Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 The v11 MQD manager incorrectly assigned the CP-compute variants of checkpoint_mqd/restore_mqd for KFD_MQD_TYPE_SDMA queues. These functions use sizeof(struct v11_compute_mqd) (2048 bytes) instead of sizeof(struct v11_sdma_mqd) (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x: - checkpoint_mqd() reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace During CRIU restore: - restore_mqd() writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs) This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add checkpoint_mqd_sdma() and restore_mqd_sdma() functions that properly handle the smaller v11_sdma_mqd structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c)

Affected products

Linux
  • =<6.18.*
  • =<6.6.*
  • =<7.0.*
  • =<6.12.*
  • ==5.19
  • <d02f05d30f35b036f7cbaf72de634affb5b38ec6
  • <d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64
  • <5.19
  • <352ea59028ea48a6fff77f19ae28f98f71946a80
  • <16dad1fb0d783a4008de30e32d0038c393de05b1
  • <2c5b66c9b4057b385566940935ebc32f6e6ebfd2
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs [Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node. The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36. Fix both issues by: - Returning -ENODEV when connector->base.state or state->crtc is NULL - Clamping write_size to min(size, sizeof(data)) (cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)

Affected products

Linux
  • =<6.18.*
  • <c90954cdea4d6998ec345de0d840d030c145b89e
  • <adf67034b1f61f7119295208085bfd43f85f56af
  • <a2de1d71891a038a9346b2c1a72b88c8350f2479
  • =<6.1.*
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • ==5.2
  • <bb6f705b73b5f191f14ad004e2c8c4b615806187
  • <7fc4fab4acc307ad2903312c195872b2953d32c3
  • <ee9cfcf77a8e8af637396dc00966df5f701e661c
  • <b781f90a9528555c709e59789550893581ef0be4
  • <5.2
  • <7ae95c0275c330b5dbae806f8e431720edad776f
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iomap: avoid potential null folio->mapping deref during error reporting

In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio->mapping deref during error reporting When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(folio->mapping->host, ...). This is called after ifs->read_bytes_pending has been decremented by the bytes attempted to be read. For a folio split across multiple read completions, the folio is only guaranteed to stay locked while read_bytes_pending > 0. Once iomap_finish_folio_read() decrements read_bytes_pending, another in-flight read can complete and end the read on the folio, which unlocks it. This allows truncate logic to run and detach the folio (set folio->mapping to NULL). The error reporting path then can dereference a NULL folio->mapping. As reported by Sam Sun, this is the race that can occur: CPU0: failed completion CPU1: final completion CPU2: truncate ----------------------- ---------------------- -------------- read_bytes_pending -= len finished = false /* preempted before fserror_report_io() */ read_bytes_pending -= len finished = true folio_end_read() truncate clears folio->mapping fserror_report_io( folio->mapping->host, ...) ^ NULL deref Fix this by reporting the error first before decrementing ifs->read_bytes_pending.

Affected products

Linux
  • <1ad453817a4077230d1ba88eb0868f05f824449a
  • ==7.0
  • =<7.0.*
  • <7.0
  • <2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/sched: act_api: use RCU with deferred freeing for action lifecycle

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: use RCU with deferred freeing for action lifecycle When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action. Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER: 0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree(). Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu(). Let's illustrate the new restored code path: 0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.

Affected products

Linux
  • =<5.10.*
  • <b60e9391142e983fab2be53497aa8f71fdd09cd5
  • =<6.18.*
  • <18af5d2ef0c4f65787fd1280c8b23286b9f2a835
  • =<6.1.*
  • <4.14
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • ==4.14
  • <5dd51e09020c65aa53cf128e5e3517cd53b3c113
  • =<7.0.*
  • <91d105d2cbe002f9c7b43a6183adedc37e1da1f7
  • <5057e1aca011e51ef51498c940ef96f3d3e8a305
  • <1f1b98fea6b9ea30507d0f2fbff6750292d097e2
  • <98b2e40879abf0245be5a5b7af69e0f6ff524ac3
  • <8b136f18ac4b2ace5aaad3305b3f8a5d8165a009
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <4d1c3c26c2ab1842e139e61983395d64bd2e518b
  • <fb0707ce00eef4e2d60c3020e1c0432739703e4a
  • <3f32d52ec604c659725d865cf8cc6a17a33f9c6a
  • <5.15.210
  • =<6.18.*
  • <d6be8e59af412623e3d874be3a048406c0edfe60
  • <8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117
  • =<*
  • <6.12.94
  • =<6.1.*
  • <6.6.143
  • <029571d51140650783be4fb98fe7cb4754752086
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <7.0.13
  • <6.18.36
  • <5f8b39452fb16f507c9e4d8b4a83ce27e893307c
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-5796
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

Affected products

GitLab
  • <18.11.6
  • <19.1.1
  • <19.0.3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
accel/ivpu: Add bounds checks for firmware log indices

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add bounds checks for firmware log indices Add validation that read and write indices in the firmware log buffer are within valid bounds (< data_size) before using them. If out-of-bounds indices are encountered (from firmware), clamp them to safe values instead of proceeding with invalid offsets. This prevents potential out-of-bounds buffer access when firmware supplies invalid log indices.

Affected products

Linux
  • =<6.18.*
  • <6.12.94
  • =<*
  • <dd1311bcf0e62f0c515115f46a3813370f4a4bb1
  • =<7.0.*
  • =<6.12.*
  • ==6.13
  • <5961c703414048f46818be8bbb11075a9a63fb4e
  • <6.13
  • <8ec70c0dbdf04392a26e03e38798a373934177be
  • <535da9ad8420c3b686a642403d4147ff220255fd
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs. Bail out if userspace requests too much data when F_PRESENT is set.

Affected products

Linux
  • ==4.11
  • <772cecf198da732faebb5dcfc46d66a505be8495
  • <46fc15a044e9938e7ea77786fb37edd2cd74f031
  • =<6.1.*
  • <78069a6d8bc86c9e036eb82c2af4a19cc1871a53
  • <19748967d59c31d24d21d40b728570788310b237
  • <cd513e43b4b2bd1de39e2367bc4261c699a8652f
  • =<6.6.*
  • =<6.18.*
  • <8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6
  • <4.11
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265
  • =<*
  • =<5.10.*
  • <67b27434c43b68a97becda98c9f0c8cf6cba2134
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ALSA: timer: Fix UAF at snd_timer_user_params()

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <5.10.259
  • <306427adf9b97e29e5958cb9cf3096c6151fc9ff
  • <5.15.210
  • =<6.18.*
  • <e2331730175f74169046d2af8db1b47243df7c7a
  • <b2214914e461d0466548a52dfe4f4ee8ce362276
  • =<5.10.*
  • =<*
  • <6.12.94
  • =<6.1.*
  • <38034d04d4a75bbca01df2b313ced0bcd0fa3242
  • <6.6.143
  • <117743d62e1225e208568a3ffc2c07214f1347cb
  • <92ad2d7f80cad43b046f093e808e11fe919d304a
  • <3d39da65b5c422c5e5afb7d5651b0698d060a827
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <053a401b592be424fea9d57c789f66cd5d8cec11
  • <7.0.13
  • <6.18.36
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: fix memory leak in error path of hci_alloc_dev()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.

Affected products

Linux
  • <5.11
  • <6.1.176
  • =<6.6.*
  • <6.16
  • <bc2efe73c194a74839d7cf57b63880d97e21d309
  • <5.15.210
  • =<6.18.*
  • ==0e5c144c557df910ab64d9c25d06399a9a735e65
  • ==6.16
  • <c016118b9e51eeaf5bc93850d4c455a3b583c0aa
  • <0622e527a31d4b44737fed5c1a2ac1fc2cfb5184
  • =<*
  • <6.12.94
  • =<6.1.*
  • ==dd4becd3fd4102696e1c15e6d260a1712a2d8685
  • <ce4b4cac3c5749b6aa75e62e2991ae2263f2f889
  • <6.6.143
  • <5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f
  • <f82799407a50af7bcacacf09cc9b279af8fe9b81
  • <6.16