Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
platform/x86: dell-wmi-sysman: bound enumeration string aggregation

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: bound enumeration string aggregation populate_enum_data() aggregates firmware-provided value-modifier and possible-value strings into fixed 512-byte struct members. The current code bounds each individual source string but then appends every string and separator with raw strcat() and no remaining-space check. Switch the aggregation loops to a bounded append helper and reject enumeration packages whose combined strings do not fit in the destination buffers. [ij: add include]

Affected products

Linux
  • <c5683ca4949a514fbe656c6d0d08c4c126e21db9
  • ==5.11
  • =<5.15.*
  • <7b3dc1f764bf24eb99474a5de8173b0b43a8b071
  • <90b118d264845f7aaf539ac49f7c75f1f29590e2
  • <3c34471c26abc52a37f5ad90949e2e4b8027eb14
  • =<6.18.*
  • =<6.12.*
  • <ba0843c1955864401295f7ba3b420afe19f2266d
  • =<7.0.*
  • <75c738d4f27fa18a2a033de153bd40302bde6a66
  • <5.11
  • =<*
  • <5a04f9a36930792f6d64e28d43609e158d09b665
  • =<6.1.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
gfs2: add some missing log locking

In the Linux kernel, the following vulnerability has been resolved: gfs2: add some missing log locking Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(), gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock, but these functions require exclusion against concurrent transactions. To fix that, add a non-locking __gfs2_log_flush() function. Then, in gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log flushing functions and __gfs2_log_flush().

Affected products

Linux
  • <3b28eb75afe520972bacc833850c2b30aa0824cd
  • <98e8bf249c790d56de1abc4a5f8bd68035a00921
  • <fe2c8d051150b90b3ccb85f89e3b1d636cb88ec8
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • ==5.7
  • =<7.0.*
  • <ca95342cb1b39062a03c115830286f0a426053d5
  • <f2f225cf505ac016132ded21690f3ba0a080a4e8
  • <49d9be0722da3a4a893ba905720cba1921834ec3
  • =<*
  • <5.7
  • =<6.1.*
  • <bf5fcd9c37c2546beaf7b401d31aefd89017dc3d
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nat: use kfree_rcu to release ops

In the Linux kernel, the following vulnerability has been resolved: netfilter: nat: use kfree_rcu to release ops Florian Westphal says: "Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks. However, in v5.14 I added the ability to dump the active netfilter hooks from userspace. This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath. The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though. But once that changes the nat ops structures have to be deferred too." Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.

Affected products

Linux
  • =<6.18.*
  • <5.14
  • =<7.0.*
  • <32fdd2e38e7435a368d88f5977a7d6585ebc8b0e
  • ==5.14
  • =<*
  • <6eda0d771f94267f73f57c94630aa47e90957915
  • <3c7511f38ab511b791196b13ae48bf4973bf7dfd
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
md: fix array_state=clear sysfs deadlock

In the Linux kernel, the following vulnerability has been resolved: md: fix array_state=clear sysfs deadlock When "clear" is written to array_state, md_attr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method. However, md_attr_store() currently drops the mddev reference before calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can become the last kobject reference protecting the md kobject. That allows sysfs_unbreak_active_protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs_drain() in the call chain. Reproducer on an existing level: 1. Create an md0 linear array and activate it: mknod /dev/md0 b 9 0 echo none > /sys/block/md0/md/metadata_version echo linear > /sys/block/md0/md/level echo 1 > /sys/block/md0/md/raid_disks echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \ /sys/block/md0/md/dev-sdb/size echo 0 > /sys/block/md0/md/dev-sdb/slot echo active > /sys/block/md0/md/array_state 2. Wait briefly for the array to settle, then clear it: sleep 2 echo clear > /sys/block/md0/md/array_state The warning looks like: WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at __kernfs_remove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40 ... Call Trace: kernfs_drain __kernfs_remove kernfs_remove_by_name_ns sysfs_remove_group sysfs_remove_groups __kobject_del kobject_put md_attr_store kernfs_fop_write_iter vfs_write ksys_write Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.

Affected products

Linux
  • <6.17
  • =<6.18.*
  • <92ad0ec509ffb188d8f849b63148664df37b4a52
  • =<7.0.*
  • <2aa72276fab9851dbd59c2daeb4b590c5a113908
  • =<*
  • <62c44566da7493ee48ef17e8507bb798338a07cb
  • ==6.17
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on

In the Linux kernel, the following vulnerability has been resolved: PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on When PERST# is deasserted twice (assert -> deassert -> assert -> deassert), a CBB (Control Backbone) timeout occurs at DBI register offset 0x8bc (PCIE_MISC_CONTROL_1_OFF). This happens because pci_epc_deinit_notify() and dw_pcie_ep_cleanup() are called before reset_control_deassert() powers on the controller core. The call chain that causes the timeout: pex_ep_event_pex_rst_deassert() pci_epc_deinit_notify() pci_epf_test_epc_deinit() pci_epf_test_clear_bar() pci_epc_clear_bar() dw_pcie_ep_clear_bar() __dw_pcie_ep_reset_bar() dw_pcie_dbi_ro_wr_en() <- Accesses 0x8bc DBI register reset_control_deassert(pcie->core_rst) <- Core powered on HERE The DBI registers, including PCIE_MISC_CONTROL_1_OFF (0x8bc), are only accessible after the controller core is powered on via reset_control_deassert(pcie->core_rst). Accessing them before this point results in a CBB timeout because the hardware is not yet operational. Fix this by moving pci_epc_deinit_notify() and dw_pcie_ep_cleanup() to after reset_control_deassert(pcie->core_rst), ensuring the controller is fully powered on before any DBI register accesses occur.

Affected products

Linux
  • <010983063a806720b45778d191335f8ea864fea3
  • =<6.18.*
  • <b059a41bdd5b202b2b9d7708403fb43c69689e53
  • ==70212c2300971506e986d95000d2745529cac9d7
  • <ce899f9c019591b73ef84b9afa332ed53beece25
  • <6.13
  • ==6.13
  • =<7.0.*
  • =<*
  • <34b3eef48d980cd37b876e128bbf314f69fb5d70
  • <6.12.91
  • <6.12
  • =<6.12.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Fix abuse of kprobe_write_ctx via freplace

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobe_write_ctx via freplace uprobe programs are allowed to modify struct pt_regs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct pt_regs via kprobe+freplace when the kprobe attaches to kernel functions. For example, SEC("?kprobe") int kprobe(struct pt_regs *regs) { return 0; } SEC("?freplace") int freplace_kprobe(struct pt_regs *regs) { regs->di = 0; return 0; } freplace_kprobe prog will attach to kprobe prog. kprobe prog will attach to a kernel function. Without this patch, when the kernel function runs, its first arg will always be set as 0 via the freplace_kprobe prog. To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow attaching freplace programs on kprobe programs with different kprobe_write_ctx values.

Affected products

Linux
  • <9836cadbd96c7e0dbb0018fa60e7872dd31ac4f8
  • =<6.18.*
  • <b312cf41b9e43f442613053f6cad39898e1baf96
  • =<7.0.*
  • ==6.18
  • =<*
  • <611fe4b79af72d00d80f2223354284447daafae9
  • <6.18
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13021
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 …

Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: bcmgenet: fix leaking free_bds

In the Linux kernel, the following vulnerability has been resolved: net: bcmgenet: fix leaking free_bds While reclaiming the tx queue we fast forward the write pointer to drop any data in flight. These dropped frames are not added back to the pool of free bds. We also need to tell the netdev that we are dropping said data.

Affected products

Linux
  • <3f3168300efb839028328d720ab3962f91d6a0d0
  • <6.15
  • <3c3abbcfa05bad17965498ff7cc94c2418fa94b3
  • =<6.18.*
  • <ac4a29c331ecb5b10240c44247a8e010c95bc15b
  • <52b9f80993698138b90e5ca3a72550a2501f2a96
  • =<7.0.*
  • <150d06aae1839a6564ab200ef0e7291c3528bbb0
  • ==6.15
  • =<*
  • <25ff3a3e47ea635ec08dc93e84dd2bfe15abfebb
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
block: fix zones_cond memory leak on zone revalidation error paths

In the Linux kernel, the following vulnerability has been resolved: block: fix zones_cond memory leak on zone revalidation error paths When blk_revalidate_disk_zones() fails after disk_revalidate_zone_resources() has allocated args.zones_cond, the memory is leaked because no error path frees it.

Affected products

Linux
  • <29153d128384fa7c48a8ca8d34094b1cbe2d5bdc
  • <2a2f520fda824b5a25c93f2249578ea150c24e06
  • =<7.0.*
  • <6.19
  • =<*
  • ==6.19
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
usb: typec: Fix error pointer dereference

In the Linux kernel, the following vulnerability has been resolved: usb: typec: Fix error pointer dereference The variable tps->partner is checked for an error pointer and then if it is, it sends an error message but does not return and then immediately dereferenced a few lines below: tps->partner = typec_register_partner(tps->port, &desc); if (IS_ERR(tps->partner)) dev_warn(tps->dev, "%s: failed to register partnet\n", __func__); if (desc.identity) { typec_partner_set_identity(tps->partner); cd321x->cur_partner_identity = st.partner_identity; } Add early return and fix spelling mistake in error message. Detected by Smatch: drivers/usb/typec/tipd/core.c:827 cd321x_update_work() error: 'tps->partner' dereferencing possible ERR_PTR()

Affected products

Linux
  • =<6.18.*
  • <f2529d08fcb429ea01bb87c326342f41483f8b2f
  • =<7.0.*
  • <9e31082f92c913d74fefb4e60cd0284e605ba3a3
  • ==6.18
  • =<*
  • <19951118fb22b5ad512379ee64510fe0e2c40eb3
  • <6.18