Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

Affected products

Linux
  • =<6.18.*
  • <4bfdf0a9855df55e9e031ca6a25b855820590c70
  • =<*
  • <d5de9cb5355db36438edc621dde3673e3f235767
  • =<6.6.*
  • =<7.0.*
  • =<6.12.*
  • <d77583ca33299fede0c194744ef2284e7ba5b763
  • ==5.1
  • <8fb4a23df5b7c02929b62e5dbc270ec7c42b8134
  • <5.1
  • <5401fb4fe10fac6134c308495df18ed74aebb9c4
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-55892
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Vim: Out-of-bounds Write in Spell File Prefix Dump

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

Affected products

vim
  • ==< 9.2.0662
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
devlink: Release nested relation on devlink free

In the Linux kernel, the following vulnerability has been resolved: devlink: Release nested relation on devlink free devlink relation state is normally released from devl_unregister(), which calls devlink_rel_put(). This misses devlink instances that get a nested relation before registration and then fail probe before devl_register() is reached. That flow can happen for SFs. The child devlink gets linked to its parent before registration, then a later probe error calls devlink_free() directly. Since the instance was never registered, devl_unregister() is not called and devlink->rel is leaked. Release any pending relation from devlink_free() as well. The registered path is unchanged because devl_unregister() already clears devlink->rel before devlink_free() runs.

Affected products

Linux
  • ==6.7
  • =<6.18.*
  • <927f96861f939c0b517d13ed27bf4fabbfc1cfb3
  • <3522b21fd7e1863d0734537737bd59f1b90d0190
  • <a9137286884703113b1c9e6403bd6d7d97b14754
  • =<6.12.*
  • =<7.0.*
  • <11324d52b0c63f4f202b35793c6507a575e9a689
  • <6.7
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: revalidate bridge ports

In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject. A mere NULL check isn't sufficient, however. As sashiko review points out userspace can not only remove the port from the bridge, it could also place the device in a different virtual device, e.g. macvlan. If this happens, we must drop the packet, there is no way for us to reinject it into the bridge path. Switch to _upper API, we don't need the bridge port structure. Also, this fix keeps another bug intact: Both nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER too aggressive, which prevents certain logging features when queueing in bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old CONFIG_BRIDGE_NETFILTER cruft is off. Fixes tag is a common ancestor, this was always broken.

Affected products

Linux
  • <ccb9fd4b87538ccf19ccff78ee26700526d94867
  • =<6.18.*
  • ==2.6.36
  • =<7.0.*
  • <4beffcd726e2a731cea4dc18e1fbc55c8d76f1a0
  • =<6.12.*
  • <d4b1301fd3c9e5e105fd3767c68bc4ba558bb228
  • <43330a1e8aace6b5a8de9aba127e9e394ab49b0f
  • <2.6.36
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
thunderbolt: Clamp XDomain response data copy to allocation size

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.

Affected products

Linux
  • =<5.10.*
  • <0b334279a82d79fb4723bd4f614305de1ab69caa
  • =<6.18.*
  • <906035d5c3784570191d259cbf9a0ac1617852b5
  • =<6.1.*
  • <322e93448d908434ae5545660fcbe8f5a7a8e141
  • =<6.6.*
  • =<7.0.*
  • =<5.15.*
  • =<6.12.*
  • ==4.15
  • <6021d39ccd979713b39b980286020d8f9a45efd1
  • <fcbd0cdab92838854a5818be7ed8a097164ef6d5
  • <4.15
  • <89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d
  • <5db10c8ad8c09f72c847dfeef3d876098257f505
  • <05a43157676c243c248d1c6d9dcecbe6eba2f35d
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bnxt_en: Fix NULL pointer dereference

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer dereference PCIe errors detected by a Root Port or Downstream Port cause error recovery services to run on all subordinate devices regardless of administrative state. The .error_detected() callback, bnxt_io_error_detected(), disables and synchronizes IRQs via bnxt_disable_int_sync(), which calls bnxt_cp_num_to_irq_num() to map completion rings to IRQs using bp->bnapi. Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe error recovery on a closed NIC can dereference a NULL pointer. Check if bp->bnapi is NULL before disabling and synchronizing IRQs.

Affected products

Linux
  • =<6.18.*
  • =<*
  • =<6.1.*
  • <4.17
  • <580844a9683afe7974856dd5b7886447435b3474
  • =<6.6.*
  • <59c5a3e69c7630a811565937e64be70b08436761
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <d930276f2cddd0b7294cac7a8fe7b877f6d9e08d
  • <08e57d014ea19f303d5d57a849beb846f37788b7
  • ==4.17
  • <3884976f87448e269908ae61bd5d62d54ce9c0c7
  • <964b1c3eb71afe58bb61c8b984164447e000ae8a
  • <1a418ad0e5e525d1d117dd1601681f75455af320
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: mvpp2: limit XDP frame size to the RX buffer

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.

Affected products

Linux
  • <910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e
  • <f3c6aa078927e6fe8121c9c591ddee8716c5305a
  • =<6.18.*
  • =<6.1.*
  • <a3ee9231ccec6ec3be2de89c56f897055fd9eab1
  • ==5.9
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <ec8e1e5842bc0dbd4c272761f4db3651eecd0339
  • <3b8b0c3631b19faee53f0d15a49924129b063eec
  • <994bd2b58d2bd08aa97ec0836cc813cfcb00d749
  • <9545cc5ef18ca22d031f2f47c157192460652359
  • <5.9
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync hci_get_route() returns a reference-counted hci_dev pointer via hci_dev_hold(). The function exits normally or with an error without ever releasing it.

Affected products

Linux
  • =<6.18.*
  • <6.12.94
  • <5cbf290b79351971f20c7a533247e8d58a3f970c
  • <6.12
  • <33d677d2e3713d98012c3dbd4a9207f7d785b854
  • =<7.0.*
  • =<6.12.*
  • ==6.13
  • <23e8eb16820b866528fb300dc67fe3f67f00ef62
  • ==bfec1e55314896bf4a4cfdb3a9ad4872be9f06ed
  • <6.13
  • <4bbec25f47b930101294fd310c627c3f53e9661f
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: fix leak if split 6 GHz scanning fails

In the Linux kernel, the following vulnerability has been resolved: wifi: fix leak if split 6 GHz scanning fails rdev->int_scan_req is leaked if cfg80211_scan() fails. Note that it's supposed to be released at ___cfg80211_scan_done() but this doesn't happen as rdev->scan_req is NULL at that point, too, leading to the early return from the freeing function. unreferenced object 0xffff8881161d0800 (size 512): comm "wpa_supplicant", pid 379, jiffies 4294749765 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 f0 81 13 16 81 88 ff ff ................ backtrace (crc c867fdb6): kmemleak_alloc+0x89/0x90 __kmalloc_noprof+0x2fd/0x410 cfg80211_scan+0x133/0x730 nl80211_trigger_scan+0xc69/0x1cc0 genl_family_rcv_msg_doit+0x204/0x2f0 genl_rcv_msg+0x431/0x6b0 netlink_rcv_skb+0x143/0x3f0 genl_rcv+0x27/0x40 netlink_unicast+0x4f6/0x820 netlink_sendmsg+0x797/0xce0 __sock_sendmsg+0xc4/0x160 ____sys_sendmsg+0x5e4/0x890 ___sys_sendmsg+0xf8/0x180 __sys_sendmsg+0x136/0x1e0 __x64_sys_sendmsg+0x76/0xc0 x64_sys_call+0x13f0/0x17d0 Found by Linux Verification Center (linuxtesting.org).

Affected products

Linux
  • =<6.18.*
  • <5.10
  • =<7.0.*
  • <a24134ddc18b4d440714365637d440b7121447b9
  • ==5.10
  • <fb8db813eba2e56ee001c9fb5c2ce2cb78c42642
  • <e8694f7cc29287e843648d1075177b9a2000d957
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data. Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <6.16
  • <5c65b96b549ea2dcfde497436bf9e048deb87758
  • <dafc9f57140e66a10945127aa7433c3d715dc253
  • =<6.18.*
  • <cdd8bbdbee763fdf5bf343e6f7d4e79347739f62
  • ==15da883c010cbc2a84aec1738b6ad6ee477846de
  • ==6.16
  • =<*
  • <6.12.94
  • =<6.1.*
  • <6.6.143
  • <1338ee049a8910ba6c9cee963920e978e6893c7d
  • <10b0e832cc05d7aef4b92bed912cbd4a395d0862
  • <02f50e8bb69f9b22516163a09922f5537d3b12d1
  • =<7.0.*
  • =<6.12.*
  • <6.16