Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ipv6: sit: reload inner IPv6 header after GSO offloads

In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.

Affected products

Linux
  • =<6.18.*
  • =<*
  • <cb658c2f5f7977c2a1c77c9f239f4bc8196edb5c
  • <fddd41445a0537b093e6b3f6232c9933cad1e48b
  • <1132e5edc2866c3530be17622153a597095f0e43
  • =<6.1.*
  • =<6.6.*
  • =<5.15.*
  • <2fa49b2715e1bad12ce3b0fa64e234d9582c8193
  • <3.18
  • =<6.12.*
  • =<7.0.*
  • <0bfa7bba1f41aaf5f0604dc712bb4701493e3aa0
  • <f0e42f0c4337b1f220de1ddd63f47197c7dee4de
  • <59f80c919713250fe5d25a4d9aea4e49580fa1d4
  • ==3.18
  • =<5.10.*
  • <9c67b44edb3598d234efae6e44649eb993c03da5
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: validate embedded INIT chunk and address list lengths in cookie

In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads. In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads. Fix this by: - requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk); - validating that the INIT chunk and raw address list together fit within the cookie payload; - verifying sufficient data exists for each address parameter header and payload before parsing it. Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.

Affected products

Linux
  • ==2.6.12
  • =<6.18.*
  • <7560afb8cddafd829e709d7ea09230e45a825557
  • =<7.0.*
  • <512a9bb77c04ac9927648ea58af617e472be96e6
  • <6f4c80a2a7e6d06753b89a578b710a2499a5e62b
  • <2.6.12
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries. With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind: DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core] Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.

Affected products

Linux
  • =<6.18.*
  • <5.3
  • <0aabca726b43d833721034e97d99efcc8237b22a
  • =<6.12.*
  • =<7.0.*
  • <7b3eeba50fbc3b45f279037c29a87a90e8bac1e1
  • <2789b74ae1f4b68333c9d5eec2f3354d07b16e61
  • <b69004f5a6ad32da84d8aa5b23b9c0caafe6252e
  • ==5.3
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: add pskb_may_pull() to skb_gro_receive_list()

In the Linux kernel, the following vulnerability has been resolved: net: add pskb_may_pull() to skb_gro_receive_list() skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without first ensuring the data is in the linear area via pskb_may_pull(). When the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in page fragments) while skb_gro_offset is non-zero (after IP+TCP header parsing). The skb_pull() then decrements skb->len by skb_gro_offset but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len) in __skb_pull(). The UDP fraglist GRO path already contains this guard at udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides centralized protection for all callers (TCP, UDP, and any future protocols), and ensures the precondition of skb_pull() is satisfied before it is called. On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the skb is not held as a new GRO head and is instead delivered through the normal receive path, matching the UDP handling.

Affected products

Linux
  • <0cde3a004119db637b401c54e77536e4145fc0b4
  • ==6.10
  • <f2bb3434544454099a5b6dec213567267b05d79d
  • =<6.18.*
  • <6.10
  • <848571dcbbbea7ba44dd4f7ebe1fbb274afe08ac
  • =<7.0.*
  • =<6.12.*
  • <9e636c995b7beeb74ea882968248752821c244c4
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Affected products

Linux
  • =<6.18.*
  • <80df409e1a483676826a6c66e693dba6ac507751
  • =<6.6.*
  • <72775977e89c25c99ee84d2c5baa3f86a8ba5cb4
  • =<7.0.*
  • =<6.12.*
  • ==6.2
  • <6.2
  • <459c6f35c58cf0fd5247e55d73ddaa29571d9b7e
  • <2d86aeb46d5f69c704065a8c69822582787272a1
  • <e634408d2b0cd939cfe019398a21fb47b7a8ffe3
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
timers/migration: Fix livelock in tmigr_handle_remote_up()

In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix livelock in tmigr_handle_remote_up() tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu == smp_processor_id(), assuming the local softirq path already handled this CPU's timers. This assumption is wrong because jiffies can advance after the handling of the CPU's global timers in run_timer_base(BASE_GLOBAL) and before tmigr_handle_remote() evaluates the expiry times. As a consequence a timer which expires after the CPU local timer wheel advanced and becomes expired in the remote handling is ignored and the callback is never invoked and removed from the timer wheel. What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it as expired, and the event is re-queued with expires == now on each iteration. The goto-again loop spins indefinitely. Fix this by calling timer_expire_remote() unconditionally. That's minimal overhead for the common case as __run_timer_base() returns immediately if there is nothing to expire in the local wheel. [ tglx: Amend change log and add a comment ]

Affected products

Linux
  • =<6.18.*
  • ==6.9
  • <6.9
  • =<7.0.*
  • =<6.12.*
  • <d486b4934a8e504376b85cdb3766f306d57aff5b
  • <1d6c2062b77be09ec15d6bf637b2e2221c4482fc
  • <07b3b83587fb3012619f4439389b64a955fc7836
  • <d338e61ea94052a786aac9f58e9f0d8520afa0fd
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: MGMT: validate advertising TLV before type checks

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

Affected products

Linux
  • <de23fb62259aa01d294f77238ae3b835eb674413
  • =<6.18.*
  • =<6.1.*
  • <2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57
  • =<6.6.*
  • <18fea1cb0c2599752e908c8217490f73ddd33e00
  • =<6.12.*
  • =<7.0.*
  • <1a3c8ffbb469859b076445af44bdfa6a711d483e
  • =<5.15.*
  • <f7093ac233c1e7f51d125534f46067772a113175
  • <4.9
  • <06fcbd79c3c360a50f9be9d370769bbd738d0976
  • <74c08e4db35a476c3462aeb65846f955be732626
  • ==4.9
  • <13ad995071a06570668dd8daab3616c247c72080
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-0934
3.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.

Affected products

GitLab
  • <18.11.6
  • <19.1.1
  • <19.0.3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/gem: Try to fix change_handle ioctl, attempt 4

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, attempt 4 [airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not good enough to figure this out in private. The story thus far: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") tried to fix a race condition between the gem_close and gem_change_handle ioctls, but got a few things wrong: - There's a confusion with the local variable handle, which is actually the new handle, and so the two-stage trick was actually applied to the wrong idr slot. 7164d78559b0 ("drm/gem: fix race between change_handle and handle_delete") tried to fix that by adding yet another code block, but forgot to add the error handling. Which meant we now have two paths, both kinda wrong. - dc366607c41c ("drm: Replace old pointer to new idr") tried to apply another fix, but inconsistently, again because of the handle confusion - this would be the right fix (kinda, somewhat, it's a mess) if we'd do the two-stage approach for the new handle. Except that wasn't the intent of the original fix. We also didn't have an igt merged for the original ioctl, which is a big no-go. This was attempted to address off-list in the original bugfix, and amd QA people claimed the bug was fixed now. Very clearly that's not the case. Here's my attempt to sort this out: - Rename the local variable to new_handle, the old aliasing with args->handle is just too dangerously confusing. - Merge the gem obj lookup with the two-stage idr_replace so that we avoid getting ourselves confused there. - This means we don't have a surplus temporary reference anymore, only an inherited from the idr. A concurrent gem_close on the new_handle could steal that. Fix that with the same two-stage approach create_tail uses. This is a bit overkill as documented in the comment, but I also don't trust my ability to understand this all correctly, so go with the established pattern we have from other ioctls instead for maximum paranoia. - Adjust error paths. I've tried to make the error and success paths common, because they are identical except for which handle is removed and on which we call idr_replace to (re)install the object again. But that made things messier to read, so I've left it at the more verbose version, which unfortunately hides the symmetry in the entire code flow a bit. - While at it, also replace the 7 space indent with 1 tab. And finally, because I flat out don't trust my abilities here at all anymore: - Disable the ioctl until we have the igt situation and everything else sorted out on-list and with full consensus. v2: Sashiko noticed that I didn't handle the error path for idr_replace correctly, it must be checked with IS_ERR_OR_NULL like in gem_handle_delete. So yeah, definitely should just the existing paths 1:1 because this is endless amounts of tricky. Also add the Fixes: line for the original ioctl, I forgot that too.

Affected products

Linux
  • <1a4f03d22fb655e5f192244fb2c87d8066fcfca2
  • ==cde2c9257cbe8463b9dcf7b1075177b72b5fd938
  • <7.0.13
  • <1d9b93df7fc768228906e24220591ec1cddad391
  • ==38f12d0e10d83b66fa1466400d876a3a8da31542
  • ==318b995cffcfcaa69a234d28123a3f4ae186a9df
  • <6.18.36
  • ==0dfa42cfe4dbe114533480503934f43e33c1e83d
  • <c0639ede2f24ac224b2079cd35ecd5fd8ad4e3cd
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
mmc: dw_mmc-rockchip: Add missing private data for very old controllers

In the Linux kernel, the following vulnerability has been resolved: mmc: dw_mmc-rockchip: Add missing private data for very old controllers The really old controllers (rk2928, rk3066, rk3188) do not support UHS speeds at all, and thus never handled phase data. For that reason it never had a parse_dt callback and no driver private data at all. Commit ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating support") makes the private data sort of mandatory, because the init function checks whether phases are configured internally or through the clock controller. This results in the old SoCs then experiencing NULL-pointer dereferences when they try to access that private-data struct. While we could have if (priv) conditionals in all places, it's way less cluttery to just give the old types their private-data struct.

Affected products

Linux
  • <8d9eca906e76d3dd40e5f2c79701f066678f2e62
  • =<6.18.*
  • <6.12.94
  • <7f8007be13e6cc1e0a508fe461f9a91ba9a28b8c
  • =<7.0.*
  • <6.19
  • =<6.12.*
  • <6.18.36
  • <1e9a4850afa0ceb63984fb1a9f3e86d0fc4fd18f
  • ==6.19
  • <b1180ff50cca48807893ecde7d1f81d573c88c85
  • =<*