Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
scsi: target: core: Fix integer overflow in UNMAP bounds check

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix integer overflow in UNMAP bounds check sbc_execute_unmap() checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow. Add an overflow check matching the pattern already used for WRITE_SAME in the same file.

Affected products

Linux
  • =<5.15.*
  • <5efc3ef4758f8d98c257419fa21daca3227de61a
  • =<6.18.*
  • <51075df70c46e60a9773f2dcd28299e40dac36fb
  • <2bf2d65f76697820dbc4227d13866293576dd90a
  • =<5.10.*
  • <d7aef29573c7c5cdb2dfad939253287a6329c2a4
  • =<6.12.*
  • =<7.0.*
  • <c08ab702c4699c6efb9d60bdb15b73e7a627ee7e
  • <02115986d027ade793e7f6be87e91d6a796d0aa3
  • =<*
  • ==3.10
  • <2e1ed9a7b6ea5bfefb5d80a02b1c71c7dee1f0dd
  • <3.10
  • =<6.1.*
  • <3facdecc3fcf115cc4f9b3d8f118d6705e2456a8
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Affected products

Linux
  • =<6.18.*
  • <fa92a77b0ed4d5f11a71665a232ac5a54a4b055d
  • <b6b7154e9f5d75b608ceb2d05b376de8c638c40e
  • =<6.12.*
  • =<7.0.*
  • <4979252758387b338ca968ba7e0515b0ae2257e3
  • =<*
  • =<6.6.*
  • ==6.4
  • <77ecfa4e27f282d224215895ddfbeb916fc75e24
  • <6.4
  • <1c004f14ccdc11585625c168bb9a7c5e1b8afb0c
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
dm log: fix out-of-bounds write due to region_count overflow

In the Linux kernel, the following vulnerability has been resolved: dm log: fix out-of-bounds write due to region_count overflow The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions. Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc. This can be reproduced by creating a mirror target whose region_count overflows 32 bits: dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0' The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1): $ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ... This leads to a kernel crash in core_in_sync: BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed! Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.

Affected products

Linux
  • <4ec8323b9f0764a14d532b1ae9b87f8a9fecb867
  • <d4ac87567f86a55c3c92e9a5144dcd943a9772a1
  • =<5.15.*
  • =<6.18.*
  • <12bd5b88e91a02785244ff1d20fb157e96e9cdc8
  • =<6.12.*
  • =<7.0.*
  • <44ab8875ae4a2842bde2d756bed195d375e0debb
  • <3ec74da927b4e171a6fc0e77b1188ba4d019af51
  • <c20e36b7631d83e7535877f08af8b0af72c44b1a
  • <2.6.12
  • ==2.6.12
  • =<*
  • <b455903eed4558982be0811f5b7f44f6bbc4ff57
  • <defe483e47173768c227532694dc78cb65db5f09
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
crypto: af_alg - Cap AEAD AD length to 0x80000000

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Cap AEAD AD length to 0x80000000 In order to prevent arithmetic overflows when checking the TX buffer size, cap the associated data length to 0x80000000.

Affected products

Linux
  • <97948906dc8e0ea84775e03e35b60a2063c70193
  • =<6.1.*
  • <a4fe4eb580bbc7439f649a496d4cf38415a4021c
  • =<5.15.*
  • =<6.18.*
  • ==4.1
  • =<6.12.*
  • <4.1
  • =<7.0.*
  • <a9f68d9ed38dd6e5a6c6d75b03d25c1c133e321d
  • <265ac26d1c5e17b34d497cbda1f754a1ec8552bc
  • <a1c5672faf8e93e38c2deac3979cc767ca5cf918
  • <f8a5203596797f394ff3f9aa4005597a92249802
  • <e4c4a5074532eaaa14951994a3aad0d479aa7431
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: disable BH before calling udp_tunnel_xmit_skb()

In the Linux kernel, the following vulnerability has been resolved: sctp: disable BH before calling udp_tunnel_xmit_skb() udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path: udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit() dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU. Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit(). Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths. In my testing, after enabling the SCTP over UDP: # ip net exec ha sysctl -w net.sctp.udp_port=9899 # ip net exec ha sysctl -w net.sctp.encap_port=9899 # ip net exec hb sysctl -w net.sctp.udp_port=9899 # ip net exec hb sysctl -w net.sctp.encap_port=9899 # ip net exec ha iperf3 -s - without this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver - with this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver

Affected products

Linux
  • <2cd7e6971fc2787408ceef17906ea152791448cf
  • ==5.11
  • =<7.0.*
  • <790093245e35040c2adb15f48970020425aa3f47
  • <5.11
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Do not allow deleting local storage in NMI

In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfree_rcu(), call_rcu() or call_rcu_tasks_trace() in NMI or reentrant. Since deleting selem in NMI is an unlikely use case, partially mitigate it by returning error when calling from bpf_xxx_storage_delete() helpers in NMI. Note that, it is still possible to deadlock through reentrant. A full mitigation requires returning error when irqs_disabled() is true, which, however is too heavy-handed for bpf_xxx_storage_delete(). The long-term solution requires _nolock versions of call_rcu. Another possible solution is to defer the free through irq_work [0], but it would grow the size of selem, which is non-ideal. The check is only needed in bpf_selem_unlink(), which is used by helpers and syscalls. bpf_selem_unlink_nofail() is fine as it is called during map and owner tear down that never run in NMI or reentrant. [0] https://lore.kernel.org/bpf/20260205190233.912-1-alexei.starovoitov@gmail.com/

Affected products

Linux
  • <350de5b8a9befaa2a68861c51f671d4f5f751ca5
  • <5.13
  • =<7.0.*
  • ==5.13
  • =<*
  • <e84acaf936970b5b0be2c93bbf255295ba9406df
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: xt_policy: fix strict mode inbound policy matching

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_policy: fix strict mode inbound policy matching match_policy_in() walks sec_path entries from the last transform to the first one, but strict policy matching needs to consume info->pol[] in the same forward order as the rule layout. Derive the strict-match policy position from the number of transforms already consumed so that multi-element inbound rules are matched consistently.

Affected products

Linux
  • <938867e870fb5471bb16f442aeac81326e05bf65
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • <392cc1d8408b5665215c1e9290bbf0f92339b043
  • ==2.6.17
  • <2.6.17
  • =<7.0.*
  • <eb323f7b82d2e2f638de0cc2a177803eb20e0707
  • <b130a6eefa02bd4d475f2f059da8bcfb3e7d18d9
  • <fc1c518bb1f054831ecabb32da9b8e1dff9699c6
  • =<*
  • <4b2b4d7d4e203c92db8966b163edfacb1f0e1e29
  • <f98b7f85e04b40e28b08c461ded0cc79f14f5509
  • <82664d0f1ba25e4f9a71994954abae24c60f4067
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: return VMA snapshot from task_vma iterator

In the Linux kernel, the following vulnerability has been resolved: bpf: return VMA snapshot from task_vma iterator Holding the per-VMA lock across the BPF program body creates a lock ordering problem when helpers acquire locks that depend on mmap_lock: vm_lock -> i_rwsem -> mmap_lock -> vm_lock Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then drop the lock before returning. The BPF program accesses only the snapshot. The verifier only trusts vm_mm and vm_file pointers (see BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference- counted with get_file() under the lock and released via fput() on the next iteration or in _destroy(). vm_mm is already correct because lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers are left as-is by memcpy() since the verifier treats them as untrusted.

Affected products

Linux
  • <6.7
  • =<6.18.*
  • <83b8802c034e843b83a3e1ef6f30cdd4e9ec291c
  • <13860ca37b8df0b856ee1ce3bdbd7c327d5f53e8
  • =<7.0.*
  • <592226d138378601ae28eb890e2bbc23ec3600f7
  • ==6.7
  • =<*
  • =<6.12.*
  • <4cbee026db54cad39c39db4d356100cb133412b3
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13025
8.3 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed …

Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
fsnotify: fix inode reference leak in fsnotify_recalc_mask()

In the Linux kernel, the following vulnerability has been resolved: fsnotify: fix inode reference leak in fsnotify_recalc_mask() fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared. This manifests as a hung task with the following call trace: INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit The race window that triggers the iref leak: Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return /* ---- gap: no lock held ---- */ fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A) fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded! * iput() and fsnotify_put_sb_watched_objects() * are never called */ Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

Affected products

Linux
  • <5c80289503da3658e3df80280598c68d181eadbd
  • <b740cc86816bbc87902ae9db74cd21abde3c8d63
  • <4aca914ac152f5d055ddcb36704d1e539ac08977
  • =<6.18.*
  • <5.19
  • =<6.12.*
  • <5.11
  • =<7.0.*
  • <8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
  • ==4f145b67c075324b13d6ae7d5abb6e7a1dbac26d
  • ==5.19
  • =<*
  • <5.16
  • ==ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe