Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
crypto: eip93 - fix hmac setkey algo selection

In the Linux kernel, the following vulnerability has been resolved: crypto: eip93 - fix hmac setkey algo selection eip93_hmac_setkey() allocates a temporary ahash transform for computing HMAC ipad/opad key material. The allocation uses the driver-specific cra_driver_name (e.g. "sha256-eip93") but passes CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms. Since the EIP93 hash algorithms are the only ones registered under those driver names and they are inherently async, the lookup is self-contradictory and always fails with -ENOENT. When called from the AEAD setkey path, this failure leaves the SA record partially initialized with zeroed digest fields. A subsequent crypto operation then dereferences a NULL pointer in the request context, resulting in a kernel panic: ``` pc : eip93_aead_handle_result+0xc8c/0x1240 [crypto_hw_eip93] lr : eip93_aead_handle_result+0xbec/0x1240 [crypto_hw_eip93] sp : ffffffc082feb820 x29: ffffffc082feb820 x28: ffffff8011043980 x27: 0000000000000000 x26: 0000000000000000 x25: ffffffc078da0bc8 x24: 0000000091043980 x23: ffffff8004d59e50 x22: ffffff8004d59410 x21: ffffff8004d593c0 x20: ffffff8004d593c0 x19: ffffff8004d4f300 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000007fda7aa498 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: fffffffff8127a80 x9 : 0000000000000000 x8 : ffffff8004d4f380 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000008 x3 : 0000000000000009 x2 : 0000000000000008 x1 : 0000000028000003 x0 : ffffff8004d388c0 Code: 910142b6 f94012e0 f9002aa0 f90006d3 (f9400740) ``` The reported symbol eip93_aead_handle_result+0xc8c is a resolution artifact from static functions being merged under the nearest exported symbol. Decoding the faulting sequence: ``` 910142b6 ADD X22, X21, #0x50 f94012e0 LDR X0, [X23, #0x20] f9002aa0 STR X0, [X21, #0x50] f90006d3 STR X19, [X22, #0x8] f9400740 LDR X0, [X26, #0x8] ``` The faulting LDR at [X26, #0x8] is loading ctx->flags (offset 8 in eip93_hash_ctx), where ctx has been resolved to NULL from a partially initialized or unreachable transform context following the failed setkey. Fix this by dropping the CRYPTO_ALG_ASYNC mask from the crypto_alloc_ahash() call. The code already handles async completion correctly via crypto_wait_req(), so there is no requirement to restrict the lookup to synchronous algorithms. Note that hashing a single 64-byte block through the hardware is likely slower than doing it in software due to the DMA round-trip overhead, but offloading it may still spare CPU cycles on the slower embedded cores where this IP is found. [Detailed investigation report of this bug]

Affected products

Linux
  • <fc9310d79fdb117b369a01eb00f4fd5fb4849d4e
  • =<*
  • <6.15
  • ==6.15
  • =<7.0.*
  • =<6.18.*
  • <ec226d3e58bb9f0e26a77346085b6b4d594d53d8
  • <3ba3b02f897b14e34977e1886d95ffe64d907204
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
mailbox: add sanity check for channel array

In the Linux kernel, the following vulnerability has been resolved: mailbox: add sanity check for channel array Fail gracefully if there is no channel array attached to the mailbox controller. Otherwise the later dereference will cause an OOPS which might not be seen because mailbox controllers might instantiate very early. Remove the comment explaining the obvious while here.

Affected products

Linux
  • <9dd7489943324298bb0f385495795a82f1dd6507
  • =<6.6.*
  • =<*
  • <14aed0d4e58389cc6a88acf8610b12d3e476272b
  • <c1aad75595fb67edc7fda8af249d3b886efa1be9
  • =<7.0.*
  • =<6.12.*
  • <5cc3300fab262b26c28bc2fc06df693410c3840b
  • =<6.18.*
  • <3.18
  • =<5.15.*
  • <0f11444271110d9b5bc6316a153c6431abda899c
  • <d44872a569b8fbacde457ff2587a775e5004bb79
  • =<5.10.*
  • ==3.18
  • =<6.1.*
  • <6362c4a7d7e21e68cd9aa04df7cde16befba3a4b
  • <37792091ab28ba030fd8d61184c47d4d51294170
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly. If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, this lead to a NULL pointer dereference or refcount corruption. If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt. Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain. Fix it by returning early if dev_pasid is NULL, before executing the teardown operations. Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com

Affected products

Linux
  • <6.13
  • =<*
  • ==68ec78beb4a3fb0877cbaaf49758c85410c05977
  • <cdfe3c9f2c9e28a8651ee463c88ad191ced2f840
  • <9022cb9ac0c2a72a57fa8ebf92ac74f953ca0153
  • =<7.0.*
  • ==6.14
  • <79ea2feb917b05366b49d85573c9c5331f043b2c
  • =<6.18.*
  • <6.14
  • ==df96876be3b064aefc493f760e0639765d13ed0d
  • <6.14
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
pinctrl: pinconf-generic: Fully validate 'pinmux' property

In the Linux kernel, the following vulnerability has been resolved: pinctrl: pinconf-generic: Fully validate 'pinmux' property The pinconf_generic_parse_dt_pinmux() assumes that the 'pinmux' property is not empty when present. This might be not true. With that, the allocator will give a special value in return and not NULL which lead to the crash when trying to access that (invalid) memory. Fix that by fully validating 'pinmux' value, including its length.

Affected products

Linux
  • =<*
  • <6.15
  • ==6.15
  • =<7.0.*
  • <b7842b722169359e7ffe4b838d2496e9e72ac996
  • =<6.18.*
  • <6476aac13805721e16439bd71f0e1703a4154517
  • <c98324ea7849b6e5baa1774f71709b375a2c2f9e
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-48936
3.3 LOW
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
A flaw in Node.js Permission API can cause a local …

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

Affected products

node
  • =<26.3.0
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-48618
7.7 HIGH
  • CVSS version (CVSS): 3.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
A flaw in Node.js TLS hostname handling can cause Node.js …

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Affected products

node
  • =<24.16.0
  • =<22.22.3
  • =<26.3.0
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
arm_mpam: Check whether the config array is allocated before destroying it

In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Check whether the config array is allocated before destroying it __destroy_component_cfg() is called to free the configuration array. It uses the embedded 'garbage' structure, which means the array has to be allocated. If __destroy_component_cfg() is called from mpam_disable() before the configuration was ever allocated, then a NULL pointer is dereferenced. Check for this case and return early if the configuration is not allocated. __destroy_component_cfg() also frees the mbwu_state as this is allocated by __allocate_component_cfg(). As the mbwu_state is allocated after comp->cfg is set, and is also under mpam_list_lock, only the first pointer needs checking.

Affected products

Linux
  • ==6.19
  • <8eb6dc76eeae5302c0d885906a0e469ef9630a59
  • =<*
  • =<7.0.*
  • <6.19
  • <6ccbb613b42a1f1ba7bfd547a148f644a902a25c
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
power: supply: max77705: Free allocated workqueue and fix removal order

In the Linux kernel, the following vulnerability has been resolved: power: supply: max77705: Free allocated workqueue and fix removal order Use devm interface for allocating workqueue to fix two bugs at the same time: 1. Driver leaks the memory on remove(), because the workqueue is not destroyed. 2. Driver allocates workqueue and then registers interrupt handlers with devm interface. This means that probe error paths will not use a reversed order, but first destroy the workqueue and then, via devm release handlers, free the interrupt. The interrupt handler schedules work on this exact workqueue, thus if interrupt is hit in this short time window - after destroying workqueue, but before devm() frees the interrupt - the schedulled work will lead to use of freed memory. Change is not equivalent in the workqueue itself: use non-legacy API which does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is used to update power supply (power_supply_changed()) status, thus there is no point to run it for memory reclaim. Note that dev_name() is not directly used in second argument to prevent possible unlikely parsing any "%" character in device name as format.

Affected products

Linux
  • =<*
  • <b98e4e57e34d099a8f846fa54749654082975ea0
  • <6.15
  • ==6.15
  • <1e668baadefb16e81269dbfebf3ffc2672e3a3bb
  • =<7.0.*
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: mana: Guard mana_remove against double invocation

In the Linux kernel, the following vulnerability has been resolved: net: mana: Guard mana_remove against double invocation If PM resume fails (e.g., mana_attach() returns an error), mana_probe() calls mana_remove(), which tears down the device and sets gd->gdma_context = NULL and gd->driver_data = NULL. However, a failed resume callback does not automatically unbind the driver. When the device is eventually unbound, mana_remove() is invoked a second time. Without a NULL check, it dereferences gc->dev with gc == NULL, causing a kernel panic. Add an early return if gdma_context or driver_data is NULL so the second invocation is harmless. Move the dev = gc->dev assignment after the guard so it cannot dereference NULL.

Affected products

Linux
  • =<*
  • =<7.0.*
  • =<6.18.*
  • ==5.16
  • <50271d7ec95144d26808025b508f463780517d3c
  • <bbe5c3c570645a4ceb120979d3ee203a1583d775
  • <a1ddfd2c0b7a48e5239fadd2a24cc4bc2cda90e6
  • <5.16
Dismissed
(max. allowed matches exceeded)
created 2 weeks, 6 days ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
fuse: fix uninit-value in fuse_dentry_revalidate()

In the Linux kernel, the following vulnerability has been resolved: fuse: fix uninit-value in fuse_dentry_revalidate() fuse_dentry_revalidate() may be called with a dentry that didn't had ->d_time initialised. The issue was found with KMSAN, where lookup_open() calls __d_alloc(), followed by d_revalidate(), as shown below: ===================================================== BUG: KMSAN: uninit-value in fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 d_revalidate fs/namei.c:1030 [inline] lookup_open fs/namei.c:4405 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x1614/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...] Uninit was created at: slab_post_alloc_hook mm/slub.c:4466 [inline] slab_alloc_node mm/slub.c:4788 [inline] kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4807 __d_alloc+0x55/0xa00 fs/dcache.c:1740 d_alloc_parallel+0x99/0x2740 fs/dcache.c:2604 lookup_open fs/namei.c:4398 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x135f/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...] =====================================================

Affected products

Linux
  • =<*
  • =<7.0.*
  • =<6.18.*
  • <3ac9117ba3deab8a5dd22847355f861686f4bee7
  • ==6.16
  • <6.16
  • <da3d241c5b925f17a9d8051d7a9e0d454d8e01f6
  • <5a6baf204610589f8a5b5a1cd69d1fe661d9d3cd