Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
thunderbolt: Bound root directory content to block size

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Bound root directory content to block size __tb_property_parse_dir() does not check that content_offset + content_len fits within block_len for the root directory case. When rootdir->length equals or exceeds block_len - 2, the entry loop reads past the allocated property block. Add a bounds check after computing content_offset and content_len to reject directories whose content extends past the block.

Affected products

Linux
  • =<5.10.*
  • =<6.18.*
  • =<6.1.*
  • <b212bc161d8a9937b42153723a4a3f2f74fab528
  • <60ba6217460792356a238299edd675d91d46bab4
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • ==4.15
  • <65423079c7420e3dbf9a7aa345c243a3f5752e5d
  • <5c7657d38d07268124782f03519f07c22a5814fb
  • <4.15
  • <4d0b1524caadb04c10a71f3f88692c63dcb39115
  • <1912be23daf4afc8d24ce916021ab68ca4c679db
  • <0a32040a48db8cf35de48b85d6115df5623e4964
  • <cbeb68cbaa0a6f979ef428a7f2d0268c082ba166
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: phonet: free phonet_device after RCU grace period

In the Linux kernel, the following vulnerability has been resolved: net: phonet: free phonet_device after RCU grace period phonet_device_destroy() removes a phonet_device from the per-net device list with list_del_rcu(), but frees it immediately. RCU readers walking the same list can still hold a pointer to the object after it has been removed, leading to a slab-use-after-free. Use kfree_rcu(), matching the lifetime rule already used by phonet_address_del() for the same object type.

Affected products

Linux
  • =<6.18.*
  • <2.6.33
  • ==2.6.33
  • <bff309ea51f1395c1ef8be8b75ce62d28a319113
  • <52b8f5ef82c886f7cd24617915e4b1579ddfd001
  • =<7.0.*
  • <71de0177b28da751f407581a4515cf4d762f6296
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
thunderbolt: Limit XDomain response copy to actual frame size

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Limit XDomain response copy to actual frame size tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions. Use the minimum of frame size and expected response size for the copy length.

Affected products

Linux
  • <c55da494dfb445fb28df3a9d293c2be6a299cd01
  • =<6.18.*
  • <4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb
  • =<6.1.*
  • <a15b6d3136accb2bf84b04d9a3ddd991f7fbf1cb
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • ==4.15
  • <033dfa63bf6be2653441a1dccae4a8313a91bb9d
  • <fc261397295b8ad0654cec747b0ec25ea0011995
  • <b5daa920f44cb582272fc9bfaeb67408776cbaef
  • <4.15
  • <b2c1e5d9f1598cc1a4736d5c6bd1218f90805ee4
  • <7720654b4842bcdfeb64bc002f6186041849e1e7
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
USB: serial: kl5kusb105: fix bulk-out buffer overflow

In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.

Affected products

Linux
  • <60af1fd82983c26604102e63a3fcc822c186cceb
  • =<5.10.*
  • <70d86e355c564b5510fde61361df014f5476c83e
  • =<6.1.*
  • =<6.18.*
  • <0a57320f71941d4e0b1307453c9a1f0939afe666
  • =<6.6.*
  • <2.6.35
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <14147b7963685957839c76ba8094924e22777d79
  • <96d47e40bf9db4a9efd5c8fb53287a508d165f14
  • <a1288cd700f721c1a119c4f1e8efa234e59caada
  • <bde742b076cbe26ecc89c8c68c76ae076a524d02
  • ==2.6.35
  • <372f33ebed747d91870f57c0a2e62884a870bffa
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf netvsc_copy_to_send_buf() copies page buffer entries into the VMBus send buffer using phys_to_virt() on the entry PFN. Entries for the RNDIS header and the skb linear data come from kmalloc'd memory and are always in the kernel direct map, but entries for skb fragments reference page cache or user pages, which on 32-bit x86 with CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page phys_to_virt() returns an address outside the direct map and the subsequent memcpy() faults on the transmit softirq path, which is fatal. Map the pages with kmap_local_page() instead, handling two properties of the page buffer entries: - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity, not a native PFN. Reconstruct the physical address first and derive the native page from it, so the mapping stays correct where PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages). - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN grouping in the page buffer array"), an entry describes a full physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, while kmap_local_page() maps a single page. Copy page by page, splitting at native page boundaries. The copy path only handles packets smaller than the send section size (6144 bytes by default); larger packets take the cp_partial path where only the RNDIS header is copied. So entries here are bounded by the section size and a copy is split at most once on 4K-page systems. On !CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and no mapping work is added.

Affected products

Linux
  • =<6.18.*
  • =<6.1.*
  • <09b8a7aa5a341bb345dc492aac139525efa13515
  • <a82d4251918f37d9c5aab7b365157669fb885ec3
  • =<6.6.*
  • ==3.16
  • <918c0c988239aa5ab96b254e504d191af6191061
  • <3.16
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <fe7221b4346418d27ec2daccfc09df6692b76f0b
  • <0b38870d81ab3a04c1ab0598d9d3285f5d9d0584
  • <004e9ecfe6c5384f9e0b2f6f6389d42ec22789af
  • <16514afeb7d3d121072ba9a0b640d6c1c5507db0
  • <695c59cf7bf707e6ff8cea01916ee50e86616933
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: guard timestamp cmsgs to real error queue skbs

In the Linux kernel, the following vulnerability has been resolved: net: guard timestamp cmsgs to real error queue skbs skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb from sk_error_queue. That assumption is not true for AF_PACKET sockets: outgoing packet taps are also delivered to packet sockets with skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET instead of struct sock_exterr_skb. If such an skb is received with timestamping enabled, the generic timestamp cmsg path can read AF_PACKET control-buffer state as sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop counter overlaps opt_stats. An odd drop count makes the path emit SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear skbs this copies past the linear head and can trigger hardened usercopy or disclose adjacent heap contents. Keep skb_is_err_queue() local to net/socket.c, but make it verify that the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal receive ownership and no longer pass as error-queue skbs, while legitimate sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free ownership.

Affected products

Linux
  • ==cdaf15b43bd31003220cb080bcbbd57787a2fca9
  • <ad9a0374ee6d11048e1f74cd5180bad58b9848b4
  • =<6.6.*
  • <4.11
  • <24a0d548d3a765cd4558224e4f8e06e14cba26e3
  • <e0665b2a8e90bb08bd205062c75662b502d31797
  • <4.11
  • ==4.11
  • =<6.18.*
  • =<5.10.*
  • =<*
  • =<6.1.*
  • <1ee90b77b727df903033db873c75caac5c27ec98
  • <b903e9b5629ec8dd6db92174070045bf81ad7060
  • <3dde4fb941fa5649ab809f6cd3e20e0c424a4e31
  • <71ff5cdd5da61d0438e902aa0fd68c28bc901abe
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <eb51a9ad3ceb01bc6c0fb608dbc856e03ee6f24a
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
mm/list_lru: drain before clearing xarray entry on reparent

In the Linux kernel, the following vulnerability has been resolved: mm/list_lru: drain before clearing xarray entry on reparent memcg_reparent_list_lrus() clears the dying memcg's xarray entry with xas_store(&xas, NULL) before reparenting its per-node lists into the parent. This opens a window where a concurrent list_lru_del() arriving for the dying memcg sees xa_load() == NULL, walks to the parent in lock_list_lru_of_memcg(), takes the parent's per-node lock, and calls list_del_init() on an item still physically linked on the dying memcg's list. If another in-flight thread holds the dying memcg's per-node lock at the same moment (another list_lru_del, or a list_lru_walk_one running an isolate callback), both threads modify ->next/->prev pointers on the same physical list under different locks. Adjacent items can corrupt each other's links. Fix it by reversing the order: reparent each per-node list and mark the child's list lru dead and then clear the xarray entry. Any concurrent list_lru op that finds the still-set xarray entry either takes the dying memcg's per-node lock (synchronizing with the drain) or sees LONG_MIN and walks to the parent, where the items now live.

Affected products

Linux
  • =<6.18.*
  • =<*
  • =<7.0.*
  • <98733f3f0becb1ae0701d021c1748e974e5fa55c
  • ==6.13
  • <2b66496d794e98f7aeec7688573051f22ec40bac
  • <6.13
  • <c19ff4351214f059349788e13e70e74325831ff6
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
nvmem: core: fix use-after-free bugs in error paths

In the Linux kernel, the following vulnerability has been resolved: nvmem: core: fix use-after-free bugs in error paths Fix several instances of error paths in which we call __nvmem_device_put() - which may end up freeing the underlying memory and other resources - and then keep on using the nvmem structure. Always put the reference to the nvmem device as the last step before returning the error code.

Affected products

Linux
  • =<6.18.*
  • <4.20
  • <5b6b6fc491899d583eaa75344e094796ae9b530b
  • ==4.20
  • <e0d38bf47a72da2f02c9fa6f752cd66d977cd7f7
  • =<7.0.*
  • =<6.12.*
  • <cb85ef5a227b3662b88f4d849a1aad43bfe7f5ae
  • <40e2a459c0dd1333b2343831480a0ad80dc07614
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-11379
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.

Affected products

GitLab
  • <18.11.6
  • <19.1.1
  • <19.0.3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

In the Linux kernel, the following vulnerability has been resolved: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI: KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] class_raw_spinlock_constructor remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rt_mutex_start_proxy_lock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64_sys_futex+0x34f/0x4d0 task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal. Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().

Affected products

Linux
  • <6.2
  • ==8a1fc8d698ac5e5916e3082a0f74450d71f9611f
  • <6.7
  • <6.13
  • ==6d52dfcb2a5db86e346cf51f8fcf2071b8085166
  • <7.0.13
  • <6.18.36
  • ==d8cce4773c2b23d819baf5abedc62f7b430e8745
  • <a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53
  • <40a25d59e85b3c8709ac2424d44f65610467871e
  • <55363fa0a04524d11efeaadee734d2db1756ed27