Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
USB: serial: io_ti: fix heap overflow in get_manuf_info()

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]

Affected products

Linux
  • ==2.6.12
  • =<5.10.*
  • =<6.18.*
  • =<6.1.*
  • =<*
  • <e168db91442b94e64fa82a7dd297983d48ea5cc0
  • <b849f30d1a9e66aae6b715aaef66e427390cb081
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <561edb021486e6723d841926aa4b48097da06190
  • <f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
  • <183c1076eca43bbb3e7bdf597456f91d81c73e74
  • <cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
  • <2.6.12
  • <d214d2341d4f9f447e36a7d012cdf6a6631a55f1
  • <d92f17af7097d10bdeddf26f66f34b354104b277
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
tee: shm: fix shm leak in register_shm_helper()

In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in register_shm_helper() register_shm_helper() allocates shm before calling iov_iter_npages(). If iov_iter_npages() returns 0, the function jumps to err_ctx_put and leaks shm. This can be triggered by TEE_IOC_SHM_REGISTER with struct tee_ioctl_shm_register_data where length is 0. Jump to err_free_shm instead.

Affected products

Linux
  • <26682f5efc276e3ad96d102019472bfbf03833b2
  • =<6.18.*
  • ==6.8
  • =<7.0.*
  • <6.8
  • =<6.12.*
  • <dbf779db927414f5b37c1f666013e9b48a88cfde
  • <c10c9c48b2903f41ed4c532043b0576e86228236
  • <4277759906b44d923a38c8f59f5576501b187b0d
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops. Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.

Affected products

Linux
  • =<6.18.*
  • ==6.9
  • <1ff58dcfcab434ebb51649da33774fbb8e1f7b67
  • <6.9
  • <e735dbd489e3ea02be78dba991056fe1138be51e
  • <75e33deda658c1ab3a9336cbdb1436536f9b3660
  • =<6.6.*
  • =<6.12.*
  • <6.6.143
  • =<7.0.*
  • <b003086d76968298f22e7cf62239833b5a3a06b1
  • <945a86b21b40fb17183f5b27461baa6f03e2467f
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect buffer and the workgroup buffer and is expected to release them before returning. When any of the workgroup counts read from the buffer is zero, the function bailed out early and skipped the cleanup, leaking the vaddr mappings of both BOs. Jump to the cleanup path instead of returning directly, so the mappings are always dropped.

Affected products

Linux
  • =<6.18.*
  • <0b59d0946913a0df7d1a033013e259e9b6a76546
  • ==6.8
  • =<7.0.*
  • <6.8
  • =<6.12.*
  • <90b629269088a9fe24a02c032be9f08357f47873
  • <60ebeb23eaf3d7fd2e0551fe304309305e31d424
  • <ae7676952790f421c40918e2586a2c9f12a682b6
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-57455
4.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Unreported (U)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Vim: Stack out-of-bounds write in `spell_soundfold_sofo()` via an over-length `soundfold()` argument

Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.

Affected products

vim
  • ==< 9.2.0698
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/vc4: fix krealloc() memory leak

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: fix krealloc() memory leak Don't just overwrite the original pointer passed to krealloc() with its return value without checking latter: MEM = krealloc(MEM, SZ, GFP); If krealloc() returns NULL, that erases the pointer to the still allocated memory, hence leaks this memory. Instead, use a temporary variable, check it's not NULL and only then assign it to the original pointer: TMP = krealloc(MEM, SZ, GFP); if (!TMP) return; MEM = TMP; While on it, use krealloc_array().

Affected products

Linux
  • <e0ce103e89d61eef70edc1d1ae3bfd4c0aacbc2e
  • =<6.18.*
  • =<6.1.*
  • <c034aa0b1ba5f49cbdf8ef193d6ec714d74aac27
  • <4fc692dc6df5bc777cc1bcebf95179e28594875f
  • =<6.6.*
  • <4.8
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <fd87d6966041e33ef7d2e5dc59f9a52b71c6ae5f
  • ==4.8
  • <5d563a5da8717629ae72f9eadf1e0e340bd1658b
  • <02f5e4db57c0cdd7bac89d503b301a093a0fa95c
  • <30165a09f76eaf34951c818eb5d9d6e4771d76f6
  • =<*
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-8330
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Insertion of Sensitive Information into Log File in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.

Affected products

GitLab
  • <18.11.6
  • <19.1.1
  • <19.0.3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nft_tunnel: fix use-after-free on object destroy

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free on object destroy nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set.

Affected products

Linux
  • =<6.18.*
  • =<*
  • =<6.1.*
  • <8767fe4079affa74314d7eb3220e700150289842
  • =<6.6.*
  • <5e9ee18b27fde88cb6148202b33916c66693fe82
  • =<7.0.*
  • =<6.12.*
  • <941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3
  • <349df61526d2e39decc685d246202e3e284cfe05
  • <f9a0e4b61054cde89a2a77845293c726cc07cc43
  • <4.19
  • ==4.19
  • =<5.15.*
  • <55b79b1ae42372012413ce0413181d26679b17ef
  • <c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a
  • =<5.10.*
  • <fda6573a46ad24f35348e024905ee5bdf729797e
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/xe/display: fix oops in suspend/shutdown without display

In the Linux kernel, the following vulnerability has been resolved: drm/xe/display: fix oops in suspend/shutdown without display The xe driver keeps track of whether to probe display, and whether display hardware is there, using xe->info.probe_display. It gets set to false if there's no display after intel_display_device_probe(). However, the display may also be disabled via fuses, detected at a later time in intel_display_device_info_runtime_init(). In this case, the xe driver does for_each_intel_crtc() on uninitialized mode config in xe_display_flush_cleanup_work(), leading to a NULL pointer dereference, and generally calls display code with display info cleared. Check for intel_display_device_present() after intel_display_device_info_runtime_init(), and reset xe->info.probe_display as necessary. Also do unset_display_features() for completeness, although display runtime init has already done that. This will need to be unified across all cases later. Move intel_display_device_info_runtime_init() call slightly earlier, similar to i915, to avoid a bunch of unnecessary setup for no display cases. Note #1: The xe driver has no business doing low level display plumbing like for_each_intel_crtc() to begin with. It all needs to happen in display code. Note #2: The actual bug is present already in commit 44e694958b95 ("drm/xe/display: Implement display support"), but the oops was likely introduced later at commit ddf6492e0e50 ("drm/xe/display: Make display suspend/resume work on discrete"). (cherry picked from commit 7c3eb9f47533220888a67266448185fd0775d4da)

Affected products

Linux
  • =<6.18.*
  • ==6.8
  • =<7.0.*
  • <6.8
  • <68938cc08e23a94fd881e845837ff918de005ce7
  • <0f68ddfaaebfbb5581ee931779757d31f4dc9e24
  • <238bcdaae8f2abc65e182de7d1f69cf8f611a610
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: mvpp2: refill RX buffers before XDP or skb use

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring. Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.

Affected products

Linux
  • =<6.6.*
  • <5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6
  • <5.8
  • =<6.18.*
  • ==5.9
  • <8a2126c5afe89f8ceeb60a3afb9f075b736194cd
  • =<*
  • =<6.1.*
  • <02e1b5c4d3b4c658b72c145427cded1bba613fc1
  • ==95a936364f2685e9e040c6b179b553604d96de22
  • <5.9
  • <580f92f27cb8724bcc4be98ee89890eab524a2ae
  • <d0c8c4fbd22d260fe28530260656c5fb3c20ce84
  • =<5.15.*
  • =<6.12.*
  • <a88b3293b556f4d8fba11db9a8061a6b0d3b69e6
  • <5.9
  • =<7.0.*
  • ==fba2cf348d9eb50b2049a73cc09313dab6d293f1
  • <a03cdcedb2cbcc42551dc3e4746929e93c5352d5