The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Expected behaviour:
In case we reach the scheduler's limit, pfifo_tail_enqueue() will drop a packet in the scheduler's queue and decrease the scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueues the new packet and increases the scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the NET_XMIT_CN status code.
Weird behaviour:
In case we set sch->limit == 0 and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has a value equal to 0. Then, we continue to enqueue the new packet and increase the scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return the NET_XMIT_CN status code.
The problem is:
Let's say we have two qdiscs: QdiscA and QdiscB.
- QdiscA's type must have a '->graft()' function to create a parent/child relationship. Let's say QdiscA's type is hfsc. Enqueuing a packet to this qdisc will trigger hfsc_enqueue().
- QdiscB's type is pfifo_head_drop. Enqueuing a packet to this qdisc will trigger pfifo_tail_enqueue().
- QdiscB is configured to have sch->limit == 0.
- QdiscA is configured to route the enqueued packet to QdiscB.
Enqueuing a packet through QdiscA will lead to:
- hfsc_enqueue(QdiscA) -> pfifo_tail_enqueue(QdiscB)
- QdiscB->q.qlen += 1
- pfifo_tail_enqueue() returns NET_XMIT_CN
- hfsc_enqueue() checks for NET_XMIT_SUCCESS and sees NET_XMIT_CN
=> hfsc_enqueue() doesn't increase the qlen of QdiscA.
The whole process leads to a situation where QdiscA->q.qlen == 0 and QdiscB->q.qlen == 1. Replacing 'hfsc' with another type (for example: 'drr') still leads to the same problem. This violates the design where the parent's qlen should equal the sum of its children's qlen.
Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.(CVE-2025-21702)
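To make the accounting failure concrete, here is a small C model added for this advisory; it is neither kernel code nor the upstream patch. The struct qdisc, the NET_XMIT_* constants and the function names are constructed to mirror the control flow the commit message describes, using plain counters instead of real packet queues, and the "after" variant models the fix named in the commit title: a zero-limit queue drops the new packet outright instead of reporting congestion.

```c
/* Toy model of the qdisc qlen accounting described above. Constructed
 * illustration, not kernel code: the functions mimic the control flow of
 * pfifo_tail_enqueue() and of a classful parent such as hfsc_enqueue(),
 * with counters standing in for real sk_buff queues. */
#include <stdbool.h>
#include <stdio.h>

/* Same meaning as the kernel's NET_XMIT_* return codes. */
#define NET_XMIT_SUCCESS 0x00
#define NET_XMIT_DROP    0x01
#define NET_XMIT_CN      0x02

struct qdisc {
    unsigned int qlen;   /* packets currently queued (sch->q.qlen) */
    unsigned int limit;  /* configured queue limit (sch->limit) */
};

/* Pre-fix behaviour: at the limit, drop one queued packet (if any), then
 * enqueue the new one and report congestion. With limit == 0 and an empty
 * queue the "drop" step is a no-op, so qlen grows although the caller is
 * told NET_XMIT_CN rather than NET_XMIT_SUCCESS. */
static int pfifo_tail_enqueue_before(struct qdisc *sch)
{
    if (sch->qlen < sch->limit) {
        sch->qlen++;
        return NET_XMIT_SUCCESS;
    }
    if (sch->qlen > 0)   /* "drop a packet in the scheduler's queue" */
        sch->qlen--;
    sch->qlen++;         /* enqueue the new packet */
    return NET_XMIT_CN;
}

/* Fixed behaviour: a zero-limit queue can never hold a packet, so the new
 * packet is dropped and qlen is left untouched. */
static int pfifo_tail_enqueue_after(struct qdisc *sch)
{
    if (sch->limit == 0)
        return NET_XMIT_DROP;
    return pfifo_tail_enqueue_before(sch);
}

/* Classful parent: forwards the packet to the child and counts it in its
 * own qlen only on NET_XMIT_SUCCESS, as hfsc_enqueue() does. */
static int parent_enqueue(struct qdisc *parent, struct qdisc *child,
                          int (*child_enqueue)(struct qdisc *))
{
    int err = child_enqueue(child);

    if (err != NET_XMIT_SUCCESS)
        return err;
    parent->qlen++;
    return NET_XMIT_SUCCESS;
}

/* The design invariant from the commit message, for a single child. */
static bool qlen_consistent(const struct qdisc *parent, const struct qdisc *child)
{
    return parent->qlen == child->qlen;
}

/* One enqueue through a parent whose child has limit == 0; returns whether
 * the invariant still holds and optionally the child's status code. */
static bool run_scenario(int (*child_enqueue)(struct qdisc *), int *status_out)
{
    struct qdisc parent = { .qlen = 0, .limit = 16 };
    struct qdisc child  = { .qlen = 0, .limit = 0 };
    int status = parent_enqueue(&parent, &child, child_enqueue);

    if (status_out)
        *status_out = status;
    printf("status=%d parent.qlen=%u child.qlen=%u\n",
           status, parent.qlen, child.qlen);
    return qlen_consistent(&parent, &child);
}

static int scenario_status(int (*child_enqueue)(struct qdisc *))
{
    int status;

    run_scenario(child_enqueue, &status);
    return status;
}

int main(void)
{
    printf("before fix: consistent=%d\n", run_scenario(pfifo_tail_enqueue_before, NULL));
    printf("after fix:  consistent=%d\n", run_scenario(pfifo_tail_enqueue_after, NULL));
    return 0;
}
```

Run as is, the "before" case ends with parent.qlen 0 and child.qlen 1, the mismatch the commit message describes; the "after" case returns NET_XMIT_DROP and both counters stay at 0.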
In the Linux kernel, the following vulnerability has been resolved:
mptcp: always handle address removal under msk socket lock
Syzkaller reported a lockdep splat in the PM control path:
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788
Modules linked in:
CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]
RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]
RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788
Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff
RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283
RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408
RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000
R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0
R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00
FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59
mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486
mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]
mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:733
____sys_sendmsg+0x53a/0x860 net/socket.c:2573
___sys_sendmsg net/socket.c:2627 [inline]
__sys_sendmsg+0x269/0x350 net/socket.c:2659
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e9998cde9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9
RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007
RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088
Indeed the PM can try to send an RM_ADDR over a msk without first acquiring the msk socket lock.
The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications.
The above statement is incorrect, as without locks another process could concur ---truncated---(CVE-2025-21875)
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
Add a check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent a null pointer dereference.(CVE-2025-21936)
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()
Add a check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent a null pointer dereference.(CVE-2025-21937)
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: fix Tx L4 checksum
The hardware only supports L4 checksum offload for the TCP/UDP/SCTP protocols. There was a bug that set the Tx checksum flag for other protocols, which results in a Tx ring hang. Fix it by computing a software checksum for these packets.(CVE-2025-22101)
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Mask the bd_cnt field in the TX BD properly
The bd_cnt field in the TX BD specifies the total number of BDs for the TX packet. The bd_cnt field has 5 bits and the maximum number supported is 32 with the value 0.
CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB fragments can approach or exceed the maximum supported by the chip. Add a macro to properly mask the bd_cnt field so that the value 32 will be properly masked and set to 0 in the bd_cnt field.
Without this patch, the out-of-range bd_cnt value will corrupt the TX BD and may cause a TX timeout.
The next patch will check for values exceeding 32.(CVE-2025-22108)
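The following C snippet is added to illustrate the masking described above; it is not the bnxt_en driver's code. The bit position of the field (bits 8..12 of a 32-bit len/flags word) and the macro names are assumptions chosen only to resemble the driver's naming, and the range check at the end stands for the separate check the commit message says a later patch adds.

```c
/* Constructed illustration of a 5-bit bd_cnt field in a TX descriptor
 * word. Not driver code: field position and macro names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TX_BD_FLAGS_BD_CNT_SHIFT 8
#define TX_BD_FLAGS_BD_CNT       (0x1fu << TX_BD_FLAGS_BD_CNT_SHIFT)
#define TX_BD_MAX_BD_CNT         32u   /* encoded as 0 in the 5-bit field */

/* Unmasked encoding: writes n << 8 straight into the word. For n == 32,
 * 0x20 << 8 sets bit 13, which lies outside the field and lands on
 * whatever flag the hardware keeps there, corrupting the descriptor. */
static uint32_t encode_bd_cnt_unmasked(unsigned int n)
{
    return (uint32_t)n << TX_BD_FLAGS_BD_CNT_SHIFT;
}

/* Masked encoding, as the fix introduces: keeps only the five field bits,
 * so 32 wraps to 0, the hardware's representation of "32 BDs". */
static uint32_t encode_bd_cnt(unsigned int n)
{
    return ((uint32_t)n << TX_BD_FLAGS_BD_CNT_SHIFT) & TX_BD_FLAGS_BD_CNT;
}

/* Reads the count back the way hardware interprets it: field value 0 is 32. */
static unsigned int decode_bd_cnt(uint32_t len_flags)
{
    unsigned int v = (len_flags & TX_BD_FLAGS_BD_CNT) >> TX_BD_FLAGS_BD_CNT_SHIFT;

    return v == 0 ? TX_BD_MAX_BD_CNT : v;
}

/* True if an encoding touched no bits outside the bd_cnt field. */
static bool field_stays_in_bounds(uint32_t len_flags)
{
    return (len_flags & ~TX_BD_FLAGS_BD_CNT) == 0;
}

/* Masking alone silently turns 33 into 1; a packet needing more than 32
 * BDs must therefore be rejected before a descriptor is built. */
static bool bd_cnt_in_range(unsigned int n)
{
    return n >= 1 && n <= TX_BD_MAX_BD_CNT;
}

int main(void)
{
    unsigned int counts[] = { 1, 31, 32, 33 };

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        unsigned int n = counts[i];

        printf("n=%2u unmasked=0x%04x masked=0x%04x decoded=%2u in_range=%d\n",
               n, encode_bd_cnt_unmasked(n), encode_bd_cnt(n),
               decode_bd_cnt(encode_bd_cnt(n)), bd_cnt_in_range(n));
    }
    return 0;
}
```

The n=32 row shows the two encodings diverging (0x2000 unmasked, 0x0000 masked), and the n=33 row shows why masking is not a substitute for the range check.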
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: check that event count does not exceed event buffer length
The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that the event count does not exceed the event buffer length, avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34(CVE-2025-37810)
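As an added illustration of the check described above (constructed for this advisory, not the dwc3 driver's code), the model below treats the event buffer as a ring of bytes that is copied into a same-sized cache from a read position; that ring layout, the structure fields and the function names are assumptions, and the count that the driver would read from DWC3_GEVNTCOUNT is passed in as a parameter.

```c
/* Constructed model of validating an event count before memcpy. Not
 * driver code: ring layout, field names and sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EVT_LENGTH 16u   /* constructed: small ring so the output is readable */

struct evt_buf {
    uint8_t buf[EVT_LENGTH];    /* what the controller writes events into */
    uint8_t cache[EVT_LENGTH];  /* driver-side copy processed later */
    unsigned int length;        /* size of both arrays */
    unsigned int lpos;          /* current read position in the ring */
};

enum evt_status { EVT_NONE = 0, EVT_HANDLED = 1, EVT_INVALID = 2 };

/* Per-interrupt step. `count` stands in for the register value. Without
 * the `count > evt->length` check, a count larger than the ring makes the
 * wrap-around memcpy read and write past both arrays. */
static enum evt_status check_event_buf(struct evt_buf *evt, unsigned int count)
{
    unsigned int amount;

    if (count == 0)
        return EVT_NONE;
    if (count > evt->length) {      /* the added bounds check */
        fprintf(stderr, "invalid count(%u) > evt->length(%u)\n",
                count, evt->length);
        return EVT_INVALID;
    }

    /* Copy up to the end of the ring, then wrap to its start if needed. */
    amount = count < evt->length - evt->lpos ? count : evt->length - evt->lpos;
    memcpy(evt->cache + evt->lpos, evt->buf + evt->lpos, amount);
    if (amount < count)
        memcpy(evt->cache, evt->buf, count - amount);

    evt->lpos = (evt->lpos + count) % evt->length;
    return EVT_HANDLED;
}

/* Fills the ring with a recognisable non-zero pattern (constructed data). */
static void evt_init(struct evt_buf *evt, unsigned int lpos)
{
    memset(evt, 0, sizeof *evt);
    evt->length = EVT_LENGTH;
    evt->lpos = lpos;
    for (unsigned int i = 0; i < EVT_LENGTH; i++)
        evt->buf[i] = (uint8_t)(0xA0 + i);
}

/* Status returned for one call at a given read position and count. */
static enum evt_status status_for(unsigned int lpos, unsigned int count)
{
    struct evt_buf evt;

    evt_init(&evt, lpos);
    return check_event_buf(&evt, count);
}

/* Number of cache bytes filled by one call; shows both the wrapped copy
 * and the rejected oversized count leaving the cache untouched. */
static unsigned int bytes_copied(unsigned int lpos, unsigned int count)
{
    struct evt_buf evt;
    unsigned int filled = 0;

    evt_init(&evt, lpos);
    check_event_buf(&evt, count);
    for (unsigned int i = 0; i < EVT_LENGTH; i++)
        if (evt.cache[i] != 0)
            filled++;
    return filled;
}

int main(void)
{
    printf("lpos=12 count=8  -> copied %u bytes (wraps)\n", bytes_copied(12, 8));
    printf("lpos=0  count=64 -> copied %u bytes (rejected)\n", bytes_copied(0, 64));
    return 0;
}
```

A count equal to the ring length is still accepted, since the copy then covers exactly the buffer; anything larger is refused before either memcpy runs.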
A vulnerability was found in Linux Kernel up to 6.16-rc2 (Operating System). It has been rated as critical. Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Impacted is availability. Upgrading to version 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc3 eliminates this vulnerability. Applying the patch 5e8c658acd1b7c186aeffa46bf08795e121f401a/07d7b8e7ef7d1f812a6211ed531947c56d09e95e/a7b477b64ef5e37cb08dd536ae07c46f9f28262e/f3b840fb1508a80cd8a0efb5c886ae1995a88b24/4d71f2c1e5263a9f042faa71d59515709869dc79/32d05e6cc3a7bf6c8f16f7b7ef8fe80eca0c233e/61ce04601e0d8265ec6d2ffa6df5a7e1bce64854 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38197)
A vulnerability was found in Linux Kernel up to 6.15.3 (Operating System). It has been rated as critical. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch 5f1e1573bf103303944fd7225559de5d8297539c/b968ba8bfd9f90914957bbbd815413bf6a98eca7/74bc813d11c30e28fc5261dc877cca662ccfac68/78297d53d3878d43c1d627d20cd09f611fa4b91d/5180561afff8e0f029073c8c8117c95c6512d1f9/68c173ea138b66d7dd1fd980c9bc578a18e11884/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057/d66adabe91803ef34a8b90613c81267b5ded1472 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-20044).(CVE-2025-38212)
In the Linux kernel, the following vulnerability has been resolved:
media: cxusb: no longer judge rbuf when the write fails
syzbot reported an uninit-value in cxusb_i2c_xfer. [1]
Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0 will the read operation of usb_bulk_msg() be executed to read rlen bytes of data from the dvb device into the rbuf.
In this case, although rlen is 1, the write operation failed, which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized.
[1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
__i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
i2c_master_send include/linux/i2c.h:109 [inline]
i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
do_loop_readv_writev fs/read_write.c:848 [inline]
vfs_writev+0x963/0x14e0 fs/read_write.c:1057
do_writev+0x247/0x5c0 fs/read_write.c:1101
__do_sys_writev fs/read_write.c:1169 [inline]
__se_sys_writev fs/read_write.c:1166 [inline]
__x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2025-38229)
A vulnerability was found in Linux Kernel up to 6.15.2/fc2778c42f99c7de52fc004157b3c3ee4dcc208a (Operating System). It has been rated as problematic. Impacted is confidentiality, integrity, and availability. Upgrading to version 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch ac49b7560b4b08b1e4043a29214cc7ad77644c00/e2d2115e56c4a02377189bfc3a9a7933552a7b0f is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38279)
A vulnerability, which was classified as problematic, was found in Linux Kernel (Operating System). CWE is classifying the issue as CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch e7fb4ebee6e900899d2b2e5852c3e2eafcbcad66/ef92b96530d1731d9ac167bc7c193c683cd78fff/6f639c25bfad17d9fd7379ab91ff9678ea9aac85/2bc6dffb4b72d53d6a6ada510269bf548c3f7ae0/0b9bb52796b239de6792d0d68cdc6eb505ebff96/86bc9c742426a16b52a10ef61f5b721aecca2344 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38280)
A vulnerability has been found in Linux Kernel up to 6.15.2 (Operating System) and classified as critical. The CWE definition for the vulnerability is CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch 44ebe361abb322d2afd77930fa767a99f271c4d1/147ea936fc6fa8fe0c93f0df918803a5375ca535/ee90be48edb3dac612e0b7f5332482a9e8be2696/e167414beabb1e941fe563a96becc98627d5bdf6/6d8f39875a10a194051c3eaefebc7ac06a34aaf3/c98cdf6795a36bca163ebb40411fef1687b9eb13/18e8cbbae79cb35bdce8a01c889827b9799c762e/3880cdbed1c4607e378f58fa924c5d6df900d1d3 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38285)
A vulnerability was found in Linux Kernel up to 6.16-rc2 (Operating System). It has been declared as problematic. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc3 eliminates this vulnerability. Applying the patch 64773b3ea09235168a549a195cba43bb867c4a17/67abac27d806e8f9d4226ec1528540cf73af673a/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38/01f91d415a8375d85e0c7d3615cd4a168308bb7c/21da6d3561f373898349ca7167c9811c020da695/22f935bc86bdfbde04009f05eee191d220cd8c89/422e565b7889ebfd9c8705a3fc786642afe61fca/39dfc971e42d886e7df01371cd1bef505076d84c is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-20926).(CVE-2025-38320)
A vulnerability was found in Linux Kernel up to 6.15.3/6.16-rc2 (Operating System). It has been rated as critical. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. Upgrading to version 6.15.4 or 6.16-rc3 eliminates this vulnerability. Applying the patch a85cc69acdcb05f8cd226b8ea0778b8e2e887e6f/b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38322)
A vulnerability was found in Linux Kernel up to 6.15.3 (Operating System). It has been declared as critical. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch d064c68781c19f378af1ae741d9132d35d24b2bb/8690cd3258455bbae64f809e1d3ee0f043661c71/6805582abb720681dd1c87ff677f155dcf4e86c9/03a162933c4a03b9f1a84f7d8482903c7e1e11bb/83a692a9792aa86249d68a8ac0b9d55ecdd255fa/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c/f78a786ad9a5443a29eef4dae60cde85b7375129/f914b52c379c12288b7623bb814d0508dbe7481d is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38346)
{ "severity": "High" }
{ "src": [ "kernel-6.6.0-101.0.0.104.oe2403sp1.src.rpm" ], "x86_64": [ "bpftool-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "bpftool-debuginfo-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-debuginfo-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-debugsource-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-devel-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-headers-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-source-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-tools-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-tools-debuginfo-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "kernel-tools-devel-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "perf-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "perf-debuginfo-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "python3-perf-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm", "python3-perf-debuginfo-6.6.0-101.0.0.104.oe2403sp1.x86_64.rpm" ], "aarch64": [ "bpftool-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "bpftool-debuginfo-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-debuginfo-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-debugsource-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-devel-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-headers-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-source-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-tools-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-tools-debuginfo-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "kernel-tools-devel-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "perf-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "perf-debuginfo-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "python3-perf-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm", "python3-perf-debuginfo-6.6.0-101.0.0.104.oe2403sp1.aarch64.rpm" ] }