Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
libceph: Fix potential out-of-bounds access in osdmap_decode()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in osdmap_decode() When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message. This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osd*sizeof(*map->osd_weight).

Affected products

Linux
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • <ee933694645dac062d65fc2743f92bc06fa0db6b
  • <48df98d12b15360cd56af5c1f460307b340c1197
  • =<6.12.*
  • =<7.0.*
  • <35d0ed82d03e5ee77ea4f31f20e29562a7721649
  • <5.3
  • <8713bbc4b2b9ad78f803978e54b7e49dd21bd9be
  • =<*
  • <36a79759a288961b1ff28a68ec2d1f56f6848098
  • <3f2575bb7f955d42569d96c3e04fa958a0dcf4b4
  • <0d2dd7e6bb74fd7712aa73457a4a821906c6863a
  • ==5.3
  • =<5.10.*
  • <e7187f33c02488697ec0d01d82bf7a3f8deaba8f
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13023
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 …

Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13024
4.2 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Insufficient validation of untrusted input in Navigation in Google Chrome …

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() In case if we get errors in cdns_mhdp_link_up() or cdns_mhdp_reg_read() in atomic_enable, we will go to cdns_mhdp_modeset_retry_fn() and will hit NULL pointer while trying to access the mutex. We need the connector to be set before that. Unlike in legacy cases with flag !DRM_BRIDGE_ATTACH_NO_CONNECTOR, we do not have connector initialised in bridge_attach(), so add the mhdp->connector_ptr in device structure to handle both cases with DRM_BRIDGE_ATTACH_NO_CONNECTOR and !DRM_BRIDGE_ATTACH_NO_CONNECTOR, set it in atomic_enable() earlier to avoid possible NULL pointer dereference in recovery paths like modeset_retry_fn() with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set.

Affected products

Linux
  • <6.6
  • =<6.18.*
  • <a3611554e599d1a24b45fd8415bacb72ce861e4b
  • <cf2ac2cac8b319f89b3a3851ca0c5ffb6a549575
  • =<7.0.*
  • <1af3b42e08a957e53bab8e1897393fe0a27d9fbf
  • ==6.6
  • <5302015daf26ef6b48e067f2b86c9482ac19e015
  • =<*
  • <43d6508ddbf9fb974fbc359a033154f78c9d4c8b
  • =<6.12.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
pppoe: drop PFC frames

In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.

Affected products

Linux
  • <cb3beef35ab5e0c1afca9fd7648c6ae499786377
  • =<5.15.*
  • =<6.18.*
  • <8a5e840babc5c0fbd10c73728a13192347771ec6
  • =<6.12.*
  • <ba758fdf1399f310b30098b6faa3fd043de47dd2
  • <5.0
  • =<7.0.*
  • <0cab5d077dd1efd2bd1a47271acc35894f945b4f
  • <cc1ff87bce1ccd38410ab10960f576dcd17db679
  • <2b5c3c040d020e3ab3b9a8887031202d96843b1e
  • <fcca1df05322bb04e344dd1178b54b76a08eb7c3
  • <49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71
  • =<*
  • ==5.0
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ceph: put folios not suitable for writeback

In the Linux kernel, the following vulnerability has been resolved: ceph: put folios not suitable for writeback The batch holds references to the folios (see `filemap_get_folios`, `folio_batch_release`), so we need to `folio_put` the folios we remove. Tested on v6.18.

Affected products

Linux
  • <86921e890fe1dea9791fb70bec552516fd47716a
  • <544576f0f05c4a759806acddfaaeb686f14fb4b0
  • =<7.0.*
  • <7.0.10
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Fix ld_{abs,ind} failure path analysis in subprogs

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ld_{abs,ind} failure path analysis in subprogs Usage of ld_{abs,ind} instructions got extended into subprogs some time ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These are only allowed in subprograms when the latter are BTF annotated and have scalar return types. The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 + exit) from legacy cBPF times. While the enforcement is on scalar return types, the verifier must also simulate the path of abnormal exit if the packet data load via ld_{abs,ind} failed. This is currently not the case. Fix it by having the verifier simulate both success and failure paths, and extend it in similar ways as we do for tail calls. The success path (r0=unknown, continue to next insn) is pushed onto stack for later validation and the r0=0 and return to the caller is done on the fall-through side.

Affected products

Linux
  • <d846d83bdacbd8f14fc45c63b8c1d22608452e1c
  • ==5.10
  • =<7.0.*
  • <ee861486e377edc55361c08dcbceab3f6b6577bd
  • =<*
  • <5.10
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Fix OOB in pcpu_init_value

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix OOB in pcpu_init_value An out-of-bounds read occurs when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the same value_size that is not rounded up to 8 bytes. The issue happens when: 1. A CGROUP_STORAGE map is created with value_size not aligned to 8 bytes (e.g., 4 bytes) 2. A pcpu map is created with the same value_size (e.g., 4 bytes) 3. Update element in 2 with data in 1 pcpu_init_value assumes that all sources are rounded up to 8 bytes, and invokes copy_map_value_long to make a data copy, However, the assumption doesn't stand since there are some cases where the source may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data. the verifier verifies exactly the size that the source claims, not the size rounded up to 8 bytes by kernel, an OOB happens when the source has only 4 bytes while the copy size(4) is rounded up to 8.

Affected products

Linux
  • =<6.18.*
  • ==5.10
  • ==c602ad2b52dcbca5af08e5137bd5575c039b52e3
  • <5.5
  • =<7.0.*
  • <576afddfee8d1108ee299bf10f581593540d1a36
  • ==ab68b940dd6f7b5f8e2557937162dcb8a0583a05
  • <e19c5ed9f1922a6854073f8651a63fa7be26e9e9
  • <5.10
  • <6086079e6d1c32ba4c4b422612b8aebb1129a96c
  • =<*
  • <5.10
  • <634a793d0e1c822412095d25a1338f8831ad894c
  • =<6.12.*
  • <e0378419b0e20178b5d100b27c9cc7e51064202e
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: ena: PHC: Fix potential use-after-free in get_timestamp

In the Linux kernel, the following vulnerability has been resolved: net: ena: PHC: Fix potential use-after-free in get_timestamp Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired. If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it. With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.

Affected products

Linux
  • <6.17
  • =<6.18.*
  • =<7.0.*
  • <95e8ae9af2a61b4e72f5c585bf4c7d8aaf2a2c98
  • <ca9ed40f28949353911dcb524ff8fff2f3409c97
  • =<*
  • ==6.17
  • <e42c755582f0960e684298762f0ab927b3778376
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: brcmfmac: Fix error pointer dereference

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix error pointer dereference The function brcmf_chip_add_core() can return an error pointer and is not checked. Add checks for error pointer. Detected by Smatch: drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1010 brcmf_chip_recognition() error: 'core' dereferencing possible ERR_PTR() drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1013 brcmf_chip_recognition() error: 'core' dereferencing possible ERR_PTR() drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1016 brcmf_chip_recognition() error: 'core' dereferencing possible ERR_PTR() drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1019 brcmf_chip_recognition() error: 'core' dereferencing possible ERR_PTR() drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1022 brcmf_chip_recognition() error: 'core' dereferencing possible ERR_PTR() [add missing wifi: prefix]

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <bd6c906e0c4af6d5d0c49c3c4ee090b4913da17d
  • <d3f280be48f1c672cb10e8026c236d0cca60048a
  • =<7.0.*
  • <dd8592fc6007a451c3e4b9025de365e39de8178a
  • ==3.15
  • <2e0e5a43ed126f896a4ad31ade66c90270601bae
  • <3.15
  • <a3b45090a91e2f0b9715870d8f8d9ca2fdfbc1af
  • =<*
  • <cbea71b4480394708f9a6e007a0385acfe5e1ec8
  • =<5.10.*
  • <99ef547659178eef6d6ba4738a9d989ce90cf909
  • =<6.1.*
  • <334c68750eee84c2327db1d152be83ff5ad8e20b
  • =<6.6.*