Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
soc/tegra: cbb: Fix cross-fabric target timeout lookup

In the Linux kernel, the following vulnerability has been resolved: soc/tegra: cbb: Fix cross-fabric target timeout lookup When a fabric receives an error interrupt, the error may have occurred on a different fabric. The target timeout lookup was using the wrong base address (cbb->regs) with offsets from a different fabric's target map, causing a kernel page fault. Unable to handle kernel paging request at virtual address ffff80000954cc00 pc : tegra234_cbb_get_tmo_slv+0xc/0x28 Call trace: tegra234_cbb_get_tmo_slv+0xc/0x28 print_err_notifier+0x6c0/0x7d0 tegra234_cbb_isr+0xe4/0x1b4 Add tegra234_cbb_get_fabric() to look up the correct fabric device using fab_id, and use its base address for accessing target timeout registers.

Affected products

Linux
  • =<*
  • ==6.17
  • =<7.0.*
  • <a5f51b04cbb3ae0f9cb2c4488952b775ebb0ccbf
  • =<6.18.*
  • <c892d0d4fe5ec05d3fdfb1616c3c0e3c12ef5abc
  • <8445d69a5cabd8d6cb2bf0f8b798be205f53afa2
  • <6.17
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison

In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'. Fix the loop condition to use '<' for consistency and correctness.

Affected products

Linux
  • =<6.6.*
  • =<*
  • <760ab35040aca8399021fdb9ff1db1089feb7194
  • <2.6.37
  • =<7.0.*
  • <1fb7f356547d9688822315cd2b205ff0bd5429b4
  • ==2.6.37
  • <d5403ae28085761d58b555645bc7d5feadb10073
  • <2a0673836f019e7c032acbf48d022d5ccf02a845
  • <c60a2710b73838d250cda57344c049b89abc5d52
  • =<5.15.*
  • =<6.18.*
  • <819d8ebad3200a53de99bd7e297bc428e41ced54
  • =<5.10.*
  • <426cd8eedac89b86148d4478990eeef16e8a2520
  • =<6.1.*
  • <01b61e8dda9b0fdb0d4cda43de25f4e390554d7b
  • =<6.12.*
Dismissed
(exclusively hosted service)
Permalink CVE-2026-57920
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (exclusively hosted service) suggestion
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of …

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.

Affected products

InControl
  • <2026-06-03
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
io_uring/napi: cap busy_poll_to 10 msec

In the Linux kernel, the following vulnerability has been resolved: io_uring/napi: cap busy_poll_to 10 msec Currently there's no cap on the maximum amount of time that napi is allowed to poll if no events are found, which can lead to kernel complaints on a task being stuck as there's no conditional rescheduling done within that loop. Just cap it to 10 msec in total, that's already way above any kind of sane value that will reap any benefits, yet low enough that it's nowhere near being able to trigger preemption complaints.

Affected products

Linux
  • =<*
  • <df8599ee18c0e5fe343ffe0b4c379636b8bb839a
  • <cb3af525f8dfb8930f0c123e5755fa967a12d5c1
  • =<7.0.*
  • <39767f944a8c9e696566c37ad5b20131406c4b8d
  • <6.9
  • =<6.18.*
  • ==6.9
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
usb: typec: ps883x: Fix Oops at unbind

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ps883x: Fix Oops at unbind When trying to unbind a device in order to bind to it vfio-platform as: echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind I get the following Oops: [ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 436.487762] Mem abort info: [ 436.490716] ESR = 0x0000000096000004 [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits [ 436.500071] SET = 0, FnV = 0 [ 436.503250] EA = 0, S1PTW = 0 [ 436.506505] FSC = 0x04: level 0 translation fault [ 436.511533] Data abort info: [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000 [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP [ 436.550374] Modules linked in: [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT [ 436.564440] Tainted: [W]=WARN [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025 [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94 [ 436.586605] lr : i2c_device_remove+0x28/0x84 [ 436.591017] sp : ffff8000847137c0 That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe. So, add i2c_set_clientdata() at the end of the probe.

Affected products

Linux
  • <37a3d1b6827783f26d2f8e6c7683e253ba79ae93
  • =<*
  • <6.15
  • ==6.15
  • =<7.0.*
  • =<6.18.*
  • <381133848a033c2086cf9cafb226f425bd0414ff
  • <c404d0ac0cb085cb7077ba32c334cc4042feb81a
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-48930
5.6 MEDIUM
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
A flaw in Node.js TLS hostname handling can cause Embedded-nul …

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Affected products

node
  • =<24.16.0
  • =<22.22.3
  • =<26.3.0
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
x86/kexec: Push kjump return address even for non-kjump kexec

In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Push kjump return address even for non-kjump kexec The version of purgatory code shipped by kexec-tools attempts to look above the top of its stack to find a return address for a kjump, even in a non-kjump kexec. After the commit in Fixes: the word above the stack might not be there, leading to a fault (which is at least now caught by my exception-handling code in kexec). That commit fixed things for the actual kjump path, but no longer "gratuitously" pushes the unused return address to the stack in the non-kjump path. Put that *back* in the non-kjump path, to prevent purgatory from crashing when trying to access it.

Affected products

Linux
  • <786a45757dcdf8f2beb9d4a6db605db16c18b2b4
  • <7dba9631faa2ee0785e8c2bf0e3d90a05f26dd8c
  • =<*
  • =<7.0.*
  • ==6.14
  • =<6.18.*
  • <6.14
  • <b0bd7a850e1f082560959707dbf57b0402071646
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done() Local sashiko review pointed it out that group->domain could be NULL when a default domain fails to allocate during the first probe, which can crash at domain->ops->attach_dev dereference in __iommu_attach_device() invoked by pci_dev_reset_iommu_done(). pci_dev_reset_iommu_prepare() is fine as an old_domain pointer can be NULL. Skip the re-attach in pci_dev_reset_iommu_done() to fix the bug.

Affected products

Linux
  • ==7.0
  • =<*
  • =<7.0.*
  • <17194cd0dd236e732d116d50840d795ca50ef196
  • <7.0
  • <d769711fcddd005f1e654b3bde547140917fe696
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-48928
4.2 MEDIUM
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
A inconsistency in Node.js hostname matching can cause a trust-policy …

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Affected products

node
  • =<24.16.0
  • =<22.22.3
  • =<26.3.0
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths In dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace(). Both functions check: if (!dc_dmub_srv || !dc_dmub_srv->dmub) and then call DC_LOG_ERROR() inside that block. DC_LOG_ERROR() uses dc_dmub_srv->ctx internally. So if dc_dmub_srv is NULL, the logging itself can dereference a NULL pointer and cause a crash. Fix this by splitting the checks. First check if dc_dmub_srv is NULL and return immediately. Then check dc_dmub_srv->dmub and log the error only when dc_dmub_srv is valid. Fixes the below: ../display/dc/dc_dmub_srv.c:962 dc_dmub_srv_log_diagnostic_data() error: we previously assumed 'dc_dmub_srv' could be null (see line 961) ../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_enable_dpia_trace() error: we previously assumed 'dc_dmub_srv' could be null (see line 1166)

Affected products

Linux
  • =<*
  • <4ae3e16f4b3bf64140f773629b765d605ee079a9
  • =<7.0.*
  • <b37a978e6d8c33fbfa4abc5dcca4c7cfc6d01f22
  • <5.14
  • ==5.14