Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: mvpp2: sync RX data at the hardware packet offset

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: sync RX data at the hardware packet offset mvpp2 programs the RX queue packet offset, so hardware writes received data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the unused headroom and misses the same number of bytes at the packet tail. On non-coherent DMA systems this can leave the CPU reading stale cache contents for the end of the received frame. Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range offset so the sync covers the Marvell header and packet data actually written by hardware.

Affected products

Linux
  • <5.5
  • <23548007b3c66d628fc7d6b80d1e23be04ea10d9
  • =<6.18.*
  • =<6.1.*
  • =<6.6.*
  • <60412bdd1b2576659eac23a23d2d9ff96228a643
  • =<5.15.*
  • <bede0f481b9137d73d1cf64309cbe4b94818a5d6
  • <a13199fa224e9f776f4005d5037df03aa9ea8f37
  • =<6.12.*
  • =<7.0.*
  • <a3ad9b5767c89531fc7dae951b51b0933dcf7051
  • ==5.5
  • <19f8bc139e9b149d1e5bf75ae761d1bb8dd3e7d8
  • <180235600934bef6add3be637c296d6cf3272e67
  • <e302206ad84a407a7e5f3f6fe767ff5efaace689
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-57520
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Affected products

server
  • <2026.5.0
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: openvswitch: fix possible kfree_skb of ERR_PTR

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible kfree_skb of ERR_PTR After the patch in the "Fixes" tag, the allocation of the "reply" skb can happen either before or after locking the ovs_mutex. However, error cleanups still follow the classical reversed order, assuming "reply" is allocated before locking: it is freed after unlocking. If "reply" allocation happens after locking the mutex and it fails, "reply" is left with an ERR_PTR, and execution jumps to the correspondent cleanup stage which will try to free an invalid pointer. Fix this by setting the pointer to NULL after having saved its error value.

Affected products

Linux
  • =<6.18.*
  • =<6.1.*
  • <0bb5b2dc1b90aa7dd1473fc8c4d813a29255ff8d
  • ==3.16
  • <ecc55aad3390129a87106841f4b68bf3d70c9264
  • <3.16
  • =<5.15.*
  • <895d1dd9057cde1687fa0f4286d47ceed0b82997
  • =<6.6.*
  • =<6.12.*
  • =<7.0.*
  • <ee30dd2909d8b98619f4341c70ec8dc8e155ab02
  • <e3d509a1b71396e1452060dbf84a805fd1c3c549
  • <971b1b37774f13acc5add0a2843f8598446b8598
  • <25fdf53698535fe8790237f5a8a9626791429785
  • <e248fb2e680deb2bd37bac551b72638fe4938a76
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
tee: optee: prevent use-after-free when the client exits before the supplicant

In the Linux kernel, the following vulnerability has been resolved: tee: optee: prevent use-after-free when the client exits before the supplicant Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race.

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <5.10.259
  • <6.14
  • <5.5
  • <5.15.210
  • =<6.18.*
  • <724d0caffd4204b46f78efe22f18f8338031c6e1
  • <9a0dc9279d0907b198f205a693aedf696b08145d
  • <6.14
  • ==21234efe2a8474a6d2d01ea9573319de7858ce44
  • <373152c94e57e9592b68c100e224fbd943cfd608
  • =<5.10.*
  • =<*
  • <6.12.94
  • =<6.1.*
  • <387a926ee166814611acecb960207fe2f3c4fd3e
  • ==3eb4911364c764572e9db4ab900a57689a54e8ce
  • <d366a01475f927402c96a3fe78bfc06b924fc87d
  • <416259cb5bffecaaae5f76539deb535a8c1b2c34
  • <ae847ab29ded2d7cece4d5970f0edefa4137bf2f
  • <6.6.143
  • <d5b57bb314d79e99bebb58a53588fa11dd4dbf69
  • ==6.14
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netlabel: validate unlabeled address and mask attribute lengths

In the Linux kernel, the following vulnerability has been resolved: netlabel: validate unlabeled address and mask attribute lengths netlbl_unlabel_addrinfo_get() used the address attribute length to determine whether the attribute data could be read as an IPv4 or IPv6 address, but did not independently validate the corresponding mask attribute length. A crafted Generic Netlink request could therefore provide a valid IPv4/IPv6 address attribute with a shorter mask attribute, which would later be read as a full struct in_addr or struct in6_addr. NLA_BINARY policy lengths are maximum lengths by default, so use NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask attributes. This rejects short attributes during policy validation and also exposes the exact length requirements through policy introspection.

Affected products

Linux
  • =<6.18.*
  • <95bda3eac0b1454c2cee98d58d9ba6dd8391e843
  • =<6.1.*
  • <975a84fd741440853380d37465b6e226cf47254c
  • =<6.6.*
  • =<5.15.*
  • <71c52da13c3737493b42d20d9f33de34e03b3156
  • <07a18f5c90dd3d586b73242f5a5bbf0a72f2fdc6
  • =<6.12.*
  • =<7.0.*
  • <9772589b57e44aedc240211c5c3f7a684a034d3a
  • ==2.6.25
  • <672f0f3b8f875ffe6525a37847eafa7648c4c0c6
  • <0c4bb32ad7fdc2dc6a8050f41eb04d4bda56b6c8
  • <2.6.25
  • <ccfe292a966079c61ea68a2da303b2a336170993
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
accel/ivpu: Fix signed integer truncation in IPC receive

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix signed integer truncation in IPC receive Fix potential buffer overflow where firmware-supplied data_size is cast to signed int before being used in min_t(). Large unsigned values (>= 0x80000000) become negative, causing unsigned wraparound and oversized memcpy operations that can overflow the stack buffer. Change min_t(int, ...) to min() as both values are unsigned and can be handled by min() without explicit cast.

Affected products

Linux
  • =<6.18.*
  • <d9faef564438d1e4579c692c046603e7ada7bdf4
  • ==6.8
  • =<7.0.*
  • <6.8
  • <4788556d4dd9d717037e385de178974e9649231d
  • =<6.12.*
  • <45cb105b8642c65e9be286f7058e92314efe7ea3
  • <2821bf2b79e47f87e1dbdd9d25c78240965a97d6
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
gpio: mvebu: fix NULL pointer dereference in suspend/resume

In the Linux kernel, the following vulnerability has been resolved: gpio: mvebu: fix NULL pointer dereference in suspend/resume mvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO banks during suspend/resume, but not all banks have PWM functionality. GPIO banks without PWM have mvchip->mvpwm set to NULL. Calling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer dereference when it tries to access mvpwm->blink_select. Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write [00000020] *pgd=00000000 Internal error: Oops: 815 [#1] PREEMPT ARM Modules linked in: CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353 Hardware name: Marvell Armada 370/XP (Device Tree) PC is at regmap_mmio_read+0x38/0x54 LR is at regmap_mmio_read+0x38/0x54 pc : [<c05fd2ac>] lr : [<c05fd2ac>] psr: 200f0013 sp : f0c11d10 ip : 00000000 fp : c100d2f0 r10: c14fb854 r9 : 00000000 r8 : 00000000 r7 : c1799c00 r6 : 00000020 r5 : 00000020 r4 : c179c7c0 r3 : f0a231a0 r2 : 00000020 r1 : 00000020 r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 135ec059 DAC: 00000051 Call trace: regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac _regmap_bus_reg_read from _regmap_read+0x60/0x154 _regmap_read from regmap_read+0x3c/0x60 regmap_read from mvebu_gpio_suspend+0xa4/0x14c mvebu_gpio_suspend from dpm_run_callback+0x54/0x180 dpm_run_callback from device_suspend+0x124/0x630 device_suspend from dpm_suspend+0x124/0x270 dpm_suspend from dpm_suspend_start+0x64/0x6c dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8 suspend_devices_and_enter from pm_suspend+0x2fc/0x308 pm_suspend from state_store+0x6c/0xc8 state_store from kernfs_fop_write_iter+0x10c/0x1f8 kernfs_fop_write_iter from vfs_write+0x270/0x468 vfs_write from ksys_write+0x70/0xf0 ksys_write from ret_fast_syscall+0x0/0x54 Add a NULL check for mvchip->mvpwm before calling the PWM suspend/resume functions.

Affected products

Linux
  • =<6.18.*
  • <4.12
  • =<6.6.*
  • <b9ad50d7505ebd48282ec3630258dc820fc85c81
  • =<6.12.*
  • =<7.0.*
  • <c9677a9274ffb44987ec209dc8ec9f2d34946956
  • ==4.12
  • <6136c1474db88272231573e222896e1998d34662
  • <7db09011ce62162d72897fc4856b4425245dfe35
  • <4ef24338eda3c7e96d6f94a988266ff16ed3985d
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netdev: fix double-free in netdev_nl_bind_rx_doit()

In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdev_nl_bind_rx_doit() Sashiko flags that genlmsg_reply() always consumes the skb. The error path calls nlmsg_free(rsp) so we can't jump directly to it. Let's not unbind, just propagate the error to the user. This is the typical way of handling genlmsg_reply() failures. They shouldn't happen unless user does something silly like calling the kernel with an already-full rcvbuf.

Affected products

Linux
  • <e055ca9205d3eb6aec3e5fe4ecc18abbbf18c599
  • <9b019376cbee10c4f9184d1745fa37d156e36f30
  • =<6.18.*
  • ==6.12
  • <c299321bc6232770ce378d6fa6bc46004d2d7fdb
  • <c849de7d8757a7af801fc4a4058f71d481d367f2
  • =<6.12.*
  • =<7.0.*
  • <6.12
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
accel/ivpu: Add bounds check for firmware runtime memory

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add bounds check for firmware runtime memory Validate that the firmware runtime memory specified in the image header is properly aligned and sized to hold the firmware image. This prevents errors during memory allocation and image transfer.

Affected products

Linux
  • <f8ab60ae9309e76d9a09c601c10cc222e25b3d5b
  • =<7.0.*
  • <6.19
  • ==6.19
  • <1d0b597facdd3c0239c88e8797c1014e1ea0ef15
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms. Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands. Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched. The Bluetooth Core spec wording for MTUExceeded says the reject identifier shall match the first request command in the packet, and that packets containing only responses shall be silently discarded. Linux intentionally deviates from that prescription: silently discarding desynchronizes the peer because the remote stack never learns its responses were dropped, and locating the first request command requires walking command headers past MTUsig, i.e. processing bytes from a packet we have already decided is too large to process. We therefore always emit one reject and use the identifier from the first command header, a single fixed-offset byte read. The unrestricted BR/EDR signaling parser and ECHO_REQ response path both trace to the initial git import; no later introducing commit is available for a Fixes tag.

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <5.10.259
  • <fa5823126239b3e453fac1a2fe50726c7f4a55e1
  • <5.15.210
  • =<6.18.*
  • <e2b8acf9405bd9b1baf1c54dc897b0905db689bf
  • <b20e8a98dd29b121f58fcdf51e8576119aba536a
  • <dedc92b96dc1d8919a3bdf2495ede68922ef7ebc
  • <a8335f3db15bd1e0e82e0db5d488fabc7d10d1ab
  • <e05c4ac575b457978a7ef441053394169084869c
  • =<5.10.*
  • =<*
  • <6.12.94
  • =<6.1.*
  • <214a2042b16b3c8d798a8b9ef9f36094f13a9859
  • <dd214733544427587a95f66dbf3adff072568990
  • <6.6.143
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <7.0.13
  • <6.18.36