Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • <96dca51715d86559ed6ed8028e5445cecb80f3ae
  • =<6.12.*
  • <77a853aec710b2fdf41fa298ea3cbc9a4358f917
  • ==5.7
  • =<7.0.*
  • <42776497cdbc9a665b384a6dcb85f0d4bd927eab
  • <5501d055a1ce3c747141e3955ba8cf034d193f3e
  • =<*
  • <5.7
  • <330b20ec97916961ee0e6c29c06bc0fa7c96e64c
  • <0ccd75c51f620374086f359e906917676e699a1c
  • <fe1188abdae9b7a8199dcdfcf9244d5e5d61eb14
  • <dc89961b76f12aff47124c1df4bdb32a080f4d0c
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
xfrm: espintcp: do not reuse an in-progress partial send

In the Linux kernel, the following vulnerability has been resolved: xfrm: espintcp: do not reuse an in-progress partial send espintcp keeps a single in-flight transmit in ctx->partial. Before building a new sk_msg, espintcp_sendmsg() first tries to flush that state through espintcp_push_msgs(). For blocking callers, espintcp_push_msgs() may return success even when the previous partial send is still pending. espintcp_sendmsg() would then reinitialize emsg->skmsg and reuse ctx->partial while the old transfer still owns that state. Do not rebuild the send message when ctx->partial is still in progress. If espintcp_push_msgs() returns with emsg->len still set, fail the new send instead of overwriting the live partial state. This is a memory-safety fix: reusing the live partial-send state can leave a stale offset attached to a new sk_msg and lead to an out-of- bounds read in the send path. tcp_sendmsg_locked() already handles waiting for send buffer memory, so the fix here is just to preserve espintcp's one-message-at-a-time transmit state.

Affected products

Linux
  • <8c6c691bf062dc0753a139a4ab8cb92a70fcf8f3
  • <aa82a078f70f7ff88ba7d1017134e79d1ac140f2
  • =<5.15.*
  • =<6.1.*
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • <6564e9c7af7e1dc7bfe7f3093b728abe484d7630
  • <ba21439302db9a82fe4edbed1e38a97271529421
  • =<*
  • <1777ceac4bea5e568a5ad44b7f9bb219c1db21b6
  • <c381039ade2e161ab08c0eda73c4f8b9a7115928
  • <37487d55bf3300e3d2c1368da5c2bd3e3834ea4f
  • <5.6
  • ==5.6
  • <f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13034
4.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 …

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
dm cache: fix dirty mapping checking in passthrough mode switching

In the Linux kernel, the following vulnerability has been resolved: dm cache: fix dirty mapping checking in passthrough mode switching As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), dm-cache assumed table reload occurs after suspension, while LVM's table preload breaks this assumption. The dirty mapping check for passthrough mode was designed around this assumption and is performed during table creation, causing the check to fail with preload while metadata updates are ongoing. This risks loading dirty mappings into passthrough mode, resulting in data loss. Reproduce steps: 1. Create a writeback cache with zero migration_threshold to produce dirty mappings dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \ 2 migration_threshold 0" 2. Preload a table in passthrough mode dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" 3. Write to the first cache block to make it dirty fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \ --direct=1 --size=64k 4. Resume the inactive table. Now it's possible to load the dirty block into passthrough mode. dmsetup resume cache Fix by moving the checks to the preresume phase to support table preloading. Also remove the unused function dm_cache_metadata_all_clean.

Affected products

Linux
  • <12105c7f18375d7615dad7605d89eadae7eb12a6
  • =<6.1.*
  • <1443c32f24d6d8bcdf4beceef2afc09290b98717
  • <322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8
  • =<5.15.*
  • =<6.18.*
  • <3.13
  • =<6.12.*
  • <5c98a3f1d7a554c9e920aa31daf92af6b5bbb8cc
  • =<7.0.*
  • <c2e86f647561fcf5e1c6eba7d75e9e0c4299c94d
  • <01b22656d8a68dbeae59f8b80866e7b11936b20a
  • ==3.13
  • =<*
  • <bd5a2c1018938e6b32670728bdb32a3f0efff00f
  • <21c503d60a257e54ca3ac58e2721bd24501d5bde
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()

In the Linux kernel, the following vulnerability has been resolved: amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() On failure to set the epp, the function amd_pstate_epp_cpu_init() returns with an error code without freeing the cpudata object that was allocated at the beginning of the function. Ensure that the cpudata object is freed before returning from the function. This memory leak was discovered by Claude Opus 4.6 with the aid of Chris Mason's AI review-prompts (https://github.com/masoncl/review-prompts/tree/main/kernel).

Affected products

Linux
  • <539aabbab190825c77eb455ec35652cb3720625f
  • <7f9aa2359742eaa6ea65ec0d20dafdfd0add9b8b
  • =<6.18.*
  • =<7.0.*
  • <beda3b363546a423e4e29a7395e04c0ac4ff677e
  • <6.14
  • =<*
  • ==6.14
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
s390/ap: use generic driver_override infrastructure

In the Linux kernel, the following vulnerability has been resolved: s390/ap: use generic driver_override infrastructure When the AP masks are updated via apmask_store() or aqmask_store(), ap_bus_revise_bindings() is called after ap_attr_mutex has been released. This calls __ap_revise_reserved(), which accesses the driver_override field without holding any lock, racing against a concurrent driver_override_store() that may free the old string, resulting in a potential UAF. Fix this by using the driver-core driver_override infrastructure, which protects all accesses with an internal spinlock. Note that unlike most other buses, the AP bus does not check driver_override in its match() callback; the override is checked in ap_device_probe() and __ap_revise_reserved() instead. Also note that we do not enable the driver_override feature of struct bus_type, as AP - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n". Additionally, AP has a custom counter that is modified in the corresponding custom driver_override_store().

Affected products

Linux
  • =<7.0.*
  • <6.19
  • <8f2eca0570438b94602da1297353eb7b10dcb6cb
  • =<*
  • <81d6f7c3a70b10ff757ee8b5f8114a190871cf1e
  • ==6.19
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net_sched: fix skb memory leak in deferred qdisc drops

In the Linux kernel, the following vulnerability has been resolved: net_sched: fix skb memory leak in deferred qdisc drops When the network stack cleans up the deferred list via qdisc_run_end(), it operates on the root qdisc. If the root qdisc do not implement the TCQ_F_DEQUEUE_DROPS flag the packets queue to free are never freed and gets stranded on the child's local to_free list. Fix this by making qdisc_dequeue_drop() aware of the root qdisc. It fetches the root qdisc and check for the TCQ_F_DEQUEUE_DROPS flag. If the flag is present, the packet is appended directly to the root's to_free list. Otherwise, drop it directly as it was done before the optimization was implemented.

Affected products

Linux
  • <6.19
  • =<7.0.*
  • <bf26ad92ffda7884825d67b46bd5efe615c3babf
  • =<*
  • ==6.19
  • <a6bd339dbb3514bce690fdcf252e788dfab4ee76
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/rds: Restrict use of RDS/IB to the initial network namespace

In the Linux kernel, the following vulnerability has been resolved: net/rds: Restrict use of RDS/IB to the initial network namespace Prevent using RDS/IB in network namespaces other than the initial one. The existing RDS/IB code will not work properly in non-initial network namespaces.

Affected products

Linux
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <b6a54f5e9ce9b97ae641855378d71c5154a085c0
  • <07035306bf722f4676a1aee35cbeb3732c76194e
  • <ebf71dd4aff46e8e421d455db3e231ba43d2fa8a
  • =<7.0.*
  • <fb407343c0c16e94584707b2dfdd350a5f81b000
  • <3e7f14cd5a51533404e1ae4809caab46073fb5c7
  • <c244b79adffad89a5173cf8bfaa06a6b40bbd09b
  • ==4.3
  • =<*
  • <3174fc703d081d2ca538b22fba734e3ad5b52322
  • <4.3
  • =<5.10.*
  • <a7494479757d60d2413bfaa087f8431a26eea032
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nf_conntrack_sip: don't use simple_strtoul

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: don't use simple_strtoul Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request() with a new sip_parse_port() helper that validates each digit against the buffer limit, eliminating the use of simple_strtoul() which assumes NUL-terminated strings. The previous code dereferenced pointers without bounds checks after sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated skb data. A port that reaches the buffer limit without a trailing character is also rejected as malformed. Also get rid of all simple_strtoul() usage in conntrack, prefer a stricter version instead. There are intentional changes: - Bail out if number is > UINT_MAX and indicate a failure, same for too long sequences. While we do accept 05535 as port 5535, we will not accept e.g. 'sip:10.0.0.1:005060'. While its syntactically valid under RFC 3261, we should restrict this to not waste cycles when presented with malformed packets with 64k '0' characters. - Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch 'expire=' and 'rports='; both are expected to use base-10. - In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k range. - epaddr_len now returns 0 if the port is invalid, as it already does for invalid ip addresses. This is intentional. nf_conntrack_sip performs lots of guesswork to find the right parts of the message to parse. Being stricter could break existing setups. Connection tracking helpers are designed to allow traffic to pass, not to block it. Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.

Affected products

Linux
  • =<6.1.*
  • ==2.6.26
  • =<5.15.*
  • =<6.18.*
  • <9c6afcb1c3cbb2c0da65b8515ac14d7273872f84
  • =<7.0.*
  • <b3264c977e79d8a25778d4fd11520f00fea1329c
  • <8cd0358379570003659186706e077929d6930c40
  • <2.6.26
  • <7df9863bf538a626e8a684e59cb2c43eac0ef3c8
  • =<*
  • <9f69c323ae0ab517e595c2cc74e0ae0d9d085611
  • <8cf6809cddcbe301aedfc6b51bcd4944d45795f6
  • <523762e3b6933fff81f01dfa3c60c0774044cdab
  • =<6.12.*
  • =<5.10.*
  • <ea2ecd29b8f4433e52607192ca91084f95787ca0
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
libceph: Fix potential out-of-bounds access in crush_decode()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in crush_decode() A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing. This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().

Affected products

Linux
  • =<6.18.*
  • <5.15.209
  • <6e70ef53e818c53eab28d7b0026b7fd03dddaba5
  • =<7.0.*
  • <ea0d42137f0c06da71e37ffc647aab4c5309599a
  • <5.10.258
  • =<6.1.*
  • <6.18.33
  • <4c79fc2d598694bda845b46229c9d48b65042970
  • <7.0.10
  • <fb176a99e4c1a5a8448a83d83d3606203ba81faa
  • <ebe76d58a48a48031b98543d86c4cd30a825b622
  • <6.1.175
  • <6.6.141
  • <0f3604cbe4df14c5e58288ac9f57511e726a222d
  • =<5.15.*
  • =<*
  • <6.12.91
  • <cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5
  • =<6.12.*
  • =<5.10.*
  • <3f42508191e129ee6b5ea96578d5cab14f2a013a
  • =<6.6.*