{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality.\n\nSiemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-032379: Multiple Vulnerabilities in SIMATIC CN 4100 Before V5.0 - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
      },
      {
        "category": "self",
        "summary": "SSA-032379: Multiple Vulnerabilities in SIMATIC CN 4100 Before V5.0 - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-032379.json"
      }
    ],
    "title": "SSA-032379: Multiple Vulnerabilities in SIMATIC CN 4100 Before V5.0",
    "tracking": {
      "current_release_date": "2026-05-12T00:00:00.000Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-032379",
      "initial_release_date": "2026-05-12T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-12T00:00:00.000Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "interim",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:intdot/<5.0",
                "product": {
                  "name": "SIMATIC CN 4100",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC CN 4100"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47704",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Check link_res->hpo_dp_link_enc before using it\r\n\r\n[WHAT & HOW]\r\nFunctions dp_enable_link_phy and dp_disable_link_phy can pass link_res\r\nwithout initializing hpo_dp_link_enc and it is necessary to check for\r\nnull before dereferencing.\r\n\r\nThis fixes 2 FORWARD_NULL issues reported by Coverity.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2024-47704"
    },
    {
      "cve": "CVE-2024-57924",
      "cwe": {
        "id": "CWE-617",
        "name": "Reachable Assertion"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: relax assertions on failure to encode file handles\n\nEncoding file handles is usually performed by a filesystem >encode_fh()\nmethod that may fail for various reasons.\n\nThe legacy users of exportfs_encode_fh(), namely, nfsd and\nname_to_handle_at(2) syscall are ready to cope with the possibility\nof failure to encode a file handle.\n\nThere are a few other users of exportfs_encode_{fh,fid}() that\ncurrently have a WARN_ON() assertion when ->encode_fh() fails.\nRelax those assertions because they are wrong.\n\nThe second linked bug report states commit 16aac5ad1fa9 (\"ovl: support\nencoding non-decodable file handles\") in v6.6 as the regressing commit,\nbut this is not accurate.\n\nThe aforementioned commit only increases the chances of the assertion\nand allows triggering the assertion with the reproducer using overlayfs,\ninotify and drop_caches.\n\nTriggering this assertion was always possible with other filesystems and\nother reasons of ->encode_fh() failures and more particularly, it was\nalso possible with the exact same reproducer using overlayfs that is\nmounted with options index=on,nfs_export=on also on kernels < v6.6.\nTherefore, I am not listing the aforementioned commit as a Fixes commit.\n\nBackport hint: this patch will have a trivial conflict applying to\nv6.6.y, and other trivial conflicts applying to stable kernels < v6.6.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2024-57924"
    },
    {
      "cve": "CVE-2024-58240",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: separate no-async decryption request handling from async\r\n\r\nIf we're not doing async, the handling is much simpler. There's no\r\nreference counting, we just need to wait for the completion to wake us\r\nup and return its result.\r\n\r\nWe should preferably also use a separate crypto_wait. I'm not seeing a\r\nUAF as I did in the past, I think aec7961916f3 (\"tls: fix race between\r\nasync notify and socket close\") took care of it.\r\n\r\nThis will make the next fix easier.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2024-58240"
    },
    {
      "cve": "CVE-2025-6021",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6021"
    },
    {
      "cve": "CVE-2025-6052",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in how GLib\u2019s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn\u2019t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6052"
    },
    {
      "cve": "CVE-2025-7425",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-7425"
    },
    {
      "cve": "CVE-2025-8916",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java.\r\n\r\nThis issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-8916"
    },
    {
      "cve": "CVE-2025-9230",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An application trying to decrypt CMS messages encrypted using\npassword based encryption can trigger an out-of-bounds read and write.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application. The out-of-bounds write can cause\na memory corruption which can have various consequences including\na Denial of Service or Execution of attacker-supplied code.\n\nAlthough the consequences of a successful exploit of this vulnerability\ncould be severe, the probability that the attacker would be able to\nperform it is low. Besides, password based (PWRI) encryption support in CMS\nmessages is very rarely used. For that reason the issue was assessed as\nModerate severity according to our Security Policy.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9230"
    },
    {
      "cve": "CVE-2025-9231",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker..\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts.  However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9231"
    },
    {
      "cve": "CVE-2025-9232",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9232"
    },
    {
      "cve": "CVE-2025-9820",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9820"
    },
    {
      "cve": "CVE-2025-14831",
      "cwe": {
        "id": "CWE-407",
        "name": "Inefficient Algorithmic Complexity"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-14831"
    },
    {
      "cve": "CVE-2025-23143",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\r\n\r\nWhen I ran the repro [0] and waited a few seconds, I observed two\r\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\r\n\r\nReproduction Steps:\r\n\r\n  1) Mount CIFS\r\n  2) Add an iptables rule to drop incoming FIN packets for CIFS\r\n  3) Unmount CIFS\r\n  4) Unload the CIFS module\r\n  5) Remove the iptables rule\r\n\r\nAt step 3), the CIFS module calls sock_release() for the underlying\r\nTCP socket, and it returns quickly.  However, the socket remains in\r\nFIN_WAIT_1 because incoming FIN packets are dropped.\r\n\r\nAt this point, the module's refcnt is 0 while the socket is still\r\nalive, so the following rmmod command succeeds.\r\n\r\n  # ss -tan\r\n  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port\r\n  FIN-WAIT-1 0      477        10.0.2.15:51062   10.0.0.137:445\r\n\r\n  # lsmod | grep cifs\r\n  cifs                 1159168  0\r\n\r\nThis highlights a discrepancy between the lifetime of the CIFS module\r\nand the underlying TCP socket.  Even after CIFS calls sock_release()\r\nand it returns, the TCP socket does not die immediately in order to\r\nclose the connection gracefully.\r\n\r\nWhile this is generally fine, it causes an issue with LOCKDEP because\r\nCIFS assigns a different lock class to the TCP socket's sk->sk_lock\r\nusing sock_lock_init_class_and_name().\r\n\r\nOnce an incoming packet is processed for the socket or a timer fires,\r\nsk->sk_lock is acquired.\r\n\r\nThen, LOCKDEP checks the lock context in check_wait_context(), where\r\nhlock_class() is called to retrieve the lock class.  
However, since\r\nthe module has already been unloaded, hlock_class() logs a warning\r\nand returns NULL, triggering the null-ptr-deref.\r\n\r\nIf LOCKDEP is enabled, we must ensure that a module calling\r\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\r\nwhile such a socket is still alive to prevent this issue.\r\n\r\nLet's hold the module reference in sock_lock_init_class_and_name()\r\nand release it when the socket is freed in sk_prot_free().\r\n\r\nNote that sock_lock_init() clears sk->sk_owner for svc_create_socket()\r\nthat calls sock_lock_init_class_and_name() for a listening socket,\r\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\r\n\r\n[0]:\r\nCIFS_SERVER=\"10.0.0.137\"\r\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\r\nDEV=\"enp0s3\"\r\nCRED=\"/root/WindowsCredential.txt\"\r\n\r\nMNT=$(mktemp -d /tmp/XXXXXX)\r\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\r\n\r\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\r\n\r\nfor i in $(seq 10);\r\ndo\r\n    umount ${MNT}\r\n    rmmod cifs\r\n    sleep 1\r\ndone\r\n\r\nrm -r ${MNT}\r\n\r\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\r\n\r\n[1]:\r\nDEBUG_LOCKS_WARN_ON(1)\r\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\r\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\r\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\r\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\r\n...\r\nCall Trace:\r\n <IRQ>\r\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\r\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\r\n _raw_spin_lock_nested 
(kernel/locking/spinlock.c:379)\r\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)\r\n...\r\n\r\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\r\n PF: supervisor read access in kernel mode\r\n PF: error_code(0x0000) - not-present page\r\nPGD 0\r\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\r\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G        W          6.14.0 #36\r\nTainted: [W]=WARN\r\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:__lock_acquire (kernel/\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-23143"
    },
    {
      "cve": "CVE-2025-23160",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization\r\n\r\nOn Mediatek devices with a system companion processor (SCP) the mtk_scp\r\nstructure has to be removed explicitly to avoid a resource leak.\r\nFree the structure in case the allocation of the firmware structure fails\r\nduring the firmware initialization.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-23160"
    },
    {
      "cve": "CVE-2025-31257",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-31257"
    },
    {
      "cve": "CVE-2025-37931",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: adjust subpage bit start based on sectorsize\r\n\r\nWhen running machines with 64k page size and a 16k nodesize we started\r\nseeing tree log corruption in production.  This turned out to be because\r\nwe were not writing out dirty blocks sometimes, so this in fact affects\r\nall metadata writes.\r\n\r\nWhen writing out a subpage EB we scan the subpage bitmap for a dirty\r\nrange.  If the range isn't dirty we do\r\n\r\n\tbit_start++;\r\n\r\nto move onto the next bit.  The problem is the bitmap is based on the\r\nnumber of sectors that an EB has.  So in this case, we have a 64k\r\npagesize, 16k nodesize, but a 4k sectorsize.  This means our bitmap is 4\r\nbits for every node.  With a 64k page size we end up with 4 nodes per\r\npage.\r\n\r\nTo make this easier this is how everything looks\r\n\r\n[0         16k       32k       48k     ] logical address\r\n[0         4         8         12      ] radix tree offset\r\n[               64k page               ] folio\r\n[ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers\r\n[ | | | |  | | | |   | | | |   | | | | ] bitmap\r\n\r\nNow we use all of our addressing based on fs_info->sectorsize_bits, so\r\nas you can see above, our 16k eb->start turns into radix entry 4.\r\n\r\nWhen we find a dirty range for our eb, we correctly do bit_start +=\r\nsectors_per_node, because if we start at bit 0, the next bit for the\r\nnext eb is 4, to correspond to eb->start 16k.\r\n\r\nHowever if our range is clean, we will do bit_start++, which will now\r\nput us offset from our radix tree entries.\r\n\r\nIn our case, assume that the first time we check the bitmap the block is\r\nnot dirty, we increment bit_start so now it == 1, and then we loop\r\naround and check again.  This time it is dirty, and we go to find that\r\nstart using the following equation\r\n\r\n\tstart = folio_start + bit_start * fs_info->sectorsize;\r\n\r\nso in the case above, eb->start 0 is now dirty, and we calculate start\r\nas\r\n\r\n\t0 + 1 * fs_info->sectorsize = 4096\r\n\t4096 >> 12 = 1\r\n\r\nNow we're looking up the radix tree for 1, and we won't find an eb.\r\nWhat's worse is now we're using bit_start == 1, so we do bit_start +=\r\nsectors_per_node, which is now 5.  If that eb is dirty we will run into\r\nthe same thing, we will look at an offset that is not populated in the\r\nradix tree, and now we're skipping the writeout of dirty extent buffers.\r\n\r\nThe best fix for this is to not use sectorsize_bits to address nodes,\r\nbut that's a larger change.  Since this is a fs corruption problem fix\r\nit simply by always using sectors_per_node to increment the start bit.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-37931"
    },
    {
      "cve": "CVE-2025-37968",
      "cwe": {
        "id": "CWE-667",
        "name": "Improper Locking"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: light: opt3001: fix deadlock due to concurrent flag access\r\n\r\nThe threaded IRQ function in this driver is reading the flag twice: once to\r\nlock a mutex and once to unlock it. Even though the code setting the flag\r\nis designed to prevent it, there are subtle cases where the flag could be\r\ntrue at the mutex_lock stage and false at the mutex_unlock stage. This\r\nresults in the mutex not being unlocked, resulting in a deadlock.\r\n\r\nFix it by making the opt3001_irq() code generally more robust, reading the\r\nflag into a variable and using the variable value at both stages.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-37968"
    },
    {
      "cve": "CVE-2025-38322",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/intel: Fix crash in icl_update_topdown_event()\r\n\r\nThe perf_fuzzer found a hard-lockup crash on a RaptorLake machine:\r\n\r\n  Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000\r\n  CPU: 23 UID: 0 PID: 0 Comm: swapper/23\r\n  Tainted: [W]=WARN\r\n  Hardware name: Dell Inc. Precision 9660/0VJ762\r\n  RIP: 0010:native_read_pmc+0x7/0x40\r\n  Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...\r\n  RSP: 000:fffb03100273de8 EFLAGS: 00010046\r\n  ....\r\n  Call Trace:\r\n    <TASK>\r\n    icl_update_topdown_event+0x165/0x190\r\n    ? ktime_get+0x38/0xd0\r\n    intel_pmu_read_event+0xf9/0x210\r\n    __perf_event_read+0xf9/0x210\r\n\r\nCPUs 16-23 are E-core CPUs that don't support the perf metrics feature.\r\nThe icl_update_topdown_event() should not be invoked on these CPUs.\r\n\r\nIt's a regression of commit:\r\n\r\n  f9bdf1f95339 (\"perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read\")\r\n\r\nThe bug introduced by that commit is that the is_topdown_event() function\r\nis mistakenly used to replace the is_topdown_count() call to check if the\r\ntopdown functions for the perf metrics feature should be invoked.\r\n\r\nFix it.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38322"
    },
    {
      "cve": "CVE-2025-38347",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to do sanity check on ino and xnid\r\n\r\nsyzbot reported a f2fs bug as below:\r\n\r\nINFO: task syz-executor140:5308 blocked for more than 143 seconds.\r\n      Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0\r\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\r\ntask:syz-executor140 state:D stack:24016 pid:5308  tgid:5308  ppid:5306   task_flags:0x400140 flags:0x00000006\r\nCall Trace:\r\n <TASK>\r\n context_switch kernel/sched/core.c:5378 [inline]\r\n __schedule+0x190e/0x4c90 kernel/sched/core.c:6765\r\n __schedule_loop kernel/sched/core.c:6842 [inline]\r\n schedule+0x14b/0x320 kernel/sched/core.c:6857\r\n io_schedule+0x8d/0x110 kernel/sched/core.c:7690\r\n folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317\r\n __folio_lock mm/filemap.c:1664 [inline]\r\n folio_lock include/linux/pagemap.h:1163 [inline]\r\n __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917\r\n pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87\r\n find_get_page_flags include/linux/pagemap.h:842 [inline]\r\n f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776\r\n __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463\r\n read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306\r\n lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]\r\n f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533\r\n __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179\r\n f2fs_acl_create fs/f2fs/acl.c:375 [inline]\r\n f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418\r\n f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539\r\n f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666\r\n f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765\r\n f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808\r\n f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]\r\n f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766\r\n vfs_mknod+0x36d/0x3b0 fs/namei.c:4191\r\n unix_bind_bsd net/unix/af_unix.c:1286 [inline]\r\n unix_bind+0x563/0xe30 net/unix/af_unix.c:1379\r\n __sys_bind_socket net/socket.c:1817 [inline]\r\n __sys_bind+0x1e4/0x290 net/socket.c:1848\r\n __do_sys_bind net/socket.c:1853 [inline]\r\n __se_sys_bind net/socket.c:1851 [inline]\r\n __x64_sys_bind+0x7a/0x90 net/socket.c:1851\r\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\r\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\r\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nLet's dump and check metadata of corrupted inode, it shows its xattr_nid\r\nis the same as its i_ino.\r\n\r\ndump.f2fs -i 3 chaseyu.img.raw\r\ni_xattr_nid                             [0x       3 : 3]\r\n\r\nSo that, during mknod in the corrupted directory, it tries to get and\r\nlock inode page twice, resulting in deadlock.\r\n\r\n- f2fs_mknod\r\n - f2fs_add_inline_entry\r\n  - f2fs_get_inode_page --- lock dir's inode page\r\n   - f2fs_init_acl\r\n    - f2fs_acl_create(dir,..)\r\n     - __f2fs_get_acl\r\n      - f2fs_getxattr\r\n       - lookup_all_xattrs\r\n        - __get_node_page --- try to lock dir's inode page\r\n\r\nIn order to fix this, let's add sanity check on ino and xnid.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38347"
    },
    {
      "cve": "CVE-2025-38491",
      "cwe": {
        "id": "CWE-667",
        "name": "Improper Locking"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: make fallback action and fallback decision atomic\r\n\r\nSyzkaller reported the following splat:\r\n\r\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\r\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\r\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\r\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\r\n  Modules linked in:\r\n  CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\r\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\r\n  RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\r\n  RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\r\n  RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\r\n  RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\r\n  Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\r\n  RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\r\n  RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\r\n  RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\r\n  RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\r\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\r\n  R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\r\n  FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\r\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n  CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\r\n  Call Trace:\r\n   <IRQ>\r\n   tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\r\n   tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\r\n   tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\r\n   tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\r\n   tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\r\n   ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\r\n   ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\r\n   NF_HOOK include/linux/netfilter.h:317 [inline]\r\n   NF_HOOK include/linux/netfilter.h:311 [inline]\r\n   ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\r\n   dst_input include/net/dst.h:469 [inline]\r\n   ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\r\n   NF_HOOK include/linux/netfilter.h:317 [inline]\r\n   NF_HOOK include/linux/netfilter.h:311 [inline]\r\n   ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\r\n   __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\r\n   __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088\r\n   process_backlog+0x301/0x1360 net/core/dev.c:6440\r\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\r\n   napi_poll net/core/dev.c:7517 [inline]\r\n   net_rx_action+0xb44/0x1010 net/core/dev.c:7644\r\n   handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\r\n   do_softirq+0x3f/0x90 kernel/softirq.c:480\r\n   </IRQ>\r\n   <TASK>\r\n   __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\r\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\r\n   inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\r\n   mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\r\n   mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\r\n   __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\r\n   mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\r\n   inet_release+0xed/0x200 net/ipv4/af_inet.c:435\r\n   inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\r\n   __sock_release+0xb3/0x270 net/socket.c:649\r\n   sock_close+0x1c/0x30 net/socket.c:1439\r\n   __fput+0x402/0xb70 fs/file_table.c:465\r\n   task_work_run+0x150/0x240 kernel/task_work.c:227\r\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\r\n   exit_to_user_mode_loop+0xd4\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38491"
    },
    {
      "cve": "CVE-2025-38502",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix oob access in cgroup local storage\r\n\r\nLonial reported that an out-of-bounds access in cgroup local storage\r\ncan be crafted via tail calls. Given two programs each utilizing a\r\ncgroup local storage with a different value size, and one program\r\ndoing a tail call into the other. The verifier will validate each of\r\nthe individual programs just fine. However, in the runtime context\r\nthe bpf_cg_run_ctx holds a bpf_prog_array_item which contains the\r\nBPF program as well as any cgroup local storage flavor the program\r\nuses. Helpers such as bpf_get_local_storage() pick this up from the\r\nruntime context:\r\n\r\n  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);\r\n  storage = ctx->prog_item->cgroup_storage[stype];\r\n\r\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\r\n    ptr = &READ_ONCE(storage->buf)->data[0];\r\n  else\r\n    ptr = this_cpu_ptr(storage->percpu_buf);\r\n\r\nFor the second program which was called from the originally attached\r\none, this means bpf_get_local_storage() will pick up the former\r\nprogram's map, not its own. With mismatching sizes, this can result\r\nin an unintended out-of-bounds access.\r\n\r\nTo fix this issue, we need to extend bpf_map_owner with an array of\r\nstorage_cookie[] to match on i) the exact maps from the original\r\nprogram if the second program was using bpf_get_local_storage(), or\r\nii) allow the tail call combination if the second program was not\r\nusing any of the cgroup local storage maps.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38502"
    },
    {
      "cve": "CVE-2025-38552",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: plug races between subflow fail and subflow creation\r\n\r\nWe have races similar to the one addressed by the previous patch between\r\nsubflow failing and additional subflow creation. They are just harder to\r\ntrigger.\r\n\r\nThe solution is similar. Use a separate flag to track the condition\r\n'socket state prevent any additional subflow creation' protected by the\r\nfallback lock.\r\n\r\nThe socket fallback makes such flag true, and also receiving or sending\r\nan MP_FAIL option.\r\n\r\nThe field 'allow_infinite_fallback' is now always touched under the\r\nrelevant lock, we can drop the ONCE annotation on write.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38552"
    },
    {
      "cve": "CVE-2025-38614",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don't\nlimit the depth of the resulting tree for two reasons:\n\n - They don't look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38614"
    },
    {
      "cve": "CVE-2025-38670",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\r\n\r\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\r\nto different stacks along with the Shadow Call Stack if it is enabled.\r\nThose two stack changes cannot be done atomically and both functions\r\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\r\nis very much broken: if interrupted, we can end up with mismatched stacks\r\nand Shadow Call Stack leading to clobbered stacks.\r\n\r\nIn `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,\r\nbut x18 still points to the old task's SCS. When the interrupt handler\r\ntries to save the task's SCS pointer, it will save the old task\r\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\r\nclobbering it.\r\n\r\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\r\nto the IRQ stack and when switching back. In both cases, we can be\r\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\r\nthe task stack. The nested interrupt handler pushes its return addresses\r\non the IRQ SCS. It then detects that SP points to the task stack,\r\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\r\nthe IRQ SCS pointer, which it will also use!\r\n\r\nThis leads to tasks returning to addresses on the wrong SCS,\r\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\r\nor FPAC if enabled.\r\n\r\nThis is possible on a default config, but unlikely.\r\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\r\ninstead the GIC is responsible for filtering what interrupts the CPU\r\nshould receive based on priority.\r\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\r\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\r\nfrequently depending on the system configuration and workload, leading\r\nto unpredictable kernel panics.\r\n\r\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\r\nDo the same in `call_on_irq_stack()`, but restore and mask around\r\nthe branch.\r\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\r\nof behaviour between all configurations.\r\n\r\nIntroduce and use an assembly macro for saving and masking DAIF,\r\nas the existing one saves but only masks IF.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38670"
    },
    {
      "cve": "CVE-2025-38676",
      "cwe": {
        "id": "CWE-805",
        "name": "Buffer Access with Incorrect Length Value"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\niommu/amd: Avoid stack buffer overflow from kernel cmdline\r\n\r\nWhile the kernel command line is considered trusted in most environments,\r\navoid writing 1 byte past the end of \"acpiid\" if the \"str\" argument is\r\nmaximum length.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38676"
    },
    {
      "cve": "CVE-2025-38677",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in dnode page\n\nAs Jiaming Zhang reported:\n\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x17e/0x800 mm/kasan/report.c:480\n kasan_report+0x147/0x180 mm/kasan/report.c:593\n data_blkaddr fs/f2fs/f2fs.h:3053 [inline]\n f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]\n f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855\n f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195\n prepare_write_begin fs/f2fs/data.c:3395 [inline]\n f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594\n generic_perform_write+0x2c7/0x910 mm/filemap.c:4112\n f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]\n f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x546/0xa90 fs/read_write.c:686\n ksys_write+0x149/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is in the corrupted image, there is a dnode that has the same\nnode id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to\naccess block address in dnode at offset 934, however it parses the dnode\nas inode node, so that get_dnode_addr() returns 360, then it tries to\naccess page address from 360 + 934 * 4 = 4096 w/ 4 bytes.\n\nTo fix this issue, let's add sanity check for node id of all direct nodes\nduring f2fs_get_dnode_of_data().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38677"
    },
    {
      "cve": "CVE-2025-38679",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: venus: Fix OOB read due to missing payload bound check\r\n\r\nCurrently, the event_seq_changed() handler processes a variable number\r\nof properties sent by the firmware. The number of properties is indicated\r\nby the firmware and used to iterate over the payload. However, the\r\npayload size is not being validated against the actual message length.\r\n\r\nThis can lead to out-of-bounds memory access if the firmware provides a\r\nproperty count that exceeds the data available in the payload. Such a\r\ncondition can result in kernel crashes or potential information leaks if\r\nmemory beyond the buffer is accessed.\r\n\r\nFix this by properly validating the remaining size of the payload before\r\neach property access and updating bounds accordingly as properties are\r\nparsed.\r\n\r\nThis ensures that property parsing is safely bounded within the received\r\nmessage buffer and protects against malformed or malicious firmware\r\nbehavior.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38679"
    },
    {
      "cve": "CVE-2025-38680",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\r\n\r\nThe buffer length check before calling uvc_parse_format() only ensured\r\nthat the buffer has at least 3 bytes (buflen > 2), but the function\r\naccesses buffer[3], requiring at least 4 bytes.\r\n\r\nThis can lead to an out-of-bounds read if the buffer has exactly 3 bytes.\r\n\r\nFix it by checking that the buffer has at least 4 bytes in\r\nuvc_parse_format().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38680"
    },
    {
      "cve": "CVE-2025-38681",
      "cwe": {
        "id": "CWE-366",
        "name": "Race Condition within a Thread"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\r\n\r\nMemory hot remove unmaps and tears down various kernel page table regions\r\nas required.  The ptdump code can race with concurrent modifications of\r\nthe kernel page tables.  When leaf entries are modified concurrently, the\r\ndump code may log stale or inconsistent information for a VA range, but\r\nthis is otherwise not harmful.\r\n\r\nBut when intermediate levels of kernel page table are freed, the dump code\r\nwill continue to use memory that has been freed and potentially\r\nreallocated for another purpose.  In such cases, the ptdump code may\r\ndereference bogus addresses, leading to a number of potential problems.\r\n\r\nTo avoid the above mentioned race condition, platforms such as arm64,\r\nriscv and s390 take the memory hotplug lock while dumping the kernel page table\r\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\r\n\r\nA similar race condition exists while checking for pages that might have\r\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\r\nwhich in turn calls ptdump_check_wx().  Instead of solving this race\r\ncondition again, let's just move the memory hotplug lock inside generic\r\nptdump_check_wx() which will benefit both the scenarios.\r\n\r\nDrop get_online_mems() and put_online_mems() combination from all existing\r\nplatform ptdump code paths.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38681"
    },
    {
      "cve": "CVE-2025-38683",
      "cwe": {
        "id": "CWE-820",
        "name": "Missing Synchronization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhv_netvsc: Fix panic during namespace deletion with VF\r\n\r\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\r\nreceived on netvsc NIC. During deletion of the namespace,\r\ndefault_device_exit_batch() >> default_device_exit_net() is called. When\r\nnetvsc NIC is moved back and registered to the default namespace, it\r\nautomatically brings VF NIC back to the default namespace. This will cause\r\nthe default_device_exit_net() >> for_each_netdev_safe loop unable to detect\r\nthe list end, and hit NULL ptr:\r\n\r\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\r\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\r\n[  231.450246] #PF: supervisor read access in kernel mode\r\n[  231.450579] #PF: error_code(0x0000) - not-present page\r\n[  231.450916] PGD 17b8a8067 P4D 0\r\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\r\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\r\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\r\n[  231.452692] Workqueue: netns cleanup_net\r\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\r\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\r\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\r\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\r\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\r\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\r\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\r\n[  231.456621] R13: 
ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340\r\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\r\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\r\n[  231.458434] Call Trace:\r\n[  231.458600]  <TASK>\r\n[  231.458777]  ops_undo_list+0x100/0x220\r\n[  231.459015]  cleanup_net+0x1b8/0x300\r\n[  231.459285]  process_one_work+0x184/0x340\r\n\r\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\r\nchanging the netdev list when default_device_exit_net() is using it.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38683"
    },
    {
      "cve": "CVE-2025-38684",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: ets: use old 'nbands' while purging unused classes\r\n\r\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\r\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\r\nwe purge unused DWRR queues; the value of 'q->nbands' is the new one, and\r\nthe cleanup should be done with the old one. The problem is here since my\r\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\r\nrecent qdisc len accounting fixes. Fix it purging idle DWRR queues before\r\nassigning a new value of 'q->nbands', so that all purge operations find a\r\nconsistent configuration:\r\n\r\n - old 'q->nbands' because it's needed by ets_class_find()\r\n - old 'q->nstrict' because it's needed by ets_class_is_strict()\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000000\r\n #PF: supervisor read access in kernel mode\r\n #PF: error_code(0x0000) - not-present page\r\n PGD 0 P4D 0\r\n Oops: Oops: 0000 [#1] SMP NOPTI\r\n CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\r\n Hardware name: Dell Inc. 
PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\r\n RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\r\n Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\r\n RSP: 0018:ffffba186009f400 EFLAGS: 00010202\r\n RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\r\n RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\r\n RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\r\n R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\r\n R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\r\n FS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\r\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\r\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n PKRU: 55555554\r\n Call Trace:\r\n  <TASK>\r\n  ets_class_qlen_notify+0x65/0x90 [sch_ets]\r\n  qdisc_tree_reduce_backlog+0x74/0x110\r\n  ets_qdisc_change+0x630/0xa40 [sch_ets]\r\n  __tc_modify_qdisc.constprop.0+0x216/0x7f0\r\n  tc_modify_qdisc+0x7c/0x120\r\n  rtnetlink_rcv_msg+0x145/0x3f0\r\n  netlink_rcv_skb+0x53/0x100\r\n  netlink_unicast+0x245/0x390\r\n  netlink_sendmsg+0x21b/0x470\r\n  ____sys_sendmsg+0x39d/0x3d0\r\n  ___sys_sendmsg+0x9a/0xe0\r\n  __sys_sendmsg+0x7a/0xd0\r\n  do_syscall_64+0x7d/0x160\r\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\r\n RIP: 0033:0x7f2155114084\r\n Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\r\n RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\r\n RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\r\n RDX: 
0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\r\n RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\r\n R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\r\n R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\r\n  </TASK>\r\n\r\n [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\r\n [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38684"
    },
    {
      "cve": "CVE-2025-38685",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix vmalloc out-of-bounds write in fast_imageblit\n\nThis issue triggers when a userspace program does an ioctl\nFBIOPUT_CON2FBMAP by passing a console number and a frame buffer number.\nIdeally this maps the console to the frame buffer and updates the screen if\nthe console is visible.\n\nAs part of the mapping it has to resize the console according to the frame\nbuffer info. If this resize fails, it returns from vc_do_resize() and\ncontinues further. At this point the console and the new frame buffer are mapped\nand the display vars are set. Despite the failure it still continues to proceed,\nupdating the screen at later stages where vc_data is related to the previous\nframe buffer while the frame buffer info and display vars are mapped to the new\nframe buffer, eventually leading to an out-of-bounds write in\nfast_imageblit(). This behaviour is expected only when fg_console is\nequal to the requested console, which is a visible console and updates the screen\nwith invalid struct references in fbcon_putcs().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38685"
    },
    {
      "cve": "CVE-2025-38687",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: fix race between polling and detaching\r\n\r\nsyzbot reports a use-after-free in comedi in the below link, which is\r\ndue to comedi gladly removing the allocated async area even though poll\r\nrequests are still active on the wait_queue_head inside of it. This can\r\ncause a use-after-free when the poll entries are later triggered or\r\nremoved, as the memory for the wait_queue_head has been freed.  We need\r\nto check there are no tasks queued on any of the subdevices' wait queues\r\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\r\nioctl.\r\n\r\nTasks will read-lock `dev->attach_lock` before adding themselves to the\r\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\r\nhandler by write-locking `dev->attach_lock` before checking that all of\r\nthe subdevices are safe to be deleted.  This includes testing for any\r\nsleepers on the subdevices' wait queues.  It remains locked until the\r\ndevice has been detached.  This requires the `comedi_device_detach()`\r\nfunction to be refactored slightly, moving the bulk of it into new\r\nfunction `comedi_device_detach_locked()`.\r\n\r\nNote that the refactor of `comedi_device_detach()` results in\r\n`comedi_device_cancel_all()` now being called while `dev->attach_lock`\r\nis write-locked, which wasn't the case previously, but that does not\r\nmatter.\r\n\r\nThanks to Jens Axboe for diagnosing the problem and co-developing this\r\npatch.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38687"
    },
    {
      "cve": "CVE-2025-38691",
      "cwe": {
        "id": "CWE-908",
        "name": "Use of Uninitialized Resource"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix uninited ptr deref in block/scsi layout\n\nThe error occurs on the third attempt to encode extents. When function\next_tree_prepare_commit() reallocates a larger buffer to retry encoding\nextents, the \"layoutupdate_pages\" page array is initialized only after the\nretry loop. But ext_tree_free_commitdata() is called on every iteration\nand tries to put pages in the array, thus dereferencing uninitialized\npointers.\n\nAn additional problem is that there is no limit on the maximum possible\nbuffer_size. When there are too many extents, the client may create a\nlayoutcommit that is larger than the maximum possible RPC size accepted\nby the server.\n\nDuring testing, we observed two typical scenarios. First, one memory page\nfor extents is enough when we work with small files, append data to the\nend of the file, or preallocate extents before writing. But when we fill\na new large file without preallocating, the number of extents can be huge,\nand counting the number of written extents in ext_tree_encode_commit()\ndoes not help much. Since this number increases even more between\nunlocking and locking of ext_tree, the reallocated buffer may not be\nlarge enough again and again.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38691"
    },
    {
      "cve": "CVE-2025-38693",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar\r\n\r\nIn w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add a\r\ncheck on msg[0].len to prevent crash.\r\n\r\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38693"
    },
    {
      "cve": "CVE-2025-38694",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\r\n\r\nIn dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and\r\nmsg[0].len is zero, former checks on msg[0].buf would be passed. If accessing\r\nmsg[0].buf[2] without sanity check, null pointer deref would happen. We add a\r\ncheck on msg[0].len to prevent crash. A similar issue occurs when accessing\r\nmsg[1].buf[0] and msg[1].buf[1].\r\n\r\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38694"
    },
    {
      "cve": "CVE-2025-38695",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure\r\n\r\nIf a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the\r\nresultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may\r\noccur before sli4_hba.hdwqs are allocated.  This may result in a null\r\npointer dereference when attempting to take the abts_io_buf_list_lock for\r\nthe first hardware queue.  Fix by adding a null ptr check on\r\nphba->sli4_hba.hdwq and early return because this situation means there\r\nmust have been an error during port initialization.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38695"
    },
    {
      "cve": "CVE-2025-38696",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nMIPS: Don't crash in stack_top() for tasks without ABI or vDSO\r\n\r\nNot all tasks have an ABI associated or vDSO mapped,\r\nfor example kthreads never do.\r\nIf such a task ever ends up calling stack_top(), it will dereference the\r\nNULL ABI pointer and crash.\r\n\r\nThis can for example happen when using kunit:\r\n\r\n    mips_stack_top+0x28/0xc0\r\n    arch_pick_mmap_layout+0x190/0x220\r\n    kunit_vm_mmap_init+0xf8/0x138\r\n    __kunit_add_resource+0x40/0xa8\r\n    kunit_vm_mmap+0x88/0xd8\r\n    usercopy_test_init+0xb8/0x240\r\n    kunit_try_run_case+0x5c/0x1a8\r\n    kunit_generic_run_threadfn_adapter+0x28/0x50\r\n    kthread+0x118/0x240\r\n    ret_from_kernel_thread+0x14/0x1c\r\n\r\nOnly dereference the ABI pointer if it is set.\r\n\r\nThe GIC page is also included as it is specific to the vDSO.\r\nAlso move the randomization adjustment into the same conditional.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38696"
    },
    {
      "cve": "CVE-2025-38697",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: upper bound check of tree index in dbAllocAG\r\n\r\nWhen computing the tree index in dbAllocAG, we never check if we are\r\nout of bounds relative to the size of the stree.\r\nThis could happen in a scenario where the filesystem metadata are\r\ncorrupted.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38697"
    },
    {
      "cve": "CVE-2025-38698",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: Regular file corruption check\r\n\r\nThe reproducer builds a corrupted file on disk with a negative i_size value.\r\nAdd a check when opening this file to avoid subsequent operation failures.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38698"
    },
    {
      "cve": "CVE-2025-38699",
      "cwe": {
        "id": "CWE-415",
        "name": "Double Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bfa: Double-free fix\r\n\r\nWhen the bfad_im_probe() function fails during initialization, the memory\r\npointed to by bfad->im is freed without setting bfad->im to NULL.\r\n\r\nSubsequently, during driver uninstallation, when the state machine enters\r\nthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,\r\nit attempts to free the memory pointed to by bfad->im again, thereby\r\ntriggering a double-free vulnerability.\r\n\r\nSet bfad->im to NULL if probing fails.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38699"
    },
    {
      "cve": "CVE-2025-38700",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated\r\n\r\nIn case of an ib_fast_reg_mr allocation failure during iSER setup, the\r\nmachine hits a panic because iscsi_conn->dd_data is initialized\r\nunconditionally, even when no memory is allocated (dd_size == 0).  This\r\nleads to an invalid pointer dereference during connection teardown.\r\n\r\nFix by setting iscsi_conn->dd_data only if memory is actually allocated.\r\n\r\nPanic trace:\r\n------------\r\n iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12\r\n iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers\r\n BUG: unable to handle page fault for address: fffffffffffffff8\r\n RIP: 0010:swake_up_locked.part.5+0xa/0x40\r\n Call Trace:\r\n  complete+0x31/0x40\r\n  iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]\r\n  iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]\r\n  iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]\r\n  iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]\r\n  ? netlink_lookup+0x12f/0x1b0\r\n  ? netlink_deliver_tap+0x2c/0x200\r\n  netlink_unicast+0x1ab/0x280\r\n  netlink_sendmsg+0x257/0x4f0\r\n  ? _copy_from_user+0x29/0x60\r\n  sock_sendmsg+0x5f/0x70",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38700"
    },
    {
      "cve": "CVE-2025-38701",
      "cwe": {
        "id": "CWE-617",
        "name": "Reachable Assertion"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not BUG when INLINE_DATA_FL lacks system.data xattr\n\nA syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()\nwhen an inode had the INLINE_DATA_FL flag set but was missing the\nsystem.data extended attribute.\n\nSince this can happen due to a maliciously fuzzed file system, we\nshouldn't BUG, but rather, report it as a corrupted file system.\n\nAdd similar replacements of BUG_ON with EXT4_ERROR_INODE() in\next4_create_inline_data() and ext4_inline_data_truncate().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38701"
    },
    {
      "cve": "CVE-2025-38702",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fix potential buffer overflow in do_register_framebuffer()\n\nThe current implementation may lead to buffer overflow when:\n1.  Unregistration creates NULL gaps in registered_fb[]\n2.  All array slots become occupied despite num_registered_fb < FB_MAX\n3.  The registration loop exceeds array bounds\n\nAdd boundary check to prevent registered_fb[FB_MAX] access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38702"
    },
    {
      "cve": "CVE-2025-38706",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\r\n\r\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\r\nlead to a null pointer dereference.\r\nThis was reproduced with topology loading and marking a link as ignore\r\ndue to a missing hardware component on the system.\r\nOn module removal the soc_tplg_remove_link() would call\r\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\r\nno runtime was created.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38706"
    },
    {
      "cve": "CVE-2025-38707",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Add sanity check for file name\r\n\r\nThe length of the file name should be smaller than the directory entry size.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38707"
    },
    {
      "cve": "CVE-2025-38708",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: add missing kref_get in handle_write_conflicts\n\nWith `two-primaries` enabled, DRBD tries to detect \"concurrent\" writes\nand handle write conflicts, so that even if you write to the same sector\nsimultaneously on both nodes, they end up with the identical data once\nthe writes are completed.\n\nIn handling \"superseded\" writes, we forgot a kref_get,\nresulting in a premature drbd_destroy_device and use after free,\nand further to kernel crashes with symptoms.\n\nRelevance: No one should use DRBD as a random data generator, and apparently\nall users of \"two-primaries\" handle concurrent writes correctly on the layer above.\nThat is, cluster file systems use some distributed lock manager,\nand live migration in virtualization environments stops writes on one node\nbefore starting writes on the other node.\n\nWhich means that other than for \"test cases\",\nthis code path is never taken in real life.\n\nFYI, in DRBD 9, things are handled differently nowadays.  We still detect\n\"write conflicts\", but no longer try to be smart about them.\nWe decided to disconnect hard instead: upper layers must not submit concurrent\nwrites. If they do, that's their fault.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38708"
    },
    {
      "cve": "CVE-2025-38711",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb/server: avoid deadlock when linking with ReplaceIfExists\r\n\r\nIf smb2_create_link() is called with ReplaceIfExists set and the name\r\ndoes exist then a deadlock will happen.\r\n\r\nksmbd_vfs_kern_path_locked() will return with success and the parent\r\ndirectory will be locked.  ksmbd_vfs_remove_file() will then remove the\r\nfile.  ksmbd_vfs_link() will then be called while the parent is still\r\nlocked.  It will try to lock the same parent and will deadlock.\r\n\r\nThis patch moves the ksmbd_vfs_kern_path_unlock() call to *before*\r\nksmbd_vfs_link() and then simplifies the code, removing the file_present\r\nflag variable.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38711"
    },
    {
      "cve": "CVE-2025-38712",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()\r\n\r\nWhen the volume header contains erroneous values that do not reflect\r\nthe actual state of the filesystem, hfsplus_fill_super() assumes that\r\nthe attributes file is not yet created, which later results in hitting\r\nBUG_ON() when hfsplus_create_attributes_file() is called. Replace this\r\nBUG_ON() with -EIO error with a message to suggest running fsck tool.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38712"
    },
    {
      "cve": "CVE-2025-38713",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\r\n\r\nThe hfsplus_readdir() method is capable of crashing by calling\r\nhfsplus_uni2asc():\r\n\r\n[  667.121659][ T9805] ==================================================================\r\n[  667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10\r\n[  667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805\r\n[  667.124578][ T9805]\r\n[  667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)\r\n[  667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\r\n[  667.124890][ T9805] Call Trace:\r\n[  667.124893][ T9805]  <TASK>\r\n[  667.124896][ T9805]  dump_stack_lvl+0x10e/0x1f0\r\n[  667.124911][ T9805]  print_report+0xd0/0x660\r\n[  667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610\r\n[  667.124928][ T9805]  ? __phys_addr+0xe8/0x180\r\n[  667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\r\n[  667.124942][ T9805]  kasan_report+0xc6/0x100\r\n[  667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\r\n[  667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10\r\n[  667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360\r\n[  667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0\r\n[  667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10\r\n[  667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0\r\n[  667.125008][ T9805]  ? iterate_dir+0x18b/0xb20\r\n[  667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0\r\n[  667.125022][ T9805]  ? lock_acquire+0x30/0x80\r\n[  667.125029][ T9805]  ? iterate_dir+0x18b/0xb20\r\n[  667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0\r\n[  667.125044][ T9805]  ? putname+0x154/0x1a0\r\n[  667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10\r\n[  667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0\r\n[  667.125069][ T9805]  iterate_dir+0x296/0xb20\r\n[  667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\r\n[  667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10\r\n[  667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200\r\n[  667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10\r\n[  667.125134][ T9805]  ? do_user_addr_fault+0x7fe/0x12f0\r\n[  667.125143][ T9805]  do_syscall_64+0xc9/0x480\r\n[  667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n[  667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9\r\n[  667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48\r\n[  667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9\r\n[  667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9\r\n[  667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004\r\n[  667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110\r\n[  667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260\r\n[  667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n[  667.125207][ T9805]  </TASK>\r\n[  667.125210][ T9805]\r\n[  667.145632][ T9805] Allocated by task 9805:\r\n[  667.145991][ T9805]  kasan_save_stack+0x20/0x40\r\n[  667.146352][ T9805]  kasan_save_track+0x14/0x30\r\n[  667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0\r\n[  667.147065][ T9805]  __kmalloc_noprof+0x205/0x550\r\n[  667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0\r\n[  667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0\r\n[  667.148174][ T9805]  iterate_dir+0x296/0xb20\r\n[  667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\r\n[  667.148937][ T9805]  do_syscall_64+0xc9/0x480\r\n[  667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n[  667.149809][ T9805]\r\n[  667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000\r\n[  667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048\r\n[  667.151282][ T9805] The buggy address is located 0 bytes to the right of\r\n[  667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)\r\n[  667.1\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38713"
    },
    {
      "cve": "CVE-2025-38714",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()\r\n\r\nThe hfsplus_bnode_read() method can trigger the issue:\r\n\r\n[  174.852007][ T9784] ==================================================================\r\n[  174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360\r\n[  174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784\r\n[  174.854059][ T9784]\r\n[  174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)\r\n[  174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\r\n[  174.854286][ T9784] Call Trace:\r\n[  174.854289][ T9784]  <TASK>\r\n[  174.854292][ T9784]  dump_stack_lvl+0x10e/0x1f0\r\n[  174.854305][ T9784]  print_report+0xd0/0x660\r\n[  174.854315][ T9784]  ? __virt_addr_valid+0x81/0x610\r\n[  174.854323][ T9784]  ? __phys_addr+0xe8/0x180\r\n[  174.854330][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\r\n[  174.854337][ T9784]  kasan_report+0xc6/0x100\r\n[  174.854346][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\r\n[  174.854354][ T9784]  hfsplus_bnode_read+0x2f4/0x360\r\n[  174.854362][ T9784]  hfsplus_bnode_dump+0x2ec/0x380\r\n[  174.854370][ T9784]  ? __pfx_hfsplus_bnode_dump+0x10/0x10\r\n[  174.854377][ T9784]  ? hfsplus_bnode_write_u16+0x83/0xb0\r\n[  174.854385][ T9784]  ? srcu_gp_start+0xd0/0x310\r\n[  174.854393][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\r\n[  174.854402][ T9784]  hfsplus_brec_remove+0x3d2/0x4e0\r\n[  174.854411][ T9784]  __hfsplus_delete_attr+0x290/0x3a0\r\n[  174.854419][ T9784]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10\r\n[  174.854427][ T9784]  ? __pfx___hfsplus_delete_attr+0x10/0x10\r\n[  174.854436][ T9784]  ? __asan_memset+0x23/0x50\r\n[  174.854450][ T9784]  hfsplus_delete_all_attrs+0x262/0x320\r\n[  174.854459][ T9784]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10\r\n[  174.854469][ T9784]  ? rcu_is_watching+0x12/0xc0\r\n[  174.854476][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\r\n[  174.854483][ T9784]  hfsplus_delete_cat+0x845/0xde0\r\n[  174.854493][ T9784]  ? __pfx_hfsplus_delete_cat+0x10/0x10\r\n[  174.854507][ T9784]  hfsplus_unlink+0x1ca/0x7c0\r\n[  174.854516][ T9784]  ? __pfx_hfsplus_unlink+0x10/0x10\r\n[  174.854525][ T9784]  ? down_write+0x148/0x200\r\n[  174.854532][ T9784]  ? __pfx_down_write+0x10/0x10\r\n[  174.854540][ T9784]  vfs_unlink+0x2fe/0x9b0\r\n[  174.854549][ T9784]  do_unlinkat+0x490/0x670\r\n[  174.854557][ T9784]  ? __pfx_do_unlinkat+0x10/0x10\r\n[  174.854565][ T9784]  ? __might_fault+0xbc/0x130\r\n[  174.854576][ T9784]  ? getname_flags.part.0+0x1c5/0x550\r\n[  174.854584][ T9784]  __x64_sys_unlink+0xc5/0x110\r\n[  174.854592][ T9784]  do_syscall_64+0xc9/0x480\r\n[  174.854600][ T9784]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n[  174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167\r\n[  174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08\r\n[  174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\r\n[  174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167\r\n[  174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50\r\n[  174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40\r\n[  174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0\r\n[  174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n[  174.854658][ T9784]  </TASK>\r\n[  174.854661][ T9784]\r\n[  174.879281][ T9784] Allocated by task 9784:\r\n[  174.879664][ T9784]  kasan_save_stack+0x20/0x40\r\n[  174.880082][ T9784]  kasan_save_track+0x14/0x30\r\n[  174.880500][ T9784]  __kasan_kmalloc+0xaa/0xb0\r\n[  174.880908][ T9784]  __kmalloc_noprof+0x205/0x550\r\n[  174.881337][ T9784]  __hfs_bnode_create+0x107/0x890\r\n[  174.881779][ T9784]  hfsplus_bnode_find+0x2d0/0xd10\r\n[  174.882222][ T9784]  hfsplus_brec_find+0x2b0/0x520\r\n[  174.882659][ T9784]  hfsplus_delete_all_attrs+0x23b/0x3\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38714"
    },
    {
      "cve": "CVE-2025-38715",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfs: fix slab-out-of-bounds in hfs_bnode_read()\r\n\r\nThis patch introduces is_bnode_offset_valid() method that checks\r\nthe requested offset value. Also, it introduces\r\ncheck_and_correct_requested_length() method that checks and\r\ncorrects the requested length (if it is necessary). These methods\r\nare used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),\r\nhfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent\r\nthe access out of allocated memory and triggering the crash.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38715"
    },
    {
      "cve": "CVE-2025-38721",
      "cwe": {
        "id": "CWE-772",
        "name": "Missing Release of Resource after Effective Lifetime"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n      if (res < 0) {\n                nf_conntrack_get(&ct->ct_general); // HERE\n                cb->args[1] = (unsigned long)ct;\n                ...\n\nWhile it's very unlikely, it's possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nprevents cnet->count from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in nf_conntrack_cleanup_net_list.\n\nOne fix would be to change this to:\n        if (res < 0) {\n\t\tif (ct != last)\n\t                nf_conntrack_get(&ct->ct_general);\n\nBut this reference counting isn't needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a 'skip hint', not the actual\nobject so we can apply the same cookie strategy there as well.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38721"
    },
    {
      "cve": "CVE-2025-38723",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nLoongArch: BPF: Fix jump offset calculation in tailcall\r\n\r\nThe extra pass of bpf_int_jit_compile() skips JIT context initialization\r\nwhich essentially skips offset calculation leaving out_offset = -1, so\r\nthe jmp_offset in emit_bpf_tail_call is calculated by\r\n\r\n\"#define jmp_offset (out_offset - (cur_offset))\"\r\n\r\nis a negative number, which is wrong. The final generated assembly is\r\nas follows.\r\n\r\n54:\tbgeu        \t$a2, $t1, -8\t    # 0x0000004c\r\n58:\taddi.d      \t$a6, $s5, -1\r\n5c:\tbltz        \t$a6, -16\t    # 0x0000004c\r\n60:\talsl.d      \t$t2, $a2, $a1, 0x3\r\n64:\tld.d        \t$t2, $t2, 264\r\n68:\tbeq         \t$t2, $zero, -28\t    # 0x0000004c\r\n\r\nBefore applying this patch, the following test case will reveal soft lockup issues.\r\n\r\ncd tools/testing/selftests/bpf/\r\n./test_progs --allow=tailcalls/tailcall_bpf2bpf_1\r\n\r\ndmesg:\r\nwatchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38723"
    },
    {
      "cve": "CVE-2025-38724",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). A SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38724"
    },
    {
      "cve": "CVE-2025-38725",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: asix_devices: add phy_mask for ax88772 mdio bus\r\n\r\nWithout setting phy_mask for the ax88772 mdio bus, the current driver may create\r\nat most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.\r\nDLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy\r\ndevice will bind to the net phy driver. This creates an issue during system\r\nsuspend/resume since phy_polling_mode() in phy_state_machine() will\r\ndirectly dereference a member of phydev->drv for non-main phy devices. Then a\r\nNULL pointer dereference issue will occur. Since only the external phy or\r\ninternal phy is necessary, add phy_mask for the ax88772 mdio bus to work around\r\nthe issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38725"
    },
    {
      "cve": "CVE-2025-38727",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket's read memory allocation\nconstraints. Firstly, it has:\n\n  rmem < READ_ONCE(sk->sk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket's receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)\n\nThe checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is\nequal to sk->sk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in a\nretry loop for an indefinite time which is caught as:\n\n  rcu: INFO: rcu_sched self-detected stall on CPU\n  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n  (t=26000 jiffies g=230833 q=259957)\n  NMI backtrace for cpu 0\n  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n  Call Trace:\n  <IRQ>\n  dump_stack lib/dump_stack.c:120\n  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n  update_process_times kernel/time/timer.c:1953\n  tick_sched_handle kernel/time/tick-sched.c:227\n  tick_sched_timer kernel/time/tick-sched.c:1399\n  __hrtimer_run_queues kernel/time/hrtimer.c:1652\n  hrtimer_interrupt kernel/time/hrtimer.c:1717\n  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n  </IRQ>\n\n  netlink_attachskb net/netlink/af_netlink.c:1234\n  netlink_unicast net/netlink/af_netlink.c:1349\n  kauditd_send_queue kernel/audit.c:776\n  kauditd_thread kernel/audit.c:897\n  kthread kernel/kthread.c:328\n  ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38727"
    },
    {
      "cve": "CVE-2025-38728",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb3: fix for slab out of bounds on mount to ksmbd\r\n\r\nWith KASAN enabled, it is possible to get a slab out of bounds\r\nduring mount to ksmbd due to a missing check in parse_server_interfaces()\r\n(see below):\r\n\r\n BUG: KASAN: slab-out-of-bounds in\r\n parse_server_interfaces+0x14ee/0x1880 [cifs]\r\n Read of size 4 at addr ffff8881433dba98 by task mount/9827\r\n\r\n CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G\r\n OE       6.16.0-rc2-kasan #2 PREEMPT(voluntary)\r\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\r\n Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,\r\n BIOS 2.13.1 06/14/2019\r\n Call Trace:\r\n  <TASK>\r\n dump_stack_lvl+0x9f/0xf0\r\n print_report+0xd1/0x670\r\n __virt_addr_valid+0x22c/0x430\r\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\r\n ? kasan_complete_mode_report_info+0x2a/0x1f0\r\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\r\n   kasan_report+0xd6/0x110\r\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\r\n   __asan_report_load_n_noabort+0x13/0x20\r\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\r\n ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]\r\n ? trace_hardirqs_on+0x51/0x60\r\n SMB3_request_interfaces+0x1ad/0x3f0 [cifs]\r\n ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]\r\n ? SMB2_tcon+0x23c/0x15d0 [cifs]\r\n smb3_qfs_tcon+0x173/0x2b0 [cifs]\r\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\r\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\r\n ? do_raw_spin_unlock+0x5d/0x200\r\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\r\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\r\n cifs_mount_get_tcon+0x369/0xb90 [cifs]\r\n ? dfs_cache_find+0xe7/0x150 [cifs]\r\n dfs_mount_share+0x985/0x2970 [cifs]\r\n ? check_path.constprop.0+0x28/0x50\r\n ? save_trace+0x54/0x370\r\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\r\n ? __lock_acquire+0xb82/0x2ba0\r\n ? __kasan_check_write+0x18/0x20\r\n cifs_mount+0xbc/0x9e0 [cifs]\r\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\r\n ? do_raw_spin_unlock+0x5d/0x200\r\n ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]\r\n cifs_smb3_do_mount+0x263/0x1990 [cifs]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38728"
    },
    {
      "cve": "CVE-2025-38729",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: Validate UAC3 power domain descriptors, too\r\n\r\nUAC3 power domain descriptors need to be verified with their variable\r\nbLength to avoid unexpected OOB accesses by malicious\r\nfirmware, too.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38729"
    },
    {
      "cve": "CVE-2025-38732",
      "cwe": {
        "id": "CWE-911",
        "name": "Improper Update of Reference Count"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_reject: don't leak dst refcount for loopback packets\r\n\r\nRecent patches to add a WARN() when replacing the skb dst entry found an\r\nold bug:\r\n\r\nWARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]\r\nWARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]\r\nWARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234\r\n[..]\r\nCall Trace:\r\n nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325\r\n nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27\r\n expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]\r\n ..\r\n\r\nThis is because the blamed commit forgot about loopback packets.\r\nSuch packets already have a dst_entry attached, even at the PRE_ROUTING stage.\r\n\r\nInstead of checking the hook, just check if the skb already has a route\r\nattached to it.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38732"
    },
    {
      "cve": "CVE-2025-38735",
      "cwe": {
        "id": "CWE-664",
        "name": "Improper Control of a Resource Through its Lifetime"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngve: prevent ethtool ops after shutdown\r\n\r\nA crash can occur if an ethtool operation is invoked\r\nafter shutdown() is called.\r\n\r\nshutdown() is invoked during system shutdown to stop DMA operations\r\nwithout performing expensive deallocations. It is discouraged to\r\nunregister the netdev in this path, so the device may still be visible\r\nto userspace and kernel helpers.\r\n\r\nIn gve, shutdown() tears down most internal data structures. If an\r\nethtool operation is dispatched after shutdown(), it will dereference\r\nfreed or NULL pointers, leading to a kernel panic. While graceful\r\nshutdown normally quiesces userspace before invoking the reboot\r\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\r\nthis path.\r\n\r\nFix by calling netif_device_detach() in shutdown().\r\nThis marks the device as detached so the ethtool ioctl handler\r\nwill skip dispatching operations to the driver.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38735"
    },
    {
      "cve": "CVE-2025-38736",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: asix_devices: Fix PHY address mask in MDIO bus initialization\r\n\r\nSyzbot reported shift-out-of-bounds exception on MDIO bus initialization.\r\n\r\nThe PHY address should be masked to 5 bits (0-31). Without this\r\nmask, invalid PHY addresses could be used, potentially causing issues\r\nwith MDIO bus operations.\r\n\r\nFix this by masking the PHY address with 0x1f (31 decimal) to ensure\r\nit stays within the valid range.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-38736"
    },
    {
      "cve": "CVE-2025-39673",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp: fix race conditions in ppp_fill_forward_path\r\n\r\nppp_fill_forward_path() has two race conditions:\r\n\r\n1. The ppp->channels list can change between list_empty() and\r\n   list_first_entry(), as ppp_lock() is not held. If the only channel\r\n   is deleted in ppp_disconnect_channel(), list_first_entry() may\r\n   access an empty head or a freed entry, and trigger a panic.\r\n\r\n2. pch->chan can be NULL. When ppp_unregister_channel() is called,\r\n   pch->chan is set to NULL before pch is removed from ppp->channels.\r\n\r\nFix these by using a lockless RCU approach:\r\n- Use list_first_or_null_rcu() to safely test and access the first list\r\n  entry.\r\n- Convert list modifications on ppp->channels to their RCU variants and\r\n  add synchronize_net() after removal.\r\n- Check for a NULL pch->chan before dereferencing it.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39673"
    },
    {
      "cve": "CVE-2025-39675",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()\r\n\r\nThe function mod_hdcp_hdcp1_create_session() calls the function\r\nget_first_active_display(), but does not check its return value.\r\nThe return value is a null pointer if the display list is empty.\r\nThis will lead to a null pointer dereference.\r\n\r\nAdd a null pointer check for get_first_active_display() and return\r\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function returns null.\r\n\r\nThis is similar to the commit c3e9826a2202\r\n(\"drm/amd/display: Add null pointer check for get_first_active_display()\").\r\n\r\n(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39675"
    },
    {
      "cve": "CVE-2025-39676",
      "cwe": {
        "id": "CWE-394",
        "name": "Unexpected Status Code or Return Value"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qla4xxx: Prevent a potential error pointer dereference\r\n\r\nThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,\r\nbut qla4xxx_ep_connect() returns error pointers.  Propagating the error\r\npointers will lead to an Oops in the caller, so change the error pointers\r\nto NULL.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39676"
    },
    {
      "cve": "CVE-2025-39681",
      "cwe": {
        "id": "CWE-369",
        "name": "Divide By Zero"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\r\n\r\nSince\r\n\r\n  923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\r\n\r\nresctrl_cpu_detect() has been moved from common CPU initialization code to\r\nthe vendor-specific BSP init helper, while Hygon didn't put that call in their\r\ncode.\r\n\r\nThis triggers a division by zero fault during early booting stage on our\r\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\r\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\r\n\r\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\r\n\r\n  [ bp: Massage commit message. ]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39681"
    },
    {
      "cve": "CVE-2025-39682",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix handling of zero-length records on the rx_list\r\n\r\nEach recvmsg() call must process either\r\n - only contiguous DATA records (any number of them)\r\n - one non-DATA record\r\n\r\nIf the next record has a different type than what has already been\r\nprocessed, we break out of the main processing loop. If the record\r\nhas already been decrypted (which may be the case for TLS 1.3 where\r\nwe don't know the type until decryption) we queue the pending record\r\nto the rx_list. The next recvmsg() will pick it up from there.\r\n\r\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\r\nsince in that case we decrypted directly to the user space buffer,\r\nand we don't have an skb to queue (darg.skb points to the ciphertext\r\nskb for access to metadata like length).\r\n\r\nOnly data records are allowed zero-copy, and we break the processing\r\nloop after each non-data record. So we should never zero-copy and\r\nthen find out that the record type has changed. The corner case\r\nwe missed is when the initial record comes from rx_list, and it's\r\nzero length.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39682"
    },
    {
      "cve": "CVE-2025-39683",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser->buffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but does not set the end of parser->buffer to 0.\nThen an OOB access will be triggered in ftrace_regex_release->\nftrace_process_regex->strsep->strpbrk. We can solve this problem by\nlimiting access to parser->buffer when trace_get_user failed.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39683"
    },
    {
      "cve": "CVE-2025-39684",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\r\n\r\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel\r\nbuffer is allocated to hold `insn->n` samples (each of which is an\r\n`unsigned int`).  For some instruction types, `insn->n` samples are\r\ncopied back to user-space, unless an error code is being returned.  The\r\nproblem is that not all the instruction handlers that need to return\r\ndata to userspace fill in the whole `insn->n` samples, so that there is\r\nan information leak.  There is a similar syzbot report for\r\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\r\nthe time of writing.\r\n\r\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\r\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\r\na specific handler for that instruction, but do have an `INSN_BITS`\r\nhandler.  For `INSN_READ` it only fills in at most 1 sample, so if\r\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\r\nto userspace will be uninitialized kernel data.\r\n\r\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver.  It\r\nnever returns an error, even if it fails to fill the buffer.\r\n\r\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\r\nthat uninitialized parts of the allocated buffer are zeroed before\r\nhandling each instruction.\r\n\r\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix\r\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\r\nalways necessary to clear the whole buffer.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39684"
    },
    {
      "cve": "CVE-2025-39685",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: pcl726: Prevent invalid irq number\r\n\r\nThe reproducer passed in an irq number (0x80008000) that was too large,\r\nwhich triggered the oob.\r\n\r\nAdded an interrupt number check to prevent users from passing in an irq\r\nnumber that was too large.\r\n\r\nIf `it->options[1]` is 31, then `1 << it->options[1]` is still invalid\r\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\r\nPossible solutions include reducing the upper bound on the\r\n`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.\r\n\r\nThe old code would just not attempt to request the IRQ if the\r\n`options[1]` value were invalid.  And it would still configure the\r\ndevice without interrupts even if the call to `request_irq` returned an\r\nerror.  So it would be better to combine this test with the test below.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39685"
    },
    {
      "cve": "CVE-2025-39686",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: Make insn_rw_emulate_bits() do insn->n samples\r\n\r\nThe `insn_rw_emulate_bits()` function is used as a default handler for\r\n`INSN_READ` instructions for subdevices that have a handler for\r\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\r\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\r\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\r\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\r\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\r\ninstructions are supposed to be able to read or write multiple samples,\r\nindicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently\r\nonly handles a single sample.  For `INSN_READ`, the comedi core will\r\ncopy `insn->n` samples back to user-space.  (That triggered KASAN\r\nkernel-infoleak errors when `insn->n` was greater than 1, but that is\r\nbeing fixed more generally elsewhere in the comedi core.)\r\n\r\nMake `insn_rw_emulate_bits()` either handle `insn->n` samples, or return\r\nan error, to conform to the general expectation for `INSN_READ` and\r\n`INSN_WRITE` handlers.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39686"
    },
    {
      "cve": "CVE-2025-39687",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: light: as73211: Ensure buffer holes are zeroed\r\n\r\nGiven that the buffer is copied to a kfifo that ultimately user space\r\ncan read, ensure we zero it.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39687"
    },
    {
      "cve": "CVE-2025-39689",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn't have to differentiate when to free the\niterator's hash between writers and readers.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39689"
    },
    {
      "cve": "CVE-2025-39691",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/buffer: fix use-after-free when calling the bh_read() helper\r\n\r\nThere's an issue as follows:\r\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\r\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\r\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\r\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\r\nCall Trace:\r\n <IRQ>\r\n dump_stack_lvl+0x55/0x70\r\n print_address_description.constprop.0+0x2c/0x390\r\n print_report+0xb4/0x270\r\n kasan_report+0xb8/0xf0\r\n end_buffer_read_sync+0xe3/0x110\r\n end_bio_bh_io_sync+0x56/0x80\r\n blk_update_request+0x30a/0x720\r\n scsi_end_request+0x51/0x2b0\r\n scsi_io_completion+0xe3/0x480\r\n ? scsi_device_unbusy+0x11e/0x160\r\n blk_complete_reqs+0x7b/0x90\r\n handle_softirqs+0xef/0x370\r\n irq_exit_rcu+0xa5/0xd0\r\n sysvec_apic_timer_interrupt+0x6e/0x90\r\n </IRQ>\r\n\r\n The above issue happens during an ntfs3 filesystem mount; it may happen\r\n as follows:\r\n           mount                            IRQ\r\nntfs_fill_super\r\n  read_cache_page\r\n    do_read_cache_folio\r\n      filemap_read_folio\r\n        mpage_read_folio\r\n\t do_mpage_readpage\r\n\t  ntfs_get_block_vbo\r\n\t   bh_read\r\n\t     submit_bh\r\n\t     wait_on_buffer(bh);\r\n\t                            blk_complete_reqs\r\n\t\t\t\t     scsi_io_completion\r\n\t\t\t\t      scsi_end_request\r\n\t\t\t\t       blk_update_request\r\n\t\t\t\t        end_bio_bh_io_sync\r\n\t\t\t\t\t end_buffer_read_sync\r\n\t\t\t\t\t  __end_buffer_read_notouch\r\n\t\t\t\t\t   unlock_buffer\r\n\r\n            wait_on_buffer(bh);--> return will return to caller\r\n\r\n\t\t\t\t\t  put_bh\r\n\t\t\t\t\t    --> trigger stack-out-of-bounds\r\nIn the mpage_read_folio() function, the stack variable 'map_bh' is\r\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\r\nwait_on_buffer() returns to continue processing, the stack variable\r\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\r\nprocess, calling put_bh() may result in a stack overrun.\r\n\r\nIf the bh is not allocated on the stack, it belongs to a folio.  Freeing\r\na buffer head which belongs to a folio is done by drop_buffers() which\r\nwill fail to free buffers which are still locked.  So it is safe to call\r\nput_bh() before __end_buffer_read_notouch().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39691"
    },
    {
      "cve": "CVE-2025-39692",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()\r\n\r\nWe can't call destroy_workqueue(smb_direct_wq); before stop_sessions()!\r\n\r\nOtherwise already existing connections try to use smb_direct_wq as\r\na NULL pointer.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39692"
    },
    {
      "cve": "CVE-2025-39693",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Avoid a NULL pointer dereference\r\n\r\n[WHY]\r\nAlthough unlikely drm_atomic_get_new_connector_state() or\r\ndrm_atomic_get_old_connector_state() can return NULL.\r\n\r\n[HOW]\r\nCheck returns before dereference.\r\n\r\n(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39693"
    },
    {
      "cve": "CVE-2025-39694",
      "cwe": {
        "id": "CWE-1285",
        "name": "Improper Validation of Specified Index, Position, or Offset in Input"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/sclp: Fix SCCB present check\r\n\r\nTracing code called by the SCLP interrupt handler contains early exits\r\nif the SCCB address associated with an interrupt is NULL. This check is\r\nperformed after physical to virtual address translation.\r\n\r\nIf the kernel identity mapping does not start at address zero, the\r\nresulting virtual address is never zero, so that the NULL checks won't\r\nwork. Subsequently this may result in incorrect accesses to the first\r\npage of the identity mapping.\r\n\r\nFix this by introducing a function that handles the NULL case before\r\naddress translation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39694"
    },
    {
      "cve": "CVE-2025-39697",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn't\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let's take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39697"
    },
    {
      "cve": "CVE-2025-39701",
      "cwe": {
        "id": "CWE-1025",
        "name": "Comparison Using Wrong Factors"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: pfr_update: Fix the driver update version check\r\n\r\nThe security-version-number check should be used rather\r\nthan the runtime version check for driver updates.\r\n\r\nOtherwise, the firmware update would fail when the update binary had\r\na lower runtime version number than the current one.\r\n\r\n[ rjw: Changelog edits ]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39701"
    },
    {
      "cve": "CVE-2025-39702",
      "cwe": {
        "id": "CWE-208",
        "name": "Observable Timing Discrepancy"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: Fix MAC comparison to be constant-time\r\n\r\nTo prevent timing attacks, MACs need to be compared in constant time.\r\nUse the appropriate helper function for this.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39702"
    },
    {
      "cve": "CVE-2025-39703",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet, hsr: reject HSR frame if skb can't hold tag\r\n\r\nReceiving an HSR frame with insufficient space to hold the HSR tag in the skb\r\ncan result in a crash (kernel BUG):\r\n\r\n[   45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1\r\n[   45.392559] ------------[ cut here ]------------\r\n[   45.392912] kernel BUG at net/core/skbuff.c:211!\r\n[   45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\r\n[   45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)\r\n[   45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\r\n[   45.395273] RIP: 0010:skb_panic+0x15b/0x1d0\r\n\r\n<snip registers, remove unreliable trace>\r\n\r\n[   45.402911] Call Trace:\r\n[   45.403105]  <IRQ>\r\n[   45.404470]  skb_push+0xcd/0xf0\r\n[   45.404726]  br_dev_queue_push_xmit+0x7c/0x6c0\r\n[   45.406513]  br_forward_finish+0x128/0x260\r\n[   45.408483]  __br_forward+0x42d/0x590\r\n[   45.409464]  maybe_deliver+0x2eb/0x420\r\n[   45.409763]  br_flood+0x174/0x4a0\r\n[   45.410030]  br_handle_frame_finish+0xc7c/0x1bc0\r\n[   45.411618]  br_handle_frame+0xac3/0x1230\r\n[   45.413674]  __netif_receive_skb_core.constprop.0+0x808/0x3df0\r\n[   45.422966]  __netif_receive_skb_one_core+0xb4/0x1f0\r\n[   45.424478]  __netif_receive_skb+0x22/0x170\r\n[   45.424806]  process_backlog+0x242/0x6d0\r\n[   45.425116]  __napi_poll+0xbb/0x630\r\n[   45.425394]  net_rx_action+0x4d1/0xcc0\r\n[   45.427613]  handle_softirqs+0x1a4/0x580\r\n[   45.427926]  do_softirq+0x74/0x90\r\n[   45.428196]  </IRQ>\r\n\r\nThis issue was found by syzkaller.\r\n\r\nThe panic happens in br_dev_queue_push_xmit() once it receives a\r\ncorrupted skb with the ETH header already pushed in linear data. When it\r\nattempts the skb_push() call, there's not enough headroom and\r\nskb_push() panics.\r\n\r\nThe corrupted skb is put on the queue by the HSR layer, which makes a\r\nsequence of unintended transformations when it receives a specific\r\ncorrupted HSR frame (with incomplete TAG).\r\n\r\nFix it by dropping and consuming frames that are not long enough to\r\ncontain both ethernet and hsr headers.\r\n\r\nAn alternative fix would be to check for enough headroom before skb_push()\r\nin br_dev_queue_push_xmit().\r\n\r\nIn the reproducer, this is injected via AF_PACKET, but I don't easily\r\nsee why it couldn't be sent over the wire from an adjacent network.\r\n\r\nFurther Details:\r\n\r\nIn the reproducer, the following network interface chain is set up:\r\n\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502 veth0_to_hsr   \u251c\u2500\u2500\u2500\u2524  hsr_slave0    \u253c\u2500\u2500\u2500\u2510\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\r\n                                          \u2502 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n                                          \u251c\u2500\u2524 hsr0 \u251c\u2500\u2500\u2500\u2510\r\n                                          \u2502 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\r\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502            \u2502\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\r\n\u2502 veth1_to_hsr   \u253c\u2500\u2500\u2500\u2524  hsr_slave1    \u251c\u2500\u2500\u2500\u2518            \u2514\u2524        \u2502\r\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518                \u250c\u253c bridge \u2502\r\n                                                       \u2502\u2502        \u2502\r\n                                                       \u2502\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n                                                       \u2502\r\n                                        \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510      \u2502\r\n                                        \u2502  ...  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n                                        \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\r\n\r\nTo trigger the events leading up to crash, reproducer sends a corrupted\r\nHSR fr\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39703"
    },
    {
      "cve": "CVE-2025-39706",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdkfd: Destroy KFD debugfs after destroy KFD wq\r\n\r\nSince KFD proc content was moved to kernel debugfs, we can't destroy KFD\r\ndebugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior\r\nto kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens\r\nwhen /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but\r\nkfd_process_destroy_wq calls kfd_debugfs_remove_process. This line\r\n    debugfs_remove_recursive(entry->proc_dentry);\r\ntries to remove /sys/kernel/debug/kfd/proc/<pid> while\r\n/sys/kernel/debug/kfd is already gone. It hangs the kernel by a kernel\r\nNULL pointer.\r\n\r\n(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39706"
    },
    {
      "cve": "CVE-2025-39709",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: venus: protect against spurious interrupts during probe\r\n\r\nMake sure the interrupt handler is initialized before the interrupt is\r\nregistered.\r\n\r\nIf the IRQ is registered before hfi_create(), it's possible that an\r\ninterrupt fires before the handler setup is complete, leading to a NULL\r\ndereference.\r\n\r\nThis error condition has been observed during system boot on Rb3Gen2.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39709"
    },
    {
      "cve": "CVE-2025-39710",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: venus: Add a check for packet size after reading from shared memory\r\n\r\nAdd a check to ensure that the packet size does not exceed the number of\r\navailable words after reading the packet header from shared memory. This\r\nensures that the size provided by the firmware is safe to process and\r\nprevents potential out-of-bounds memory access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39710"
    },
    {
      "cve": "CVE-2025-39713",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\r\n\r\nIn the interrupt handler rain_interrupt(), the buffer full check on\r\nrain->buf_len is performed before acquiring rain->buf_lock. This\r\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\r\nrain->buf_len is concurrently accessed and modified in the work\r\nhandler rain_irq_work_handler() under the same lock.\r\n\r\nMultiple interrupt invocations can race, with each reading buf_len\r\nbefore it becomes full and then proceeding. This can lead to both\r\ninterrupts attempting to write to the buffer, incrementing buf_len\r\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\r\n\r\nFix this bug by moving the spin_lock() to before the buffer full\r\ncheck. This ensures that the check and the subsequent buffer modification\r\nare performed atomically, preventing the race condition. A corresponding\r\nspin_unlock() is added to the overflow path to correctly release the\r\nlock.\r\n\r\nThis possible bug was found by an experimental static analysis tool\r\ndeveloped by our team.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39713"
    },
    {
      "cve": "CVE-2025-39714",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: usbtv: Lock resolution while streaming\r\n\r\nWhen a program is streaming (ffplay) and another program (qv4l2)\r\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\r\nto copy to unmapped memory.\r\n\r\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\r\nbut the video plane buffer isn't adjusted, so it overflows.\r\n\r\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39714"
    },
    {
      "cve": "CVE-2025-39715",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Revise gateway LWS calls to probe user read access\r\n\r\nWe use load and stbys,e instructions to trigger memory reference\r\ninterruptions without writing to memory. Because of the way read\r\naccess support is implemented, read access interruptions are only\r\ntriggered at privilege levels 2 and 3. The kernel and gateway\r\npage execute at privilege level 0, so this code never triggers\r\na read access interruption. Thus, it is currently possible for\r\nuser code to execute a LWS compare and swap operation at an\r\naddress that is read protected at privilege level 3 (PRIV_USER).\r\n\r\nFix this by probing read access rights at privilege level 3 and\r\nbranching to lws_fault if access isn't allowed.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39715"
    },
    {
      "cve": "CVE-2025-39716",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Revise __get_user() to probe user read access\r\n\r\nBecause of the way read access support is implemented, read access\r\ninterruptions are only triggered at privilege levels 2 and 3. The\r\nkernel executes at privilege level 0, so __get_user() never triggers\r\na read access interruption (code 26). Thus, it is currently possible\r\nfor user code to access a read protected address via a system call.\r\n\r\nFix this by probing read access rights at privilege level 3 (PRIV_USER)\r\nand setting __gu_err to -EFAULT (-14) if access isn't allowed.\r\n\r\nNote the cmpiclr instruction does a 32-bit compare because the COND macro\r\ndoesn't work inside asm.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39716"
    },
    {
      "cve": "CVE-2025-39718",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvsock/virtio: Validate length in packet header before skb_put()\r\n\r\nWhen receiving a vsock packet in the guest, only the virtqueue buffer\r\nsize is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,\r\nvirtio_vsock_skb_rx_put() uses the length from the packet header as the\r\nlength argument to skb_put(), potentially resulting in SKB overflow if\r\nthe host has gone wonky.\r\n\r\nValidate the length as advertised by the packet header before calling\r\nvirtio_vsock_skb_rx_put().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39718"
    },
    {
      "cve": "CVE-2025-39719",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: imu: bno055: fix OOB access of hw_xlate array\r\n\r\nFix a potential out-of-bounds array access of the hw_xlate array in\r\nbno055.c.\r\n\r\nIn bno055_get_regmask(), hw_xlate was iterated over the length of the\r\nvals array instead of the length of the hw_xlate array. In the case of\r\nbno055_gyr_scale, the vals array is larger than the hw_xlate array,\r\nso this could result in an out-of-bounds access. In practice, this\r\nshouldn't happen though because a match should always be found which\r\nbreaks out of the for loop before it iterates beyond the end of the\r\nhw_xlate array.\r\n\r\nBy adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be\r\nsure we are iterating over the correct length.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39719"
    },
    {
      "cve": "CVE-2025-39724",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p->fcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==\n(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock\nto fix this issue.\n\nPanic backtrace:\n[    0.442336] Oops - unknown exception [#1]\n[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e\n...\n[    0.442416] console_on_rootfs+0x26/0x70",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39724"
    },
    {
      "cve": "CVE-2025-39736",
      "cwe": {
        "id": "CWE-833",
        "name": "Deadlock"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock\r\n\r\nWhen netpoll is enabled, calling pr_warn_once() while holding\r\nkmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock\r\ninversion with the netconsole subsystem.  This occurs because\r\npr_warn_once() may trigger netpoll, which eventually leads to\r\n__alloc_skb() and back into kmemleak code, attempting to reacquire\r\nkmemleak_lock.\r\n\r\nThis is the path for the deadlock.\r\n\r\nmem_pool_alloc()\r\n  -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\r\n      -> pr_warn_once()\r\n          -> netconsole subsystem\r\n\t     -> netpoll\r\n\t         -> __alloc_skb\r\n\t\t   -> __create_object\r\n\t\t     -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\r\n\r\nFix this by setting a flag and issuing the pr_warn_once() after\r\nkmemleak_lock is released.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39736"
    },
    {
      "cve": "CVE-2025-39737",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()\r\n\r\nA soft lockup warning was observed on a relative small system x86-64\r\nsystem with 16 GB of memory when running a debug kernel with kmemleak\r\nenabled.\r\n\r\n  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]\r\n\r\nThe test system was running a workload with hot unplug happening in\r\nparallel.  Then kemleak decided to disable itself due to its inability to\r\nallocate more kmemleak objects.  The debug kernel has its\r\nCONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.\r\n\r\nThe soft lockup happened in kmemleak_do_cleanup() when the existing\r\nkmemleak objects were being removed and deleted one-by-one in a loop via a\r\nworkqueue.  In this particular case, there are at least 40,000 objects\r\nthat need to be processed and given the slowness of a debug kernel and the\r\nfact that a raw_spinlock has to be acquired and released in\r\n__delete_object(), it could take a while to properly handle all these\r\nobjects.\r\n\r\nAs kmemleak has been disabled in this case, the object removal and\r\ndeletion process can be further optimized as locking isn't really needed. \r\nHowever, it is probably not worth the effort to optimize for such an edge\r\ncase that should rarely happen.  So the simple solution is to call\r\ncond_resched() at periodic interval in the iteration loop to avoid soft\r\nlockup.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39737"
    },
    {
      "cve": "CVE-2025-39738",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: do not allow relocation of partially dropped subvolumes\r\n\r\n[BUG]\r\nThere is an internal report that balance triggered transaction abort,\r\nwith the following call trace:\r\n\r\n  item 85 key (594509824 169 0) itemoff 12599 itemsize 33\r\n          extent refs 1 gen 197740 flags 2\r\n          ref#0: tree block backref root 7\r\n  item 86 key (594558976 169 0) itemoff 12566 itemsize 33\r\n          extent refs 1 gen 197522 flags 2\r\n          ref#0: tree block backref root 7\r\n ...\r\n BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0\r\n BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117\r\n ------------[ cut here ]------------\r\n BTRFS: Transaction aborted (error -117)\r\n WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]\r\n\r\nAnd btrfs check doesn't report anything wrong related to the extent\r\ntree.\r\n\r\n[CAUSE]\r\nThe cause is a little complex, firstly the extent tree indeed doesn't\r\nhave the backref for 594526208.\r\n\r\nThe extent tree only have the following two backrefs around that bytenr\r\non-disk:\r\n\r\n        item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33\r\n                refs 1 gen 197740 flags TREE_BLOCK\r\n                tree block skinny level 0\r\n                (176 0x7) tree block backref root CSUM_TREE\r\n        item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33\r\n                refs 1 gen 197522 flags TREE_BLOCK\r\n                tree block skinny level 0\r\n                (176 0x7) tree block backref root CSUM_TREE\r\n\r\nBut the such missing backref item is not an corruption on disk, as the\r\noffending delayed ref belongs to subvolume 934, and that subvolume 
is\r\nbeing dropped:\r\n\r\n        item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439\r\n                generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328\r\n                last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0\r\n                drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2\r\n                level 2 generation_v2 198229\r\n\r\nAnd that offending tree block 594526208 is inside the dropped range of\r\nthat subvolume.  That explains why there is no backref item for that\r\nbytenr and why btrfs check is not reporting anything wrong.\r\n\r\nBut this also shows another problem, as btrfs will do all the orphan\r\nsubvolume cleanup at a read-write mount.\r\n\r\nSo half-dropped subvolume should not exist after an RW mount, and\r\nbalance itself is also exclusive to subvolume cleanup, meaning we\r\nshouldn't hit a subvolume half-dropped during relocation.\r\n\r\nThe root cause is, there is no orphan item for this subvolume.\r\nIn fact there are 5 subvolumes from around 2021 that have the same\r\nproblem.\r\n\r\nIt looks like the original report has some older kernels running, and\r\ncaused those zombie subvolumes.\r\n\r\nThankfully upstream commit 8d488a8c7ba2 (\"btrfs: fix subvolume/snapshot\r\ndeletion not triggered on mount\") has long fixed the bug.\r\n\r\n[ENHANCEMENT]\r\nFor repairing such old fs, btrfs-progs will be enhanced.\r\n\r\nConsidering how delayed the problem will show up (at run delayed ref\r\ntime) and at that time we have to abort transaction already, it is too\r\nlate.\r\n\r\nInstead here we reject any half-dropped subvolume for reloc tree at the\r\nearliest time, preventing confusion and extra time wasted on debugging\r\nsimilar bugs.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39738"
    },
    {
      "cve": "CVE-2025-39742",
      "cwe": {
        "id": "CWE-369",
        "name": "Divide By Zero"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\r\n\r\nThe function divides number of online CPUs by num_core_siblings, and\r\nlater checks the divider by zero. This implies a possibility to get\r\nand divide-by-zero runtime error. Fix it by moving the check prior to\r\ndivision. This also helps to save one indentation level.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39742"
    },
    {
      "cve": "CVE-2025-39743",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: truncate good inode pages when hard link is 0\r\n\r\nThe fileset value of the inode copy from the disk by the reproducer is\r\nAGGR_RESERVED_I. When executing evict, its hard link number is 0, so its\r\ninode pages are not truncated. This causes the bugon to be triggered when\r\nexecuting clear_inode() because nrpages is greater than 0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39743"
    },
    {
      "cve": "CVE-2025-39749",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrcu: Protect ->defer_qs_iw_pending from data race\r\n\r\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\r\ninvoked within an interrupts-disabled region of code [1], it will invoke\r\nrcu_read_unlock_special(), which uses an irq-work handler to force the\r\nsystem to notice when the RCU read-side critical section actually ends.\r\nThat end won't happen until interrupts are enabled at the soonest.\r\n\r\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\r\nirq-work handler is used unconditionally.\r\n\r\nThe per-CPU rcu_data structure's ->defer_qs_iw_pending field is\r\nupdated by the irq-work handler and is both read and updated by\r\nrcu_read_unlock_special().  This resulted in the following KCSAN splat:\r\n\r\n------------------------------------------------------------------------\r\n\r\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\r\n\r\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\r\n rcu_read_unlock_special+0x175/0x260\r\n __rcu_read_unlock+0x92/0xa0\r\n rt_spin_unlock+0x9b/0xc0\r\n __local_bh_enable+0x10d/0x170\r\n __local_bh_enable_ip+0xfb/0x150\r\n rcu_do_batch+0x595/0xc40\r\n rcu_cpu_kthread+0x4e9/0x830\r\n smpboot_thread_fn+0x24d/0x3b0\r\n kthread+0x3bd/0x410\r\n ret_from_fork+0x35/0x40\r\n ret_from_fork_asm+0x1a/0x30\r\n\r\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\r\n rcu_preempt_deferred_qs_handler+0x1e/0x30\r\n irq_work_single+0xaf/0x160\r\n run_irq_workd+0x91/0xc0\r\n smpboot_thread_fn+0x24d/0x3b0\r\n kthread+0x3bd/0x410\r\n ret_from_fork+0x35/0x40\r\n ret_from_fork_asm+0x1a/0x30\r\n\r\nno locks held by irq_work/8/88.\r\nirq event stamp: 200272\r\nhardirqs last  enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320\r\nhardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70\r\nsoftirqs last  enabled at (0): 
[<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0\r\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\r\n\r\n------------------------------------------------------------------------\r\n\r\nThe problem is that irq-work handlers run with interrupts enabled, which\r\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\r\nand that interrupt handler might contain an RCU read-side critical\r\nsection, which might invoke rcu_read_unlock_special().  In the strict\r\nKCSAN mode of operation used by RCU, this constitutes a data race on\r\nthe ->defer_qs_iw_pending field.\r\n\r\nThis commit therefore disables interrupts across the portion of the\r\nrcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending\r\nfield.  This suffices because this handler is not a fast path.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39749"
    },
    {
      "cve": "CVE-2025-39752",
      "cwe": {
        "id": "CWE-364",
        "name": "Signal Handler Race Condition"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: rockchip: fix kernel hang during smp initialization\r\n\r\nIn order to bring up secondary CPUs main CPU write trampoline\r\ncode to SRAM. The trampoline code is written while secondary\r\nCPUs are powered on (at least that true for RK3188 CPU).\r\nSometimes that leads to kernel hang. Probably because secondary\r\nCPU execute trampoline code while kernel doesn't expect.\r\n\r\nThe patch moves SRAM initialization step to the point where all\r\nsecondary CPUs are powered down.\r\n\r\nThat fixes rarely hangs on RK3188:\r\n[    0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000\r\n[    0.091996] rockchip_smp_prepare_cpus: ncores 4",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39752"
    },
    {
      "cve": "CVE-2025-39756",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n  WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n   # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n   #include <unistd.h>\n   #include <sys/resource.h>\n\n   int main() {\n       struct rlimit rlim = {1073741824, 1073741824};\n       setrlimit(RLIMIT_NOFILE, &rlim);\n       dup2(2, 1073741880);  // Triggers the warning\n       return 0;\n   }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n   size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n   inadvertently trigger massive allocations\n3. 
The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39756"
    },
    {
      "cve": "CVE-2025-39757",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: Validate UAC3 cluster segment descriptors\r\n\r\nUAC3 class segment descriptors need to be verified whether their sizes\r\nmatch with the declared lengths and whether they fit with the\r\nallocated buffer sizes, too.  Otherwise malicious firmware may lead to\r\nthe unexpected OOB accesses.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39757"
    },
    {
      "cve": "CVE-2025-39759",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\r\n\r\nThere's a race between a task disabling quotas and another running the\r\nrescan ioctl that can result in a use-after-free of qgroup records from\r\nthe fs_info->qgroup_tree rbtree.\r\n\r\nThis happens as follows:\r\n\r\n1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();\r\n\r\n2) Task B enters btrfs_quota_disable() and calls\r\n   btrfs_qgroup_wait_for_completion(), which does nothing because at that\r\n   point fs_info->qgroup_rescan_running is false (it wasn't set yet by\r\n   task A);\r\n\r\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\r\n   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;\r\n\r\n4) Task A enters qgroup_rescan_zero_tracking() which starts iterating\r\n   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,\r\n   but task B is freeing qgroup records from that tree without holding\r\n   the lock, resulting in a use-after-free.\r\n\r\nFix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().\r\nAlso at btrfs_qgroup_rescan() don't start the rescan worker if quotas\r\nwere already disabled.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39759"
    },
    {
      "cve": "CVE-2025-39760",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: core: config: Prevent OOB read in SS endpoint companion parsing\r\n\r\nusb_parse_ss_endpoint_companion() checks descriptor type before length,\r\nenabling a potentially odd read outside of the buffer size.\r\n\r\nFix this up by checking the size first before looking at any of the\r\nfields in the descriptor.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39760"
    },
    {
      "cve": "CVE-2025-39766",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit\r\n\r\nThe following setup can trigger a WARNING in htb_activate due to\r\nthe condition: !cl->leaf.q->q.qlen\r\n\r\ntc qdisc del dev lo root\r\ntc qdisc add dev lo root handle 1: htb default 1\r\ntc class add dev lo parent 1: classid 1:1 \\\r\n       htb rate 64bit\r\ntc qdisc add dev lo parent 1:1 handle f: \\\r\n       cake memlimit 1b\r\nping -I lo -f -c1 -s64 -W0.001 127.0.0.1\r\n\r\nThis is because the low memlimit leads to a low buffer_limit, which\r\ncauses packet dropping. However, cake_enqueue still returns\r\nNET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an\r\nempty child qdisc. We should return NET_XMIT_CN when packets are\r\ndropped from the same tin and flow.\r\n\r\nI do not believe return value of NET_XMIT_CN is necessary for packet\r\ndrops in the case of ack filtering, as that is meant to optimize\r\nperformance, not to signal congestion.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39766"
    },
    {
      "cve": "CVE-2025-39770",
      "cwe": {
        "id": "CWE-573",
        "name": "Improper Following of Specification by Caller"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n 
ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39770"
    },
    {
      "cve": "CVE-2025-39772",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\r\n\r\nWhen hibmc fails to load, the driver uses hibmc_unload to free the\r\nresource, but the mutexes in mode.config are not initialized, which will\r\naccess a NULL pointer. Just change the goto statement to return, because\r\nhibmc_hw_init() doesn't need to free anything.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39772"
    },
    {
      "cve": "CVE-2025-39773",
      "cwe": {
        "id": "CWE-667",
        "name": "Improper Locking"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix soft lockup in br_multicast_query_expired()\n\nWhen setting multicast_query_interval to a large value, the local variable\n'time' in br_multicast_send_query() may overflow. If the time is smaller\nthan jiffies, the timer will expire immediately, and then call mod_timer()\nagain, which creates a loop and may trigger the following soft lockup\nissue.\n\n  watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]\n  CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)\n  Call Trace:\n   <IRQ>\n   __netdev_alloc_skb+0x2e/0x3a0\n   br_ip6_multicast_alloc_query+0x212/0x1b70\n   __br_multicast_send_query+0x376/0xac0\n   br_multicast_send_query+0x299/0x510\n   br_multicast_query_expired.constprop.0+0x16d/0x1b0\n   call_timer_fn+0x3b/0x2a0\n   __run_timers+0x619/0x950\n   run_timer_softirq+0x11c/0x220\n   handle_softirqs+0x18e/0x560\n   __irq_exit_rcu+0x158/0x1a0\n   sysvec_apic_timer_interrupt+0x76/0x90\n   </IRQ>\n\nThis issue can be reproduced with:\n  ip link add br0 type bridge\n  echo 1 > /sys/class/net/br0/bridge/multicast_querier\n  echo 0xffffffffffffffff >\n  \t/sys/class/net/br0/bridge/multicast_query_interval\n  ip link set dev br0 up\n\nThe multicast_startup_query_interval can also cause this issue. Similar to\nthe commit 99b40610956a (\"net: bridge: mcast: add and enforce query\ninterval minimum\"), add a check for the query interval maximum to fix this\nissue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39773"
    },
    {
      "cve": "CVE-2025-39776",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/debug_vm_pgtable: clear page table entries at destroy_args()\r\n\r\nThe mm/debug_vm_pagetable test manually allocates page table entries for\r\nthe tests it runs, also using its manually allocated mm_struct.  That in\r\nitself is ok, but when it exits, at destroy_args() it fails to clear those\r\nentries with the *_clear functions.\r\n\r\nThe problem is that this leaves stale entries.  If another process allocates an\r\nmm_struct with a pgd at the same address, it may end up running into the\r\nstale entry.  This is happening in practice on a debug kernel with\r\nCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra\r\ndebugging I added (it prints a warning trace if pgtables_bytes goes\r\nnegative, in addition to the warning at check_mm() function):\r\n\r\n[    2.539353] debug_vm_pgtable: [get_random_vaddr         ]: random_vaddr is 0x7ea247140000\r\n[    2.539366] kmem_cache info\r\n[    2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508\r\n[    2.539447] debug_vm_pgtable: [init_args                ]: args->mm is 0x000000002267cc9e\r\n(...)\r\n[    2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0\r\n[    2.552816] Modules linked in:\r\n[    2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY\r\n[    2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries\r\n[    2.552872] NIP:  c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90\r\n[    2.552885] REGS: c0000000622e73b0 TRAP: 0700   Not tainted  (6.12.0-105.debug_vm2.el10.ppc64le+debug)\r\n[    2.552899] MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24002822  XER: 0000000a\r\n[    2.552954] CFAR: c0000000008f03f0 IRQMASK: 0\r\n[    2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001\r\n[    2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff\r\n[    2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000\r\n[    2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb\r\n[    2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0\r\n[    2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000\r\n[    2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001\r\n[    2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760\r\n[    2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0\r\n[    2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0\r\n[    2.553199] Call Trace:\r\n[    2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)\r\n[    2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0\r\n[    2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570\r\n[    2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650\r\n[    2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290\r\n[    2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0\r\n[    2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870\r\n[    2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150\r\n[    2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50\r\n[    2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0\r\n[    2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\r\n(...)\r\n[    2.558892] ---[ end trace 0000000000000000 ]---\r\n[    2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1\r\n[    2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144\r\n\r\nHere the modprobe process ended up with an allocated mm_struct from the\r\nmm_struct slab that was used before by the debug_vm_pgtable test.  That is\r\nnot a problem, since the mm_stru\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39776"
    },
    {
      "cve": "CVE-2025-39782",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\njbd2: prevent softlockup in jbd2_log_do_checkpoint()\r\n\r\nBoth jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()\r\nperiodically release j_list_lock after processing a batch of buffers to\r\navoid long hold times on the j_list_lock. However, since both functions\r\ncontend for j_list_lock, the combined time spent waiting and processing\r\ncan be significant.\r\n\r\njbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when\r\nneed_resched() is true to avoid softlockups during prolonged operations.\r\nBut jbd2_log_do_checkpoint() only exits its loop when need_resched() is\r\ntrue, relying on potentially sleeping functions like __flush_batch() or\r\nwait_on_buffer() to trigger rescheduling. If those functions do not sleep,\r\nthe kernel may hit a softlockup.\r\n\r\nwatchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]\r\nCPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10\r\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017\r\nWorkqueue: writeback wb_workfn (flush-7:2)\r\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\r\npc : native_queued_spin_lock_slowpath+0x358/0x418\r\nlr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\r\nCall trace:\r\n native_queued_spin_lock_slowpath+0x358/0x418\r\n jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\r\n __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]\r\n add_transaction_credits+0x3bc/0x418 [jbd2]\r\n start_this_handle+0xf8/0x560 [jbd2]\r\n jbd2__journal_start+0x118/0x228 [jbd2]\r\n __ext4_journal_start_sb+0x110/0x188 [ext4]\r\n ext4_do_writepages+0x3dc/0x740 [ext4]\r\n ext4_writepages+0xa4/0x190 [ext4]\r\n do_writepages+0x94/0x228\r\n __writeback_single_inode+0x48/0x318\r\n writeback_sb_inodes+0x204/0x590\r\n __writeback_inodes_wb+0x54/0xf8\r\n wb_writeback+0x2cc/0x3d8\r\n wb_do_writeback+0x2e0/0x2f8\r\n wb_workfn+0x80/0x2a8\r\n process_one_work+0x178/0x3e8\r\n worker_thread+0x234/0x3b8\r\n kthread+0xf0/0x108\r\n ret_from_fork+0x10/0x20\r\n\r\nSo explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid\r\nsoftlockup.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39782"
    },
    {
      "cve": "CVE-2025-39783",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix configfs group list head handling\n\nDoing a list_del() on the epf_group field of struct pci_epf_driver in\npci_epf_remove_cfs() is not correct as this field is a list head, not\na list entry. This list_del() call triggers a KASAN warning when an\nendpoint function driver which has a configfs attribute group is torn\ndown:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198\nWrite of size 8 at addr ffff00010f4a0d80 by task rmmod/319\n\nCPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE\nHardware name: Radxa ROCK 5B (DT)\nCall trace:\nshow_stack+0x2c/0x84 (C)\ndump_stack_lvl+0x70/0x98\nprint_report+0x17c/0x538\nkasan_report+0xb8/0x190\n__asan_report_store8_noabort+0x20/0x2c\npci_epf_remove_cfs+0x17c/0x198\npci_epf_unregister_driver+0x18/0x30\nnvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]\n__arm64_sys_delete_module+0x264/0x424\ninvoke_syscall+0x70/0x260\nel0_svc_common.constprop.0+0xac/0x230\ndo_el0_svc+0x40/0x58\nel0_svc+0x48/0xdc\nel0t_64_sync_handler+0x10c/0x138\nel0t_64_sync+0x198/0x19c\n...\n\nRemove this incorrect list_del() call from pci_epf_remove_cfs().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39783"
    },
    {
      "cve": "CVE-2025-39787",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don't read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that's not necessarily the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don't read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39787"
    },
    {
      "cve": "CVE-2025-39788",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\r\n\r\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\r\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\r\nincorrectly as 0.\r\n\r\nThis is because the left hand side of the shift is 1, which is of type\r\nint, i.e. 31 bits wide. Shifting by more than that width results in\r\nundefined behaviour.\r\n\r\nFix this by switching to the BIT() macro, which applies correct type\r\ncasting as required. This ensures the correct value is written to\r\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\r\nwarning:\r\n\r\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\r\n    shift exponent 32 is too large for 32-bit type 'int'\r\n\r\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\r\nwrite.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39788"
    },
    {
      "cve": "CVE-2025-39790",
      "cwe": {
        "id": "CWE-415",
        "name": "Double Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Detect events pointing to unexpected TREs\r\n\r\nWhen a remote device sends a completion event to the host, it contains a\r\npointer to the consumed TRE. The host uses this pointer to process all of\r\nthe TREs between it and the host's local copy of the ring's read pointer.\r\nThis works when processing completion for chained transactions, but can\r\nlead to nasty results if the device sends an event for a single-element\r\ntransaction with a read pointer that is multiple elements ahead of the\r\nhost's read pointer.\r\n\r\nFor instance, if the host accesses an event ring while the device is\r\nupdating it, the pointer inside of the event might still point to an old\r\nTRE. If the host uses the channel's xfer_cb() to directly free the buffer\r\npointed to by the TRE, the buffer will be double-freed.\r\n\r\nThis behavior was observed on an ep that used upstream EP stack without\r\n'commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\r\nis written\")'. Where the device updated the events ring pointer before\r\nupdating the event contents, so it left a window where the host was able to\r\naccess the stale data the event pointed to, before the device had the\r\nchance to update them. The usual pattern was that the host received an\r\nevent pointing to a TRE that is not immediately after the last processed\r\none, so it got treated as if it was a chained transaction, processing all\r\nof the TREs in between the two read pointers.\r\n\r\nThis commit aims to harden the host by ensuring transactions where the\r\nevent points to a TRE that isn't local_rp + 1 are chained.\r\n\r\n[mani: added stable tag and reworded commit message]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39790"
    },
    {
      "cve": "CVE-2025-39794",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: tegra: Use I/O memcpy to write to IRAM\r\n\r\nKasan crashes the kernel trying to check boundaries when using the\r\nnormal memcpy.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39794"
    },
    {
      "cve": "CVE-2025-39795",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid possible overflow for chunk_sectors check in blk_stack_limits()\n\nIn blk_stack_limits(), we check that the t->chunk_sectors value is a\nmultiple of the t->physical_block_size value.\n\nHowever, by finding the chunk_sectors value in bytes, we may overflow\nthe unsigned int which holds chunk_sectors, so change the check to be\nbased on sectors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39795"
    },
    {
      "cve": "CVE-2025-39798",
      "cwe": {
        "id": "CWE-273",
        "name": "Improper Check for Dropped Privileges"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix the setting of capabilities when automounting a new filesystem\n\nCapabilities cannot be inherited when we cross into a new filesystem.\nThey need to be reset to the minimal defaults, and then probed for\nagain.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39798"
    },
    {
      "cve": "CVE-2025-39800",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: abort transaction on unexpected eb generation at btrfs_copy_root()\r\n\r\nIf we find an unexpected generation for the extent buffer we are cloning\r\nat btrfs_copy_root(), we just WARN_ON() and don't error out and abort the\r\ntransaction, meaning we allow metadata with an unexpected generation to\r\nbe persisted. Instead of warning only, abort the transaction and return\r\n-EUCLEAN.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39800"
    },
    {
      "cve": "CVE-2025-39801",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\r\n\r\nThis commit addresses a rarely observed endpoint command timeout\r\nwhich causes a kernel panic due to the warning when 'panic_on_warn' is enabled\r\nand unnecessary call trace prints when 'panic_on_warn' is disabled.\r\nIt is seen during fast software-controlled connect/disconnect test cases.\r\nThe following is one such endpoint command timeout that we observed:\r\n\r\n1. Connect\r\n   =======\r\n->dwc3_thread_interrupt\r\n ->dwc3_ep0_interrupt\r\n  ->configfs_composite_setup\r\n   ->composite_setup\r\n    ->usb_ep_queue\r\n     ->dwc3_gadget_ep0_queue\r\n      ->__dwc3_gadget_ep0_queue\r\n       ->__dwc3_ep0_do_control_data\r\n        ->dwc3_send_gadget_ep_cmd\r\n\r\n2. Disconnect\r\n   ==========\r\n->dwc3_thread_interrupt\r\n ->dwc3_gadget_disconnect_interrupt\r\n  ->dwc3_ep0_reset_state\r\n   ->dwc3_ep0_end_control_data\r\n    ->dwc3_send_gadget_ep_cmd\r\n\r\nIn the issue scenario, on Exynos platforms, we observed that control\r\ntransfers for the previous connect had not yet been completed, and the end\r\ntransfer command sent as part of the disconnect sequence and the\r\nprocessing of the USB_ENDPOINT_HALT feature request from the host timed out.\r\nThis may be an expected scenario since the controller is processing EP\r\ncommands sent as part of the previous connect. It may be better to\r\nremove WARN_ON in all places where device endpoint commands are sent to\r\navoid unnecessary kernel panic due to warn.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39801"
    },
    {
      "cve": "CVE-2025-39806",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\r\n\r\nA malicious HID device can trigger a slab out-of-bounds during\r\nmt_report_fixup() by passing in a report descriptor smaller than\r\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\r\nof the descriptor with 0x25 by first checking if byte offset\r\n607 is 0x15; however, it lacks bounds checks to verify if the\r\ndescriptor is big enough before conducting this check. Fix\r\nthis bug by ensuring the descriptor size is at least 608\r\nbytes before accessing it.\r\n\r\nBelow is the KASAN splat after the out-of-bounds access happens:\r\n\r\n[   13.671954] ==================================================================\r\n[   13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\r\n[   13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\r\n[   13.673297]\r\n[   13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\r\n[   13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\r\n[   13.673297] Call Trace:\r\n[   13.673297]  <TASK>\r\n[   13.673297]  dump_stack_lvl+0x5f/0x80\r\n[   13.673297]  print_report+0xd1/0x660\r\n[   13.673297]  kasan_report+0xe5/0x120\r\n[   13.673297]  __asan_report_load1_noabort+0x18/0x20\r\n[   13.673297]  mt_report_fixup+0x103/0x110\r\n[   13.673297]  hid_open_report+0x1ef/0x810\r\n[   13.673297]  mt_probe+0x422/0x960\r\n[   13.673297]  hid_device_probe+0x2e2/0x6f0\r\n[   13.673297]  really_probe+0x1c6/0x6b0\r\n[   13.673297]  __driver_probe_device+0x24f/0x310\r\n[   13.673297]  driver_probe_device+0x4e/0x220\r\n[   13.673297]  __device_attach_driver+0x169/0x320\r\n[   13.673297]  bus_for_each_drv+0x11d/0x1b0\r\n[   13.673297]  __device_attach+0x1b8/0x3e0\r\n[   13.673297]  device_initial_probe+0x12/0x20\r\n[   13.673297]  bus_probe_device+0x13d/0x180\r\n[   13.673297]  device_add+0xe3a/0x1670\r\n[   13.673297]  hid_add_device+0x31d/0xa40\r\n[...]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39806"
    },
    {
      "cve": "CVE-2025-39808",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\r\n\r\nIn ntrig_report_version(), the hdev parameter is passed from hid_probe().\r\nSending a descriptor to /dev/uhid can make hdev->dev.parent->parent null.\r\nIf hdev->dev.parent->parent is null, usb_dev has the\r\ninvalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned;\r\nwhen usb_rcvctrlpipe() uses usb_dev, it triggers a\r\npage fault error for address (0xffffffffffffff58).\r\n\r\nAdd null check logic to ntrig_report_version()\r\nbefore calling hid_to_usb_dev().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39808"
    },
    {
      "cve": "CVE-2025-39812",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsctp: initialize more fields in sctp_v6_from_sk()\r\n\r\nsyzbot found that sin6_scope_id was not properly initialized,\r\nleading to undefined behavior.\r\n\r\nClear sin6_scope_id and sin6_flowinfo.\r\n\r\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\r\n  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\r\n  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\r\n  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\r\n  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\r\n  sctp_get_port net/sctp/socket.c:8523 [inline]\r\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\r\n  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\r\n  __sys_listen_socket net/socket.c:1912 [inline]\r\n  __sys_listen net/socket.c:1927 [inline]\r\n  __do_sys_listen net/socket.c:1932 [inline]\r\n  __se_sys_listen net/socket.c:1930 [inline]\r\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\r\n  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\r\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\r\n  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\r\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nLocal variable addr.i.i created at:\r\n  sctp_get_port net/sctp/socket.c:8515 [inline]\r\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\r\n  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\r\n  __sys_listen_socket net/socket.c:1912 [inline]\r\n  __sys_listen net/socket.c:1927 [inline]\r\n  __do_sys_listen net/socket.c:1932 [inline]\r\n  __se_sys_listen net/socket.c:1930 [inline]\r\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39812"
    },
    {
      "cve": "CVE-2025-39813",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump)                              CPU1 (reader)\necho z > /proc/sysrq-trigger\n\n!trace_empty(&iter)\ntrace_iterator_reset(&iter) <- len = size = 0\n                                                cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(&iter)\n  __find_next_entry\n    ring_buffer_empty_cpu <- all empty\n  return NULL\n\ntrace_printk_seq(&iter.seq)\n  WARN_ON_ONCE(s->seq.len >= s->seq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the 'iter.seq' is properly populated before\nsubsequent operations.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39813"
    },
    {
      "cve": "CVE-2025-39817",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\r\n\r\nObserved on kernel 6.6 (present on master as well):\r\n\r\n  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\r\n  Call trace:\r\n   kasan_check_range+0xe8/0x190\r\n   __asan_loadN+0x1c/0x28\r\n   memcmp+0x98/0xd0\r\n   efivarfs_d_compare+0x68/0xd8\r\n   __d_lookup_rcu_op_compare+0x178/0x218\r\n   __d_lookup_rcu+0x1f8/0x228\r\n   d_alloc_parallel+0x150/0x648\r\n   lookup_open.isra.0+0x5f0/0x8d0\r\n   open_last_lookups+0x264/0x828\r\n   path_openat+0x130/0x3f8\r\n   do_filp_open+0x114/0x248\r\n   do_sys_openat2+0x340/0x3c0\r\n   __arm64_sys_openat+0x120/0x1a0\r\n\r\nIf dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become\r\nnegative, leading to oob. The issue can be triggered by parallel\r\nlookups using an invalid filename:\r\n\r\n  T1\t\t\tT2\r\n  lookup_open\r\n   ->lookup\r\n    simple_lookup\r\n     d_add\r\n     // invalid dentry is added to hash list\r\n\r\n\t\t\tlookup_open\r\n\t\t\t d_alloc_parallel\r\n\t\t\t  __d_lookup_rcu\r\n\t\t\t   __d_lookup_rcu_op_compare\r\n\t\t\t    hlist_bl_for_each_entry_rcu\r\n\t\t\t    // invalid dentry can be retrieved\r\n\t\t\t     ->d_compare\r\n\t\t\t      efivarfs_d_compare\r\n\t\t\t      // oob\r\n\r\nFix it by checking 'guid' before cmp.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39817"
    },
    {
      "cve": "CVE-2025-39819",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/smb: Fix inconsistent refcnt update\r\n\r\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\r\nSuch inconsistent update could lead to possible resource leaks.\r\n\r\nWhy it is a possible bug:\r\n1. In the comment section of the function, it clearly states that the\r\nreference to `cfile` should be dropped after calling this function.\r\n2. Every control flow path would check and drop the reference to\r\n`cfile`, except the patched one.\r\n3. Existing callers would not handle refcount update of `cfile` if\r\n-ENOMEM is returned.\r\n\r\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\r\ncleanup logic would always be respected. As the problem is caused by the\r\nallocation failure of `vars`, the cleanup logic between label \"finished\"\r\nand \"out\" can be safely ignored. According to the definition of function\r\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\r\nTherefore, the replay logic also gets ignored.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39819"
    },
    {
      "cve": "CVE-2025-39823",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: x86: use array_index_nospec with indices that come from guest\r\n\r\nmin and dest_id are guest-controlled indices. Using array_index_nospec()\r\nafter the bounds checks clamps these values to mitigate speculative execution\r\nside-channels.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39823"
    },
    {
      "cve": "CVE-2025-39824",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\r\n\r\nAfter hid_hw_start() is called, hidinput_connect() will eventually be\r\ncalled to set up the device with the input layer since the\r\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\r\nall input and output reports are processed and corresponding hid_inputs\r\nare allocated and configured via hidinput_configure_usages(). This\r\nprocess involves slot tagging report fields and configuring usages\r\nby setting relevant bits in the capability bitmaps. However, it is possible\r\nthat the capability bitmaps are not set at all, leading the subsequent\r\nhidinput_has_been_populated() check to fail, leading to the freeing of the\r\nhid_input and the underlying input device.\r\n\r\nThis becomes problematic because a malicious HID device like an\r\nASUS ROG N-Key keyboard can trigger the above scenario via a\r\nspecially crafted descriptor which then leads to a use-after-free\r\nwhen the name of the freed input device is written to later on after\r\nhid_hw_start(). Below, report 93 intentionally utilises the\r\nHID_UP_UNDEFINED Usage Page which is skipped during usage\r\nconfiguration, leading to the frees.\r\n\r\n0x05, 0x0D,        // Usage Page (Digitizer)\r\n0x09, 0x05,        // Usage (Touch Pad)\r\n0xA1, 0x01,        // Collection (Application)\r\n0x85, 0x0D,        //   Report ID (13)\r\n0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)\r\n0x09, 0xC5,        //   Usage (0xC5)\r\n0x15, 0x00,        //   Logical Minimum (0)\r\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\r\n0x75, 0x08,        //   Report Size (8)\r\n0x95, 0x04,        //   Report Count (4)\r\n0xB1, 0x02,        //   Feature (Data,Var,Abs)\r\n0x85, 0x5D,        //   Report ID (93)\r\n0x06, 0x00, 0x00,  //   Usage Page (Undefined)\r\n0x09, 0x01,        //   Usage (0x01)\r\n0x15, 0x00,        //   Logical Minimum (0)\r\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\r\n0x75, 0x08,        //   Report Size (8)\r\n0x95, 0x1B,        //   Report Count (27)\r\n0x81, 0x02,        //   Input (Data,Var,Abs)\r\n0xC0,              // End Collection\r\n\r\nBelow is the KASAN splat after triggering the UAF:\r\n\r\n[   21.672709] ==================================================================\r\n[   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\r\n[   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\r\n[   21.673700]\r\n[   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\r\n[   21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\r\n[   21.673700] Call Trace:\r\n[   21.673700]  <TASK>\r\n[   21.673700]  dump_stack_lvl+0x5f/0x80\r\n[   21.673700]  print_report+0xd1/0x660\r\n[   21.673700]  kasan_report+0xe5/0x120\r\n[   21.673700]  __asan_report_store8_noabort+0x1b/0x30\r\n[   21.673700]  asus_probe+0xeeb/0xf80\r\n[   21.673700]  hid_device_probe+0x2ee/0x700\r\n[   21.673700]  really_probe+0x1c6/0x6b0\r\n[   21.673700]  __driver_probe_device+0x24f/0x310\r\n[   21.673700]  driver_probe_device+0x4e/0x220\r\n[...]\r\n[   21.673700]\r\n[   21.673700] Allocated by task 54:\r\n[   21.673700]  kasan_save_stack+0x3d/0x60\r\n[   21.673700]  kasan_save_track+0x18/0x40\r\n[   21.673700]  kasan_save_alloc_info+0x3b/0x50\r\n[   21.673700]  __kasan_kmalloc+0x9c/0xa0\r\n[   21.673700]  __kmalloc_cache_noprof+0x139/0x340\r\n[   21.673700]  input_allocate_device+0x44/0x370\r\n[   21.673700]  hidinput_connect+0xcb6/0x2630\r\n[   21.673700]  hid_connect+0xf74/0x1d60\r\n[   21.673700]  hid_hw_start+0x8c/0x110\r\n[   21.673700]  asus_probe+0x5a3/0xf80\r\n[   21.673700]  hid_device_probe+0x2ee/0x700\r\n[   21.673700]  really_probe+0x1c6/0x6b0\r\n[   21.673700]  __driver_probe_device+0x24f/0x310\r\n[   21.673700]  driver_probe_device+0x4e/0x220\r\n[...]\r\n[   21.673700]\r\n[   21.673700] Freed by task 54:\r\n[   21.673700]  kasan_save_stack+0x3d/0x60\r\n[   21.673700]  kasan_save_track+0x18/0x40\r\n[   21.673700]  kasan_save_free_info+0x3f/0x60\r\n[   21.673700]  __kasan_slab_free+0x3c/0x50\r\n[   21.673700]  kfre\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39824"
    },
    {
      "cve": "CVE-2025-39825",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix race with concurrent opens in rename(2)\r\n\r\nBesides sending the rename request to the server, the rename process\r\nalso involves closing any deferred close, waiting for outstanding I/O\r\nto complete as well as marking all existing open handles as deleted to\r\nprevent them from deferring closes, which increases the race window\r\nfor potential concurrent opens on the target file.\r\n\r\nFix this by unhashing the dentry in advance to prevent any concurrent\r\nopens on the target.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39825"
    },
    {
      "cve": "CVE-2025-39826",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rose: convert 'use' field to refcount_t\r\n\r\nThe 'use' field in struct rose_neigh is used as a reference counter but\r\nlacks atomicity. This can lead to race conditions where a rose_neigh\r\nstructure is freed while still being referenced by other code paths.\r\n\r\nFor example, when rose_neigh->use becomes zero during an ioctl operation\r\nvia rose_rt_ioctl(), the structure may be removed while its timer is\r\nstill active, potentially causing use-after-free issues.\r\n\r\nThis patch changes the type of 'use' from unsigned short to refcount_t and\r\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\r\noperate reference counts atomically.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39826"
    },
    {
      "cve": "CVE-2025-39827",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rose: include node references in rose_neigh refcount\r\n\r\nCurrent implementation maintains two separate reference counting\r\nmechanisms: the 'count' field in struct rose_neigh tracks references from\r\nrose_node structures, while the 'use' field (now refcount_t) tracks\r\nreferences from rose_sock.\r\n\r\nThis patch merges these two reference counting systems using 'use' field\r\nfor proper reference management. Specifically, this patch adds incrementing\r\nand decrementing of rose_neigh->use when rose_neigh->count is incremented\r\nor decremented.\r\n\r\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\r\nrose_clear_route() to properly release references to rose_neigh objects\r\nbefore freeing a rose_node through rose_remove_node().\r\n\r\nThese changes ensure rose_neigh structures are properly freed only when\r\nall references, including those from rose_node structures, are released.\r\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39827"
    },
    {
      "cve": "CVE-2025-39828",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\r\n\r\nsyzbot reported the splat below. [0]\r\n\r\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\r\nor close(), atmtcp_send_control() is called to send an in-kernel\r\nspecial message.\r\n\r\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\r\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\r\n\r\nThe notable thing is struct atmtcp_control is uAPI but has a\r\nspace for an in-kernel pointer.\r\n\r\n  struct atmtcp_control {\r\n  \tstruct atmtcp_hdr hdr;\t/* must be first */\r\n  ...\r\n  \tatm_kptr_t vcc;\t\t/* both directions */\r\n  ...\r\n  } __ATM_API_ALIGN;\r\n\r\n  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\r\n\r\nThe special message is processed in atmtcp_recv_control() called\r\nfrom atmtcp_c_send().\r\n\r\natmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:\r\n\r\n  1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())\r\n  2. vcc_sendmsg()\r\n\r\nThe problem is sendmsg() does not validate the message length and\r\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\r\nby atmtcp_control.\r\n\r\nLet's add a new ->pre_send() hook to validate messages from sendmsg().\r\n\r\n[0]:\r\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\r\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\r\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\r\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\r\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\r\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\r\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\r\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\r\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\r\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\r\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\r\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\r\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\r\nFS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\r\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\r\nCall Trace:\r\n <TASK>\r\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\r\n sock_sendmsg_nosec net/socket.c:714 [inline]\r\n __sock_sendmsg+0x219/0x270 net/socket.c:729\r\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\r\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\r\n __sys_sendmsg net/socket.c:2700 [inline]\r\n __do_sys_sendmsg net/socket.c:2705 [inline]\r\n __se_sys_sendmsg net/socket.c:2703 [inline]\r\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\r\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\r\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\r\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\nRIP: 0033:0x7f8d7e96a4a9\r\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\r\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\r\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\r\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\r\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\r\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\r\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\r\n </TASK>\r\nModules linked in:",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39828"
    },
    {
      "cve": "CVE-2025-39835",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: do not propagate ENODATA disk errors into xattr code\n\nENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;\nnamely, that the requested attribute name could not be found.\n\nHowever, a medium error from disk may also return ENODATA. At best,\nthis medium error may escape to userspace as \"attribute not found\"\nwhen in fact it's an IO (disk) error.\n\nAt worst, we may oops in xfs_attr_leaf_get() when we do:\n\n\terror = xfs_attr_leaf_hasname(args, &bp);\n\tif (error == -ENOATTR)  {\n\t\txfs_trans_brelse(args->trans, bp);\n\t\treturn error;\n\t}\n\nbecause an ENODATA/ENOATTR error from disk leaves us with a null bp,\nand the xfs_trans_brelse will then null-deref it.\n\nAs discussed on the list, we really need to modify the lower level\nIO functions to trap all disk errors and ensure that we don't let\nunique errors like this leak up into higher xfs functions - many\nlike this should be remapped to EIO.\n\nHowever, this patch directly addresses a reported bug in the xattr\ncode, and should be safe to backport to stable kernels. A larger-scope\npatch to handle more unique errors at lower levels can follow later.\n\n(Note, prior to 07120f1abdff we did not oops, but we did return the\nwrong error code to userspace.)",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39835"
    },
    {
      "cve": "CVE-2025-39838",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: prevent NULL pointer dereference in UTF16 conversion\r\n\r\nThere can be a NULL pointer dereference bug here. NULL is passed to\r\n__cifs_sfu_make_node without checks, which passes it unchecked to\r\ncifs_strndup_to_utf16, which in turn passes it to\r\ncifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.\r\n\r\nThis patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and\r\nreturns NULL early to prevent dereferencing NULL pointer.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39838"
    },
    {
      "cve": "CVE-2025-39839",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39839"
    },
    {
      "cve": "CVE-2025-39841",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39841"
    },
    {
      "cve": "CVE-2025-39842",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: prevent release journal inode after journal shutdown\r\n\r\nBefore calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already\r\nbeen executed in ocfs2_dismount_volume(), so osb->journal must be NULL. \r\nTherefore, the following calltrace will inevitably fail when it reaches\r\njbd2_journal_release_jbd_inode().\r\n\r\nocfs2_dismount_volume()->\r\n  ocfs2_delete_osb()->\r\n    ocfs2_free_slot_info()->\r\n      __ocfs2_free_slot_info()->\r\n        evict()->\r\n          ocfs2_evict_inode()->\r\n            ocfs2_clear_inode()->\r\n\t      jbd2_journal_release_jbd_inode(osb->journal->j_journal,\r\n\r\nAdding osb->journal checks will prevent null-ptr-deref during the above\r\nexecution path.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39842"
    },
    {
      "cve": "CVE-2025-39843",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: slub: avoid wake up kswapd in set_track_prepare\r\n\r\nset_track_prepare() can incur lock recursion.\r\nThe issue is that it is called from hrtimer_start_range_ns\r\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\r\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\r\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\r\n\r\nAvoid deadlock caused by implicitly waking up kswapd by passing in\r\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\r\ndebug_objects_fill_pool() case. Inside stack depot they are processed by\r\ngfp_nested_mask().\r\nSince ___slab_alloc() has preemption disabled, we mask out\r\n__GFP_DIRECT_RECLAIM from the flags there.\r\n\r\nThe oops looks something like:\r\n\r\nBUG: spinlock recursion on CPU#3, swapper/3/0\r\n lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\r\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\r\nCall trace:\r\nspin_bug+0x0\r\n_raw_spin_lock_irqsave+0x80\r\nhrtimer_try_to_cancel+0x94\r\ntask_contending+0x10c\r\nenqueue_dl_entity+0x2a4\r\ndl_server_start+0x74\r\nenqueue_task_fair+0x568\r\nenqueue_task+0xac\r\ndo_activate_task+0x14c\r\nttwu_do_activate+0xcc\r\ntry_to_wake_up+0x6c8\r\ndefault_wake_function+0x20\r\nautoremove_wake_function+0x1c\r\n__wake_up+0xac\r\nwakeup_kswapd+0x19c\r\nwake_all_kswapds+0x78\r\n__alloc_pages_slowpath+0x1ac\r\n__alloc_pages_noprof+0x298\r\nstack_depot_save_flags+0x6b0\r\nstack_depot_save+0x14\r\nset_track_prepare+0x5c\r\n___slab_alloc+0xccc\r\n__kmalloc_cache_noprof+0x470\r\n__set_page_owner+0x2bc\r\npost_alloc_hook[jt]+0x1b8\r\nprep_new_page+0x28\r\nget_page_from_freelist+0x1edc\r\n__alloc_pages_noprof+0x13c\r\nalloc_slab_page+0x244\r\nallocate_slab+0x7c\r\n___slab_alloc+0x8e8\r\nkmem_cache_alloc_noprof+0x450\r\ndebug_objects_fill_pool+0x22c\r\ndebug_object_activate+0x40\r\nenqueue_hrtimer[jt]+0xdc\r\nhrtimer_start_range_ns+0x5f8\r\n...",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39843"
    },
    {
      "cve": "CVE-2025-39844",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: move page table sync declarations to linux/pgtable.h\r\n\r\nDuring our internal testing, we started observing intermittent boot\r\nfailures when the machine uses 4-level paging and has a large amount of\r\npersistent memory:\r\n\r\n  BUG: unable to handle page fault for address: ffffe70000000034\r\n  #PF: supervisor write access in kernel mode\r\n  #PF: error_code(0x0002) - not-present page\r\n  PGD 0 P4D 0 \r\n  Oops: 0002 [#1] SMP NOPTI\r\n  RIP: 0010:__init_single_page+0x9/0x6d\r\n  Call Trace:\r\n   <TASK>\r\n   __init_zone_device_page+0x17/0x5d\r\n   memmap_init_zone_device+0x154/0x1bb\r\n   pagemap_range+0x2e0/0x40f\r\n   memremap_pages+0x10b/0x2f0\r\n   devm_memremap_pages+0x1e/0x60\r\n   dev_dax_probe+0xce/0x2ec [device_dax]\r\n   dax_bus_probe+0x6d/0xc9\r\n   [... snip ...]\r\n   </TASK>\r\n\r\nIt turns out that the kernel panics while initializing vmemmap (struct\r\npage array) when the vmemmap region spans two PGD entries, because the new\r\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\r\nother tasks.\r\n\r\nAnd looking at __populate_section_memmap():\r\n  if (vmemmap_can_optimize(altmap, pgmap))                                \r\n          // does not sync top level page tables\r\n          r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\r\n  else                                                                    \r\n          // sync top level page tables in x86\r\n          r = vmemmap_populate(start, end, nid, altmap);\r\n\r\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\r\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\r\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\r\nthat all tasks in the system can see the new vmemmap area.\r\n\r\nHowever, when vmemmap_can_optimize() returns true, the optimized path\r\nskips synchronization of top-level page tables.  This is because\r\nvmemmap_populate_compound_pages() is implemented in core MM code, which\r\ndoes not handle synchronization of the top-level page tables.  Instead,\r\nthe core MM has historically relied on each architecture to perform this\r\nsynchronization manually.\r\n\r\nWe're not the first party to encounter a crash caused by not-sync'd top\r\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\r\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\r\nvmemmap area before the corresponding top-level entries were synced.  At\r\nthat time, the issue was believed to be triggered only when struct page\r\nwas enlarged for debugging purposes, and the patch did not get further\r\nupdates.\r\n\r\nIt turns out that current approach of relying on each arch to handle the\r\npage table sync manually is fragile because 1) it's easy to forget to sync\r\nthe top level page table, and 2) it's also easy to overlook that the\r\nkernel should not access the vmemmap and direct mapping areas before the\r\nsync.\r\n\r\n# The solution: Make page table sync more code robust and harder to miss\r\n\r\nTo address this, Dave Hansen suggested [3] [4] introducing\r\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\r\nand allow each architecture to explicitly perform synchronization when\r\ninstalling top-level entries.  With this approach, we no longer need to\r\nworry about missing the sync step, reducing the risk of future\r\nregressions.\r\n\r\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\r\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\r\nvmalloc and ioremap to synchronize page tables.\r\n\r\npgd_populate_kernel() looks like this:\r\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\r\n                                       p4d_t *p4d)\r\n{\r\n        pgd_populate(&init_mm, pgd, p4d);\r\n        if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)\r\n                arch_sync_kernel_mappings(addr, addr);\r\n}\r\n\r\nIt is worth noting that vmalloc() and apply_to_range() carefully\r\nsynchronizes page tables by calling p*d_alloc_track() and\r\narch_sync_kernel_mappings(), and thus they are not affected by\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39844"
    },
    {
      "cve": "CVE-2025-39845",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\r\n\r\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\r\npage tables are properly synchronized when calling p*d_populate_kernel().\r\n\r\nFor 5-level paging, synchronization is performed via\r\npgd_populate_kernel().  In 4-level paging, pgd_populate() is a no-op, so\r\nsynchronization is instead performed at the P4D level via\r\np4d_populate_kernel().\r\n\r\nThis fixes intermittent boot failures on systems using 4-level paging and\r\na large amount of persistent memory:\r\n\r\n  BUG: unable to handle page fault for address: ffffe70000000034\r\n  #PF: supervisor write access in kernel mode\r\n  #PF: error_code(0x0002) - not-present page\r\n  PGD 0 P4D 0\r\n  Oops: 0002 [#1] SMP NOPTI\r\n  RIP: 0010:__init_single_page+0x9/0x6d\r\n  Call Trace:\r\n   <TASK>\r\n   __init_zone_device_page+0x17/0x5d\r\n   memmap_init_zone_device+0x154/0x1bb\r\n   pagemap_range+0x2e0/0x40f\r\n   memremap_pages+0x10b/0x2f0\r\n   devm_memremap_pages+0x1e/0x60\r\n   dev_dax_probe+0xce/0x2ec [device_dax]\r\n   dax_bus_probe+0x6d/0xc9\r\n   [... snip ...]\r\n   </TASK>\r\n\r\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\r\nbefore sync_global_pgds() [1]:\r\n\r\n  BUG: unable to handle page fault for address: ffffeb3ff1200000\r\n  #PF: supervisor write access in kernel mode\r\n  #PF: error_code(0x0002) - not-present page\r\n  PGD 0 P4D 0\r\n  Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\r\n  Tainted: [W]=WARN\r\n  RIP: 0010:vmemmap_set_pmd+0xff/0x230\r\n   <TASK>\r\n   vmemmap_populate_hugepages+0x176/0x180\r\n   vmemmap_populate+0x34/0x80\r\n   __populate_section_memmap+0x41/0x90\r\n   sparse_add_section+0x121/0x3e0\r\n   __add_pages+0xba/0x150\r\n   add_pages+0x1d/0x70\r\n   memremap_pages+0x3dc/0x810\r\n   devm_memremap_pages+0x1c/0x60\r\n   xe_devm_add+0x8b/0x100 [xe]\r\n   xe_tile_init_noalloc+0x6a/0x70 [xe]\r\n   xe_device_probe+0x48c/0x740 [xe]\r\n   [... snip ...]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39845"
    },
    {
      "cve": "CVE-2025-39846",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39846"
    },
    {
      "cve": "CVE-2025-39847",
      "cwe": {
        "id": "CWE-772",
        "name": "Missing Release of Resource after Effective Lifetime"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp: fix memory leak in pad_compress_skb\r\n\r\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\r\nreleasing the old skb. The caller does:\r\n\r\n    skb = pad_compress_skb(ppp, skb);\r\n    if (!skb)\r\n        goto drop;\r\n\r\ndrop:\r\n    kfree_skb(skb);\r\n\r\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\r\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\r\n\r\nAlign pad_compress_skb() semantics with realloc(): only free the old\r\nskb if allocation and compression succeed.  At the call site, use the\r\nnew_skb variable so the original skb is not lost when pad_compress_skb()\r\nfails.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39847"
    },
    {
      "cve": "CVE-2025-39848",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: properly unshare skbs in ax25_kiss_rcv()\r\n\r\nBernard Pidoux reported a regression apparently caused by commit\r\nc353e8983e0d (\"net: introduce per netns packet chains\").\r\n\r\nskb->dev becomes NULL and we crash in __netif_receive_skb_core().\r\n\r\nBefore above commit, different kind of bugs or corruptions could happen\r\nwithout a major crash.\r\n\r\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\r\nwithout checking if this skb is shared or not.\r\n\r\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\r\n\r\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\r\n(\"phonet: properly unshare skbs in phonet_rcv()\").",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39848"
    },
    {
      "cve": "CVE-2025-39849",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()\r\n\r\nIf the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would\r\nlead to memory corruption so add some bounds checking.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39849"
    },
    {
      "cve": "CVE-2025-39853",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39853"
    },
    {
      "cve": "CVE-2025-39857",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()\r\n\r\nBUG: kernel NULL pointer dereference, address: 00000000000002ec\r\nPGD 0 P4D 0\r\nOops: Oops: 0000 [#1] SMP PTI\r\nCPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G        OE       6.17.0-rc2+ #9 NONE\r\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\r\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\r\nWorkqueue: smc_hs_wq smc_listen_work [smc]\r\nRIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]\r\n...\r\nCall Trace:\r\n <TASK>\r\n smcr_buf_map_link+0x211/0x2a0 [smc]\r\n __smc_buf_create+0x522/0x970 [smc]\r\n smc_buf_create+0x3a/0x110 [smc]\r\n smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]\r\n ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]\r\n smc_listen_find_device+0x1dd/0x2b0 [smc]\r\n smc_listen_work+0x30f/0x580 [smc]\r\n process_one_work+0x18c/0x340\r\n worker_thread+0x242/0x360\r\n kthread+0xe7/0x220\r\n ret_from_fork+0x13a/0x160\r\n ret_from_fork_asm+0x1a/0x30\r\n </TASK>\r\n\r\nIf the software RoCE device is used, ibdev->dma_device is a null pointer.\r\nAs a result, the problem occurs. Null pointer detection is added to\r\nprevent problems.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39857"
    },
    {
      "cve": "CVE-2025-39860",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n  CPU1                        CPU2 (close())\n  ----                        ----\n  sock_hold(sk)               sock_hold(sk);\n  lock_sock(sk)   <-- block close()\n  sock_put(sk)\n  bt_accept_unlink(sk)\n    sock_put(sk)  <-- refcnt by bt_accept_enqueue()\n  release_sock(sk)\n                              lock_sock(sk)\n                              sock_put(sk)\n                              bt_accept_unlink(sk)\n                                sock_put(sk)        <-- last refcnt\n                              bt_accept_unlink(sk)  <-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet's call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n </TASK>\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39860"
    },
    {
      "cve": "CVE-2025-39864",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they're not shared via the corresponding\n'hidden_beacon_bss' pointer.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39864"
    },
    {
      "cve": "CVE-2025-39865",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put has a NULL pointer dereference:\n\n__optee_disable_shm_cache -->\n\tshm = reg_pair_to_ptr(...);//shm may return NULL\n        tee_shm_free(shm); -->\n\t\ttee_shm_put(shm);//crash\n\nAdd a check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39865"
    },
    {
      "cve": "CVE-2025-39866",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nA use-after-free issue occurred when __mark_inode_dirty() got the\nbdi_writeback that was in the process of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed                         kworker\n----------------------------------------------------------------------\n___mark_inode_dirty                     inode_switch_wbs_work_fn\n\n  spin_lock(&inode->i_lock);\n  inode_attach_wb\n  locked_inode_to_wb_and_lock_list\n     get inode->i_wb\n     spin_unlock(&inode->i_lock);\n     spin_lock(&wb->list_lock)\n  spin_lock(&inode->i_lock)\n  inode_io_list_move_locked\n  spin_unlock(&wb->list_lock)\n  spin_unlock(&inode->i_lock)\n                                    spin_lock(&old_wb->list_lock)\n                                      inode_do_switch_wbs\n                                        spin_lock(&inode->i_lock)\n                                        inode->i_wb = new_wb\n                                        spin_unlock(&inode->i_lock)\n                                    spin_unlock(&old_wb->list_lock)\n                                    wb_put_many(old_wb, nr_switched)\n                                      cgwb_release\n                                        old wb released\n  wb_wakeup_delayed() accesses wb,\n  then triggers the use-after-free\n  issue\n\nFix this race condition by holding the inode spinlock until\nwb_wakeup_delayed() has finished.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39866"
    },
    {
      "cve": "CVE-2025-40300",
      "cwe": {
        "id": "CWE-402",
        "name": "Transmission of Private Resources into a New Sphere ('Resource Leak')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/vmscape: Add conditional IBPB mitigation\r\n\r\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\r\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\r\nmitigations already protect kernel/KVM from a malicious guest. Userspace\r\ncan additionally be protected by flushing the branch predictors after a\r\nVMexit.\r\n\r\nSince it is the userspace that consumes the poisoned branch predictors,\r\nconditionally issue an IBPB after a VMexit and before returning to\r\nuserspace. Workloads that frequently switch between hypervisor and\r\nuserspace will incur the most overhead from the new IBPB.\r\n\r\nThis new IBPB is not integrated with the existing IBPB sites. For\r\ninstance, a task can use the existing speculation control prctl() to\r\nget an IBPB at context switch time. With this implementation, the\r\nIBPB is doubled up: one at context switch and another before running\r\nuserspace.\r\n\r\nThe intent is to integrate and optimize these cases post-embargo.\r\n\r\n[ dhansen: elaborate on suboptimal IBPB solution ]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40300"
    },
    {
      "cve": "CVE-2025-43368",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26, iOS 26 and iPadOS 26, macOS Tahoe 26. Processing maliciously crafted web content may lead to an unexpected Safari crash.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-43368"
    },
    {
      "cve": "CVE-2025-47219",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-47219"
    },
    {
      "cve": "CVE-2025-48989",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the 'made you reset' attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108, which fix the issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-53057",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-53057"
    },
    {
      "cve": "CVE-2025-53066",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-53066"
    },
    {
      "cve": "CVE-2025-55752",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Relative Path Traversal vulnerability in Apache Tomcat.\n\nThe fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-55752"
    },
    {
      "cve": "CVE-2025-55754",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\n\nTomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-55754"
    },
    {
      "cve": "CVE-2025-61748",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-61748"
    },
    {
      "cve": "CVE-2025-61795",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat.\n\nIf an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.\n\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later, which fix the issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-61795"
    },
    {
      "cve": "CVE-2026-2673",
      "cwe": {
        "id": "CWE-757",
        "name": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicted keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nare treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nis mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519') being the\nonly ones in the client's initial keyshare prediction.\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server,\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares, would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-2673"
    },
    {
      "cve": "CVE-2026-21925",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-21925"
    },
    {
      "cve": "CVE-2026-21932",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-21932"
    },
    {
      "cve": "CVE-2026-21933",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-21933"
    },
    {
      "cve": "CVE-2026-21945",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-21945"
    },
    {
      "cve": "CVE-2026-21947",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Vulnerability in Oracle Java SE (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-21947"
    },
    {
      "cve": "CVE-2026-22924",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions.\r\nThis could allow an attacker to disrupt normal operations or perform unauthorized actions, potentially impacting system availability and integrity.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-22924"
    },
    {
      "cve": "CVE-2026-22925",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application is susceptible to resource exhaustion when subjected to a high volume of TCP SYN packets.\r\nThis could allow an attacker to render the service unavailable and cause denial-of-service conditions by overwhelming system resources.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-22925"
    },
    {
      "cve": "CVE-2026-28387",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-28387"
    },
    {
      "cve": "CVE-2026-28388",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing are enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-28388"
    },
    {
      "cve": "CVE-2026-28389",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-28389"
    },
    {
      "cve": "CVE-2026-28390",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-28390"
    },
    {
      "cve": "CVE-2026-31789",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: Converting an excessively large OCTET STRING value to\r\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\r\n\r\nImpact summary: A heap buffer overflow may lead to a crash or possibly\r\nan attacker controlled code execution or other undefined behavior.\r\n\r\nIf an attacker can supply a crafted X.509 certificate with an excessively\r\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\r\n(SKID) or Authority Key Identifier (AKID) which are being converted to hex,\r\nthe size of the buffer needed for the result is calculated as multiplication\r\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\r\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\r\n\r\nApplications and services that print or log contents of untrusted X.509\r\ncertificates are vulnerable to this issue. As the certificates would have\r\nto have sizes of over 1 Gigabyte, printing or logging such certificates\r\nis a fairly unlikely operation and only 32 bit platforms are affected,\r\nthis issue was assigned Low severity.\r\n\r\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\r\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-31789"
    },
    {
      "cve": "CVE-2026-31790",
      "cwe": {
        "id": "CWE-754",
        "name": "Improper Check for Unusual or Exceptional Conditions"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V5.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109814144/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-31790"
    }
  ]
}