Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nft_ct: bail out on template ct in get eval

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: bail out on template ct in get eval I noticed this issue while looking at a historic syzbot report [1]. A rule like the one below is enough to trigger the bug: table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } } The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers. Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack. [1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c

Affected products

Linux
  • ==4.1
  • =<6.18.*
  • =<6.6.*
  • =<7.0.*
  • =<6.12.*
  • <f071b0bf078146368d18e4eec386bf2ddc0ab7e0
  • <8470f676eadeab99132708acb1a85915664d6115
  • <3027ecbdb5fdf9200251c21d4818e4c447ef78e1
  • <2e154b5f53f1b0b490c7b8b02499f90feb86b1d5
  • <af80f78ce984649e1698b841cd33f4fa505ad828
  • <4.1
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ptp: ocp: fix resource freeing order

In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix resource freeing order Commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events") added a call to ptp_disable_all_events() which changes the configuration of pins if they support EXTTS events. In ptp_ocp_detach() pins resources are freed before ptp_clock_unregister() and it leads to use-after-free during driver removal. Fix it by changing the order of free/unregister calls. To avoid irq handler running on the other core while ptp device unregistering, call synchronize_irq() after HW is configured to stop producing irqs and no irqs are in-flight.

Affected products

Linux
  • <6.18
  • =<7.0.*
  • ==6.18
  • <aa03698bb28d3be5ee180adb185395054b342b04
  • <627366c51145a07f675b1800fb5ea2ec960bd900
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: bridge: make ebt_snat ARP rewrite writable

In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: make ebt_snat ARP rewrite writable The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a. However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data: skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it. Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits().

Affected products

Linux
  • <153ea96c806aea395daba907a4f88480b6ad5093
  • =<6.6.*
  • ==b7d23c2c87584eb429f115c078ed511be8b18e29
  • <bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87
  • <5.5
  • ==5.10
  • ==51ba2945a8ef65ae437c8f9ba05f0343aa82ae5b
  • =<6.18.*
  • <5.10
  • <c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5
  • <5.10
  • =<5.10.*
  • =<*
  • =<6.1.*
  • ==2f3839075a5f8dcf116c1abe35b36b018ac62445
  • <afd64b59c3de9bbbdd3759e834fdc55cda716e0b
  • <b7e91939ba9be805a62a257fa4e227dffbb88fa0
  • <76280b78cc9f23bdc6438e10ad6dff148ef8375b
  • <b18675263db1147c8e1cab625400c13a0d87bd2d
  • <67ba971ae02514d85818fe0c32549ab4bfa3bf49
  • =<5.15.*
  • =<6.12.*
  • <5.9
  • =<7.0.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header. img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically. Fix by rejecting images where img_header->Length exceeds the available destination space.

Affected products

Linux
  • <294692d3296eee3391c348d7ea6401916d27806c
  • ==2.6.12
  • =<5.10.*
  • =<6.1.*
  • <0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae
  • =<6.18.*
  • =<6.6.*
  • <3e187152f44d76d7633a3855ffd0099e1588b82a
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <2fd64bf0ad66ab5de0c73524591d879427ba5aba
  • <2.6.12
  • <130d6567eb148040eed1b73e1414ad6c27d22bd5
  • <5a79b634ee58786ca627268daefa7744f2af2e14
  • <4cb722747ed25971f35cc47ce5c0e79d7f717713
  • <b7faf660eefa2047ebc2959ff76da2b6eae2e9e3
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() There is an bug in which an uninitialized stack variable is used in rseq_exit_user_update() as reported by syzbot: BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline] The local variable: struct rseq_ids ids = { .cpu_id = task_cpu(t), .mm_cid = task_mm_cid(t), .node_id = cpu_to_node(ids.cpu_id), }; According to the C standard, the evaluation order of expressions in an initializer list is indeterminately sequenced. The compiler (Clang, in this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before* `ids.cpu_id` is initialized with `task_cpu(t)`. This is fixed by moving the assignment of ids.node_id outside the structure initialization.

Affected products

Linux
  • <7.0.13
  • <e12d20a63b61aaf9de4772effccf42cc9a003e58
  • <6d99479799c69c3cb588fcda19c81d8f61d64ecd
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit: 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent(). 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS. 3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list. The resulting use-after-free manifests as: pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388 Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.

Affected products

Linux
  • =<5.10.*
  • =<6.18.*
  • <ecea4967c2bff92c2fafbc59893f711b39f7b152
  • =<6.1.*
  • <c6e5c2be09f814377d7f1ce97370a5b7b3e02814
  • <e85eb5feca8e254905ffa6c57a3c99c89a674a0f
  • =<6.6.*
  • <e1e3a05efe5954d5bad01157d79429d39a67a7ae
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <df08fadcf0e5f3708365ec3b6d30b5aafd98bea1
  • <d42679eef34dd590b694ce3b666c5e2ba10cd4bf
  • <5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c
  • <fbe0947420eec18a84638d29468c2d563ce4e6a3
  • ==5.1
  • <5.1
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace. Zero the second register before the memcpy so the full declared span is written.

Affected products

Linux
  • <c7d573551f9286100a055ef696cde6af54549677
  • =<6.18.*
  • <07acb9798477535933bd658ac9fa85b6cb10d995
  • <6.18
  • =<7.0.*
  • <f1e81d571e375d10e50e852223593493d98c1bac
  • ==6.18
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-55693
5.7 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Unreported (U)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Vim: Out-of-bounds Write in Spell File Word Count

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

Affected products

vim
  • ==< 9.2.0653
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
RDMA/srp: bound SRP_RSP sense copy by the received length

In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: bound SRP_RSP sense copy by the received length srp_process_rsp() copies sense data from rsp->data + resp_data_len, where resp_data_len is the full 32-bit value supplied by the SRP target and is never checked against the number of bytes actually received (wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so at most 96 bytes are copied, but the source offset is not bounded. A malicious or compromised SRP target on the InfiniBand/RoCE fabric that the initiator has logged into can return an SRP_RSP with SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer is allocated at the target-chosen max_ti_iu_len, so the source of the sense copy lands past the bytes actually received; with resp_data_len near 0xFFFFFFFF it is gigabytes past the buffer and the read faults. Copy the sense data only if it has not been truncated, that is, only if the response header, the response data, and the sense region fit within the bytes actually received; otherwise drop the sense and log. The in-tree iSER and NVMe-RDMA receive paths already bound their parse by wc->byte_len; this brings ib_srp into line with them.

Affected products

Linux
  • ==2.6.15
  • =<6.18.*
  • <3523e53ff95f1837ec3f57ff7558532bcb2661b7
  • =<6.1.*
  • <f92a285db7ff6e598591ccbfb551be155c5f4d57
  • =<6.6.*
  • <0d64bc200ebe4f275b27438c6e593903e0b16fe1
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <2.6.15
  • <2015038195939eac54a1ee83c9d98ef1a8ccbbce
  • <ed77cc819ad631264787cade5ae5ec4c535ec6bb
  • <3889517c2ec7f364914aea8209abfff735f7ecde
  • <0b9ee09d5e849591f17d98c078033dadea967293
  • <13e91fd076306f5d0cdfa14f53d69e37274723c4
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() then locks the listener, queues a child socket on it, and may notify it after unlocking it. The buggy scenario involves two paths, with each column showing the order within that path: rfcomm_connect_ind(): listener close: 1. Find parent in 1. close() enters rfcomm_get_sock_by_channel() rfcomm_sock_release(). 2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown() without pinning parent. closes the listener. 3. Call lock_sock(parent) and 3. rfcomm_sock_kill() bt_accept_enqueue(parent, unlinks and puts parent. sk, true). 4. Read parent flags and may 4. parent can be freed. call sk_state_change(). If close wins the race, parent can be freed before rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the deferred-setup callback. Take a reference on the listener before leaving rfcomm_sk_list.lock. After lock_sock() succeeds, recheck that it is still in BT_LISTEN before queueing a child, cache the deferred-setup bit while the parent is locked, and drop the reference after the last parent use. KASAN reported a slab-use-after-free in lock_sock_nested() from rfcomm_connect_ind(), with the freeing stack going through rfcomm_sock_kill() and rfcomm_sock_release().

Affected products

Linux
  • ==2.6.12
  • <1f73f92f66251065a5f39b09a47cf05ea14d3107
  • =<5.10.*
  • =<6.1.*
  • =<6.18.*
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • <b0e33e409715c617e2a20f46f99aa5403a14dfda
  • =<7.0.*
  • <de31973ef00e5aa55496f84cf6a44bb157a34e02
  • <8802413ce63175fb522a2bd609fb043a3550c720
  • <2.6.12
  • <a07d741c077d4e34b16458241a94d29039386553
  • <f5ec76bdbeb80f75ad0be204371afffee0f8fac8
  • <43c441edacf953b39517a44f5e5e10a93618b226
  • <6f4462d12133106460d7c046b95aad2491e3fddf
  • =<*