version": "5.15.0.135.133" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.138.134", "version": "5.15.0.138.134" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-138", "" ], "package": "linux-meta", "version": "5.15.0.138.134", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 16:59:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.135.133", "version": "5.15.0.135.133" }, "to_version": { "source_package_name": 
"linux-meta", "source_package_version": "5.15.0.138.134", "version": "5.15.0.138.134" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-138", "" ], "package": "linux-meta", "version": "5.15.0.138.134", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 16:59:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-client", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.11", "version": "1:8.9p1-3ubuntu0.11" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.13", "version": "1:8.9p1-3ubuntu0.13" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2028282 ], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.13", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 11 Apr 2025 08:05:47 -0400" }, { "cves": [], "log": [ "", " * d/p/gssapi.patch: Fix interaction between gssapi-keyex and pubkey auth", " (LP: 
#2028282)", " Don't prefer host-bound public key signatures if there was no initial", " host key, as is the case when using GSS-API key exchange.", " Thanks to Colin Watson for providing patches via Debian Salsa (7d291bb)", " + d/t/ssh-gssapi: Fix typo in autopkgtest", " + d/t/ssh-gssapi: Test interaction between gssapi-keyex and pubkey auth.", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.12", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2028282 ], "author": "Lukas Märdian ", "date": "Mon, 10 Mar 2025 16:56:45 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.11", "version": "1:8.9p1-3ubuntu0.11" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.13", "version": "1:8.9p1-3ubuntu0.13" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2028282 ], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.13", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers 
", "date": "Fri, 11 Apr 2025 08:05:47 -0400" }, { "cves": [], "log": [ "", " * d/p/gssapi.patch: Fix interaction between gssapi-keyex and pubkey auth", " (LP: #2028282)", " Don't prefer host-bound public key signatures if there was no initial", " host key, as is the case when using GSS-API key exchange.", " Thanks to Colin Watson for providing patches via Debian Salsa (7d291bb)", " + d/t/ssh-gssapi: Fix typo in autopkgtest", " + d/t/ssh-gssapi: Test interaction between gssapi-keyex and pubkey auth.", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.12", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2028282 ], "author": "Lukas Märdian ", "date": "Mon, 10 Mar 2025 16:56:45 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-sftp-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.11", "version": "1:8.9p1-3ubuntu0.11" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.13", "version": "1:8.9p1-3ubuntu0.13" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2028282 ], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], 
"package": "openssh", "version": "1:8.9p1-3ubuntu0.13", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 11 Apr 2025 08:05:47 -0400" }, { "cves": [], "log": [ "", " * d/p/gssapi.patch: Fix interaction between gssapi-keyex and pubkey auth", " (LP: #2028282)", " Don't prefer host-bound public key signatures if there was no initial", " host key, as is the case when using GSS-API key exchange.", " Thanks to Colin Watson for providing patches via Debian Salsa (7d291bb)", " + d/t/ssh-gssapi: Fix typo in autopkgtest", " + d/t/ssh-gssapi: Test interaction between gssapi-keyex and pubkey auth.", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.12", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2028282 ], "author": "Lukas Märdian ", "date": "Mon, 10 Mar 2025 16:56:45 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "pci.ids", "from_version": { "source_package_name": "pci.ids", "source_package_version": "0.0~2022.01.22-1", "version": "0.0~2022.01.22-1" }, "to_version": { "source_package_name": "pci.ids", "source_package_version": "0.0~2022.01.22-1ubuntu0.1", "version": "0.0~2022.01.22-1ubuntu0.1" }, "cves": [], "launchpad_bugs_fixed": [ 2100918 ], "changes": [ { "cves": [], "log": [ "", " * Correct the labeling of Intel Wireless-AC 9560 CNVi Wi-Fi interface on", " Jasper Lake platforms. 
(LP: #2100918)", "" ], "package": "pci.ids", "version": "0.0~2022.01.22-1ubuntu0.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2100918 ], "author": "Yao Wei (魏銘廷) ", "date": "Thu, 06 Mar 2025 17:53:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.3", "version": "5.34.0-3ubuntu1.3" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    
$ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes", " - debian/patches/CVE-2024-56406.patch: properly calculate needed space", " in op.c.", " - CVE-2024-56406", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 08 Apr 2025 09:21:50 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-base", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.3", "version": "5.34.0-3ubuntu1.3" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    
$ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes", " - debian/patches/CVE-2024-56406.patch: properly calculate needed space", " in op.c.", " - CVE-2024-56406", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 08 Apr 2025 09:21:50 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-modules-5.34", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.3", "version": "5.34.0-3ubuntu1.3" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow 
vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    
$ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes", " - debian/patches/CVE-2024-56406.patch: properly calculate needed space", " in op.c.", " - CVE-2024-56406", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 08 Apr 2025 09:21:50 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", 
"distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", 
"launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 
2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "tzdata", "from_version": { "source_package_name": "tzdata", "source_package_version": "2025a-0ubuntu0.22.04", "version": "2025a-0ubuntu0.22.04" }, "to_version": { "source_package_name": "tzdata", "source_package_version": "2025b-0ubuntu0.22.04", "version": "2025b-0ubuntu0.22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2104284 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release (LP: #2104284):", " - New America/Coyhaique zone for Aysén Region in Chile, which moves", " from -04/-03 to -03. 
It will not change its clocks on 2025-04-05.", " - Improve historical data for Iran", " * Add America/Coyhaique to tzdata.install and debconf templates", " * Update English, French and Spanish debconf translations for Coyhaique", " * Add autopkgtest test case for 2025b release", " * No ICU data update yet as none is yet available upstream.", "" ], "package": "tzdata", "version": "2025b-0ubuntu0.22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2104284 ], "author": "Benjamin Drung ", "date": "Wed, 26 Mar 2025 18:44:41 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.12", "version": "249.11-0ubuntu3.12" }, "to_version": { "source_package_name": "systemd", "source_package_version": "249.11-0ubuntu3.15", "version": "249.11-0ubuntu3.15" }, "cves": [], "launchpad_bugs_fixed": [ 2078555, 2003250, 2009859, 2037667, 2055200, 2077779 ], "changes": [ { "cves": [], "log": [ "", " * d/systemd.prerm: call d-s-h update-state for resolved on upgrades", " (LP: #2078555)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.15", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078555 ], "author": "Nick Rosbrook ", "date": "Thu, 20 Feb 2025 08:24:02 -0500" }, { "cves": [], "log": [ "", " [ Ioanna Alifieraki ]", " * network: skip to reassign master ifindex if already set", " (LP: #2003250)", "", " [ Nick Rosbrook ]", " * network: do not bring down a bonding port interface when it is already joined", " (This is a follow-up commit required for LP: 2003250)", "", " * networkd-test: skip test_resolved_domain_restricted_dns", " (LP: #2009859)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.14", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2003250, 2009859 ], "author": "Nick Rosbrook ", "date": "Mon, 16 Dec 2024 15:23:18 -0500" }, { "cves": [], "log": [ "", " [ Lukas 
Märdian ]", " * Fixing GRE6 and VTI6 on newer kernels (LP: #2037667)", "", " [ Nick Rosbrook ]", " * debian/tests/tests-in-lxd: update workaround patch (LP: #2055200)", "", " [ Chengen Du ]", " * udev: Handle PTP device symlink properly on udev action 'change'", " (LP: #2077779)", "" ], "package": "systemd", "version": "249.11-0ubuntu3.13", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2037667, 2055200, 2077779 ], "author": "Nick Rosbrook ", "date": "Thu, 17 Oct 2024 10:26:55 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.23", "version": "2:8.2.3995-1ubuntu2.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.24", "version": "2:8.2.3995-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. 
In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when redirecting display command to", " register.", " - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use", " vim_strchr command check in ./src/register.c.", " - CVE-2025-26603", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 02 Apr 2025 10:09:01 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.23", "version": "2:8.2.3995-1ubuntu2.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.24", "version": "2:8.2.3995-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. 
However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when redirecting display command to", " register.", " - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use", " vim_strchr command check in ./src/register.c.", " - CVE-2025-26603", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 02 Apr 2025 10:09:01 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.23", "version": "2:8.2.3995-1ubuntu2.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.24", "version": "2:8.2.3995-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. 
However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when redirecting display command to", " register.", " - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use", " vim_strchr command check in ./src/register.c.", " - CVE-2025-26603", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 02 Apr 2025 10:09:01 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.23", "version": "2:8.2.3995-1ubuntu2.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.24", "version": "2:8.2.3995-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. 
However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when redirecting display command to", " register.", " - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use", " vim_strchr command check in ./src/register.c.", " - CVE-2025-26603", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 02 Apr 2025 10:09:01 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.23", "version": "2:8.2.3995-1ubuntu2.23" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.24", "version": "2:8.2.3995-1ubuntu2.24" }, "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. 
However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-26603", "url": "https://ubuntu.com/security/CVE-2025-26603", "cve_description": "Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically denote the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead). In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2025-02-18 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when redirecting display command to", " register.", " - debian/patches/CVE-2025-26603.patch: Change redir_reg check to use", " vim_strchr command check in ./src/register.c.", " - CVE-2025-26603", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.24", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 02 Apr 2025 10:09:01 -0230" } ], "notes": null, "is_version_downgrade": false } ], "snap": [ { "name": "core20", "from_version": { "source_package_name": null, "source_package_version": null, "version": "2499" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "2503" } } ] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-138", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-138.148", "version": "5.15.0-138.148" }, "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. 
vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "changes": [ { "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. 
transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has a value equal to 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() does not increase qlen of Qdisc_A. The whole process leads to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replacing 'hfsc' with another type (for example: 'drr') still leads to the same problem. This violates the design where the parent's qlen should equal the sum of its children's qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr does not stray beyond the valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-138.148 -proposed tracker (LP: #2102587)", "", " * ipsec_offload in rtnetlink.sh from ubunsu_kselftests_net fails on O/J", " (LP: #2096976)", " - SAUCE: selftest: netfilter: fix null IP field in kci_test_ipsec_offload", "", " * CVE-2025-21756", " - vsock: Keep the binding until socket destruction", " - vsock: Orphan socket after transport release", "", " * CVE-2024-50256", " - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()", "", " * CVE-2025-21702", " - pfifo_tail_enqueue: Drop new packet when sch->limit == 0", "", " * CVE-2025-21703", " - netem: Update 
sch->q.qlen before qdisc_tree_reduce_backlog()", "", " * CVE-2025-21700", " - net: sched: Disallow replacing of child qdisc from one parent to another", "", " * CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", "", " * CVE-2024-56651", " - can: hi311x: hi3110_can_ist(): fix potential use-after-free", "", " * iBFT iSCSI out-of-bounds shift UBSAN warning (LP: #2097824)", " - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()", "", " * CVE-2024-50248", " - ntfs3: Add bounds checking to mi_enum_attr()", " - fs/ntfs3: Sequential field availability check in mi_enum_attr()", "", " * CVE-2022-0995", " - watch_queue: Use the bitmap API when applicable", "", " * CVE-2024-26837", " - net: bridge: switchdev: Skip MDB replays of deferred events on offload", "", " * CVE-2025-21701", " - net: avoid race between device unregistration and ethnl ops", "", " * CVE-2024-57798", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/dp_mst: Ensure mst_primary pointer is valid in", " drm_dp_mst_handle_up_req()", "", " * CVE-2024-56658", " - net: defer final 'struct net' free in netns dismantle", "", " * CVE-2024-35864", " - smb: client: fix potential UAF in smb2_is_valid_lease_break()", "", " * CVE-2024-35864/CVE-2024-26928", " - smb: client: fix potential UAF in cifs_debug_files_proc_show()", "" ], "package": "linux", "version": "5.15.0-138.148", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 15:32:05 +0100" } ], "notes": "linux-headers-5.15.0-138 version '5.15.0-138.148' (source package linux version '5.15.0-138.148') was added. linux-headers-5.15.0-138 version '5.15.0-138.148' has the same source package name, linux, as removed package linux-headers-5.15.0-135. As such we can use the source package version of the removed package, '5.15.0-135.146', as the starting point in our changelog diff. 
Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-headers-5.15.0-138-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-138.148", "version": "5.15.0-138.148" }, "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. 
vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "changes": [ { "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. 
transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-138.148 -proposed tracker (LP: #2102587)", "", " * ipsec_offload in rtnetlink.sh from ubunsu_kselftests_net fails on O/J", " (LP: #2096976)", " - SAUCE: selftest: netfilter: fix null IP field in kci_test_ipsec_offload", "", " * CVE-2025-21756", " - vsock: Keep the binding until socket destruction", " - vsock: Orphan socket after transport release", "", " * CVE-2024-50256", " - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()", "", " * CVE-2025-21702", " - pfifo_tail_enqueue: Drop new packet when sch->limit == 0", "", " * CVE-2025-21703", " - netem: Update 
sch->q.qlen before qdisc_tree_reduce_backlog()", "", " * CVE-2025-21700", " - net: sched: Disallow replacing of child qdisc from one parent to another", "", " * CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", "", " * CVE-2024-56651", " - can: hi311x: hi3110_can_ist(): fix potential use-after-free", "", " * iBFT iSCSI out-of-bounds shift UBSAN warning (LP: #2097824)", " - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()", "", " * CVE-2024-50248", " - ntfs3: Add bounds checking to mi_enum_attr()", " - fs/ntfs3: Sequential field availability check in mi_enum_attr()", "", " * CVE-2022-0995", " - watch_queue: Use the bitmap API when applicable", "", " * CVE-2024-26837", " - net: bridge: switchdev: Skip MDB replays of deferred events on offload", "", " * CVE-2025-21701", " - net: avoid race between device unregistration and ethnl ops", "", " * CVE-2024-57798", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/dp_mst: Ensure mst_primary pointer is valid in", " drm_dp_mst_handle_up_req()", "", " * CVE-2024-56658", " - net: defer final 'struct net' free in netns dismantle", "", " * CVE-2024-35864", " - smb: client: fix potential UAF in smb2_is_valid_lease_break()", "", " * CVE-2024-35864/CVE-2024-26928", " - smb: client: fix potential UAF in cifs_debug_files_proc_show()", "" ], "package": "linux", "version": "5.15.0-138.148", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 15:32:05 +0100" } ], "notes": "linux-headers-5.15.0-138-generic version '5.15.0-138.148' (source package linux version '5.15.0-138.148') was added. linux-headers-5.15.0-138-generic version '5.15.0-138.148' has the same source package name, linux, as removed package linux-headers-5.15.0-135. As such we can use the source package version of the removed package, '5.15.0-135.146', as the starting point in our changelog diff. 
Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-5.15.0-138-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-135.146", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-138.148", "version": "5.15.0-138.148" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-138.148", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-138.148", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 16:58:32 +0100" } ], "notes": "linux-image-5.15.0-138-generic version '5.15.0-138.148' (source package linux-signed version '5.15.0-138.148') was added. linux-image-5.15.0-138-generic version '5.15.0-138.148' has the same source package name, linux-signed, as removed package linux-image-5.15.0-135-generic. As such we can use the source package version of the removed package, '5.15.0-135.146', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. 
Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-138-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-138.148", "version": "5.15.0-138.148" }, "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. 
vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "changes": [ { "cves": [ { "cve": "CVE-2025-21756", "url": "https://ubuntu.com/security/CVE-2025-21756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. 
transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. 
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e", "cve_priority": "medium", "cve_public_date": "2025-02-27 03:15:00 UTC" }, { "cve": "CVE-2024-50256", "url": "https://ubuntu.com/security/CVE-2024-50256", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() I got a syzbot report without a repro [1] crashing in nf_send_reset6() I think the issue is that dev->hard_header_len is zero, and we attempt later to push an Ethernet header. Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c. [1] skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun kernel BUG at net/core/skbuff.c:206 ! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900045269b0 EFLAGS: 00010282 RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800 RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000 RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140 R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c FS: 00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_push+0xe5/0x100 net/core/skbuff.c:2636 eth_header+0x38/0x1f0 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3208 [inline] nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358 nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_nf_pre_routing_ipv6+0x63e/0x770 
net/bridge/br_netfilter_ipv6.c:184 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_bridge_pre net/bridge/br_input.c:277 [inline] br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424 __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562 __netif_receive_skb_one_core net/core/dev.c:5666 [inline] __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781 netif_receive_skb_internal net/core/dev.c:5867 [inline] netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926 tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550 tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007 tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xa6d/0xc90 fs/read_write.c:683 ksys_write+0x183/0x2b0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdbeeb7d1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8 RBP: 00007fdbeebf12be R08: 0000000 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2025-21702", "url": "https://ubuntu.com/security/CVE-2025-21702", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. 
Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21703", "url": "https://ubuntu.com/security/CVE-2025-21703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. 
Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.", "cve_priority": "medium", "cve_public_date": "2025-02-18 15:15:00 UTC" }, { "cve": "CVE-2025-21700", "url": "https://ubuntu.com/security/CVE-2025-21700", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. 
There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of \"replace\" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could \"fix\" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of \"disallow such config\". Joint work with Lion Ackermann ", "cve_priority": "medium", "cve_public_date": "2025-02-13 12:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "low", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-56651", "url": "https://ubuntu.com/security/CVE-2024-56651", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: hi311x: hi3110_can_ist(): fix potential use-after-free The commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr during bus-off\") removed the reporting of rxerr and txerr even in case of correct operation (i. e. not bus-off). The error count information added to the CAN frame after netif_rx() is a potential use after free, since there is no guarantee that the skb is in the same state. It might be freed or reused. 
Fix the issue by postponing the netif_rx() call in case of txerr and rxerr reporting.", "cve_priority": "medium", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-50248", "url": "https://ubuntu.com/security/CVE-2024-50248", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ntfs3: Add bounds checking to mi_enum_attr() Added bounds checking to make sure that every attr don't stray beyond valid memory region.", "cve_priority": "medium", "cve_public_date": "2024-11-09 11:15:00 UTC" }, { "cve": "CVE-2022-0995", "url": "https://ubuntu.com/security/CVE-2022-0995", "cve_description": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.", "cve_priority": "high", "cve_public_date": "2022-03-25 19:15:00 UTC" }, { "cve": "CVE-2024-26837", "url": "https://ubuntu.com/security/CVE-2024-26837", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. 
As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. 
Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2025-21701", "url": "https://ubuntu.com/security/CVE-2025-21701", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. 
Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.", "cve_priority": "medium", "cve_public_date": "2025-02-13 15:15:00 UTC" }, { "cve": "CVE-2024-57798", "url": "https://ubuntu.com/security/CVE-2024-57798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.", "cve_priority": "high", "cve_public_date": "2025-01-11 13:15:00 UTC" }, { "cve": "CVE-2024-56658", "url": "https://ubuntu.com/security/CVE-2024-56658", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. 
See a relevant issue fixed in : ac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" }, { "cve": "CVE-2024-35864", "url": "https://ubuntu.com/security/CVE-2024-35864", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-05-19 09:15:00 UTC" }, { "cve": "CVE-2024-26928", "url": "https://ubuntu.com/security/CVE-2024-26928", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.", "cve_priority": "high", "cve_public_date": "2024-04-28 12:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-138.148 -proposed tracker (LP: #2102587)", "", " * ipsec_offload in rtnetlink.sh from ubunsu_kselftests_net fails on O/J", " (LP: #2096976)", " - SAUCE: selftest: netfilter: fix null IP field in kci_test_ipsec_offload", "", " * CVE-2025-21756", " - vsock: Keep the binding until socket destruction", " - vsock: Orphan socket after transport release", "", " * CVE-2024-50256", " - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()", "", " * CVE-2025-21702", " - pfifo_tail_enqueue: Drop new packet when sch->limit == 0", "", " * CVE-2025-21703", " - netem: Update 
sch->q.qlen before qdisc_tree_reduce_backlog()", "", " * CVE-2025-21700", " - net: sched: Disallow replacing of child qdisc from one parent to another", "", " * CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", "", " * CVE-2024-56651", " - can: hi311x: hi3110_can_ist(): fix potential use-after-free", "", " * iBFT iSCSI out-of-bounds shift UBSAN warning (LP: #2097824)", " - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()", "", " * CVE-2024-50248", " - ntfs3: Add bounds checking to mi_enum_attr()", " - fs/ntfs3: Sequential field availability check in mi_enum_attr()", "", " * CVE-2022-0995", " - watch_queue: Use the bitmap API when applicable", "", " * CVE-2024-26837", " - net: bridge: switchdev: Skip MDB replays of deferred events on offload", "", " * CVE-2025-21701", " - net: avoid race between device unregistration and ethnl ops", "", " * CVE-2024-57798", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/dp_mst: Ensure mst_primary pointer is valid in", " drm_dp_mst_handle_up_req()", "", " * CVE-2024-56658", " - net: defer final 'struct net' free in netns dismantle", "", " * CVE-2024-35864", " - smb: client: fix potential UAF in smb2_is_valid_lease_break()", "", " * CVE-2024-35864/CVE-2024-26928", " - smb: client: fix potential UAF in cifs_debug_files_proc_show()", "" ], "package": "linux", "version": "5.15.0-138.148", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2102587, 2096976, 2097824 ], "author": "Stefan Bader ", "date": "Fri, 14 Mar 2025 15:32:05 +0100" } ], "notes": "linux-modules-5.15.0-138-generic version '5.15.0-138.148' (source package linux version '5.15.0-138.148') was added. linux-modules-5.15.0-138-generic version '5.15.0-138.148' has the same source package name, linux, as removed package linux-headers-5.15.0-135. As such we can use the source package version of the removed package, '5.15.0-135.146', as the starting point in our changelog diff. 
Kernel packages are an example of a case where the binary package name changes while the source package stays the same: the version string is part of the binary package name (linux-headers-5.15.0-135 versus linux-headers-5.15.0-138 here), so each kernel update looks like a removal plus an addition. Using the removed package's source package version as the starting point means we still get a meaningful changelog diff even for what appears to be a brand-new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-135", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": "5.15.0-135.146" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-5.15.0-135-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": "5.15.0-135.146" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-5.15.0-135-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-135.146", "version": "5.15.0-135.146" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-135-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-135.146", "version": "5.15.0-135.146" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20250327 to 20250429", "from_series": "jammy", "to_series": "jammy", "from_serial": 
"20250327", "to_serial": "20250429", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }