Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: serialize accept_q access

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: serialize accept_q access bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import. Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket.

Affected products

Linux
  • =<5.15.*
  • <d9ce4de05df2385c19e2c7d12f529144e1a44af1
  • =<6.18.*
  • =<6.12.*
  • =<5.10.*
  • =<7.0.*
  • <e83f5e24da741fa9405aeeff00b08c5ee7c37b88
  • <a218bf69eb51fefe59a3976fa8925261141f681c
  • <be43e6b4043113c3b3cf887c3c8350f67140274c
  • <2.6.12
  • =<*
  • ==2.6.12
  • <41c8c1c7923e86e0eb59cfb4279349112756a336
  • <85f8674cae82053f1e6bab295f6a8422cca14db5
  • <8b4c412e001b0c670eb937beab491af974da55b3
  • =<6.1.*
  • <4ec17782fd186f901a7329605d11048b085b945a
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
af_unix: Reject SIOCATMARK on non-stream sockets

In the Linux kernel, the following vulnerability has been resolved: af_unix: Reject SIOCATMARK on non-stream sockets SIOCATMARK reports whether the receive queue is at the urgent mark for MSG_OOB. In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), so they should not support SIOCATMARK either. Return -EOPNOTSUPP for non-stream sockets before checking the receive queue.

Affected products

Linux
  • =<6.18.*
  • <d119775f2bad827edc28071c061fdd4a91f889a5
  • =<7.0.*
  • <5.15
  • <c34c41446acf6c0d13b5b06c809be11e0f7f2729
  • =<*
  • <3147ddf5a41c20c45c2eb69e00b62f10f822056a
  • <645b1ed3259af38b7814242a420bc2081bdd1eb6
  • =<6.12.*
  • ==5.15
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ASoC: qcom: qdsp6: topology: check widget type before accessing data

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: topology: check widget type before accessing data Check widget type before accessing the private data, as this could a virtual widget which is no associated with a dsp graph, container and module. Accessing witout check could lead to incorrect memory access.

Affected products

Linux
  • =<6.18.*
  • <8e8cd78b6000c9d19db249a5a68287158f288ef3
  • <a1a24d4b8c9682f9b7a9138f636ff004c721aef1
  • ==5.16
  • =<6.12.*
  • <6d2491a585202a967ed91f30ec5960024f2536d0
  • =<7.0.*
  • <1ac96689ce2984f4f6ef8892fcb65da377408421
  • =<*
  • <5.16
  • <d5bfdd28e0cdd45043ae6e0ac168a451d59283dc
  • <296810e91f21a21794886c57f954495d8afd7f32
  • =<6.1.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()

In the Linux kernel, the following vulnerability has been resolved: i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers() The xfer structure allocated by renesas_i3c_alloc_xfer() was never freed in the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup attribute to automatically free the memory when the variable goes out of scope.

Affected products

Linux
  • <6.17
  • =<6.18.*
  • =<7.0.*
  • =<*
  • <1b6a7e94be678d34a9ccb9db7e2443ae02ad2bc8
  • <d7665c3b4f575251e449e2656879392346ca612b
  • <ab8f00ffcca0f618fb8198d358f24728950d9860
  • ==6.17
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13032
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Use after free in WebGL in Google Chrome on Android …

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: mt76: Fix memory leak destroying device

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak destroying device All MT76 rx queues have an associated page_pool even if the queue is not associated to a NAPI (e.g. WED RRO queues with WED enabled). Destroy the page_pool running mt76_dma_cleanup routine during module unload. Moreover returns pages to the page pool if WED is not enabled for WED RRO queues.

Affected products

Linux
  • =<6.18.*
  • <6b470f36616e3448d44b0ef4b1de2a3e3a31b5be
  • ==6.8
  • =<7.0.*
  • <4b7c92fd8b8700fac387ff43c6f6e0c4e05ec93f
  • =<*
  • <6.8
  • <dcbc13d19bef3326c72f324b10f5a3e5fc4d71de
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netdevsim: zero initialize struct iphdr in dummy sk_buff

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Affected products

Linux
  • <6e2cfd0904976e701d7a76b86b694e72af230ab0
  • <978ca6ff789f1f19c03288ac20cc1f4774e88490
  • =<6.1.*
  • =<5.15.*
  • <750d0091bebf44975421268d37484ef87060d263
  • =<6.18.*
  • =<6.12.*
  • <bc6002865e8c4fcf9e94975f7cf023448d8764e2
  • <35eaa6d8d6c2ee65e96f507add856e0eacf24591
  • =<7.0.*
  • <175556c049eaec14efde8c6475e763b7579b9de7
  • <5.4
  • =<*
  • <1b7b6ae0e93b8d512e208b1378d74af052e4f4e7
  • <818f7673ed7f4a29d4b9cee8184c47d6e57162b4
  • =<5.10.*
  • ==5.4
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.

Affected products

Linux
  • =<7.0.*
  • <7.0.10
  • <821365487aa58d06bda65c676ba215d506ba9768
  • <c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
vdpa: use generic driver_override infrastructure

In the Linux kernel, the following vulnerability has been resolved: vdpa: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Affected products

Linux
  • <fb5cb4913ce333cc4647722e8c2b8378e12f2464
  • =<6.18.*
  • <654ef9c33e138ede6734ac286282df9faf83cd11
  • =<7.0.*
  • <85bb534ff12aab6916058897b39c748940a7a4c6
  • ==5.17
  • =<*
  • <5.17
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ice: fix potential NULL pointer deref in error path of ice_set_ringparam()

In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

Affected products

Linux
  • <fa28351f970fa5138c7c5dedfe5dea480a0ee065
  • <c54e3c270384829336b2526033d44ce1aa6dc67c
  • =<7.0.*
  • ==6.18
  • =<*
  • <6.18