Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
Permalink CVE-2026-13026
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Use after free in Digital Credentials in Google Chrome on …

Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected products

Chrome
  • <149.0.7827.197
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error When hci_register_dev() fails in hci_uart_register_dev() HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed. Clear HCI_UART_PROTO_INIT with a write lock before calling hu->proto->close() and setting hu->hdev to NULL. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed. This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails.

Affected products

Linux
  • <f4b69c35813c432973d340d3600c01de106ed474
  • =<6.18.*
  • <5.15.209
  • =<7.0.*
  • <6.14
  • <ebb39b2d81731b83ee71a1ba6dd0291a57b5ac07
  • <5.10.258
  • =<6.1.*
  • <a673cf6c4ac702cb79ac1f4d7fc4de763a6a3e40
  • ==1dcf08fcff5ca529de6dc0395091f28854f4e54a
  • <6.15
  • <ed4033fb85ccaaf6c3983be3c7b037e48253d232
  • <194f029a4d7f739e44ebc1f473120187b4de5104
  • <6.1.175
  • ==8e5aff600539e5faea294d9612cca50220e602b8
  • <3daa5818e473ed60eb69d8b5c71b651909d28c5a
  • <5.5
  • <6.6.141
  • ==db7509fa110dd9b11134b75894677f30353b2c51
  • <68d39ea5e0adc9ecaea1ce8abd842ec972eb8718
  • =<5.15.*
  • ==6.15
  • =<*
  • <6.12.91
  • <6.15
  • <356dee1bcac4d0d9152390561fa63331ebff211b
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler

In the Linux kernel, the following vulnerability has been resolved: perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Calling perf_allow_kernel() from the NMI context is unsafe and could be fatal. Capture the permission at event-initialization time by storing it in event->hw.flags, and have the NMI handler rely on that cached flag instead of making the call directly.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • <0584e74fa2b27e9e722cfb5b579f79263df20040
  • <6.14
  • <b0a09142622a994c4f4088c3f61db5da87cfc711
  • <2783ed2442ce69ae240b787aee6dae801cef7aec
  • =<*
  • ==6.14
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
dm cache policy smq: fix missing locks in invalidating cache blocks

In the Linux kernel, the following vulnerability has been resolved: dm cache policy smq: fix missing locks in invalidating cache blocks In passthrough mode, the policy invalidate_mapping operation is called simultaneously from multiple workers, thus it should be protected by a lock. Otherwise, we might end up with data races on the allocated blocks counter, or even use-after-free issues with internal data structures when doing concurrent writes. Note that the existing FIXME in smq_invalidate_mapping() doesn't affect passthrough mode since migration tasks don't exist there, but would need attention if supporting fast device shrinking via suspend/resume without target reloading. Reproduce steps: 1. Create a cache device consisting of 1024 cache entries dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. Populate the cache, and record the number of cached blocks fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \ --size=64m --direct=1 nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}') 3. Reload the cache into passthrough mode dmsetup suspend cache dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache 4. Write to the passthrough cache. By setting multiple jobs with I/O size equal to the cache block size, cache blocks are invalidated concurrently from different workers. fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \ --direct=1 --numjobs=2 --randrepeat=0 --size=64m 5. Check if demoted matches cached block count. These numbers should match but may differ due to the data race. nr_demoted=$(dmsetup status cache | awk '{print $12}') echo "$nr_cached, $nr_demoted"

Affected products

Linux
  • ==4.12
  • <c348ae47d8e65f06429fa41adce9ad986b696766
  • =<5.15.*
  • =<6.6.*
  • =<6.18.*
  • =<6.12.*
  • <4991b5a08751e2e82488fb93ae08849b6aea10d9
  • =<7.0.*
  • <9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e
  • <93627a29d4b66d4a2def938dfb8610cc80ae454b
  • <2b62d0611c9af14a16bddf22df2612b4f40eb5a1
  • =<*
  • <4.12
  • <1b2bec4a7dcf5f00b7a1cbeeec8997841d783513
  • =<6.1.*
  • =<5.10.*
  • <ac5ee99443891bdb161f5539606a66a1b5e72542
  • <2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
platform/wmi: use generic driver_override infrastructure

In the Linux kernel, the following vulnerability has been resolved: platform/wmi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Affected products

Linux
  • <6.11
  • =<6.18.*
  • =<6.12.*
  • <13d201bd840d2e2a645ef899f81342cd27ced346
  • =<7.0.*
  • <2c5507010fc3b8e2bd596c63c88f6ad39a69b1c4
  • =<*
  • <8a700b1fc94df4d847a04f14ebc7f8532592b367
  • ==6.11
  • <4dc755d86deed88789540d960e421124bad4c568
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
batman-adv: clear current gateway during teardown

In the Linux kernel, the following vulnerability has been resolved: batman-adv: clear current gateway during teardown batadv_gw_node_free() removes the gateway list entries during mesh teardown, but it does not clear the currently selected gateway. This leaves stale gateway state behind across cleanup and can break a later mesh recreation. Clear bat_priv->gw.curr_gw before walking the gateway list so the selected gateway reference is dropped as part of teardown.

Affected products

Linux
  • =<5.15.*
  • <3.1
  • =<6.18.*
  • =<6.12.*
  • =<7.0.*
  • <a340a51ed801eab7bb454150c226323b865263cc
  • ==3.1
  • <9a1a8ed4facfe843bde6fdfcf7af0e9923eb2e17
  • =<*
  • <a3f3f1ec8aad84c5dd386c430b9c61cddd85b18f
  • <6de089b545db013433cf934bb4e4433dec2dd65f
  • <30bda3ef4b0cac777f1a7c314cd08b8ff6437365
  • <e2ec4c712d19141ca7bf7fbbb1d842f73abaa186
  • <17e3a441111cd1a530cd6ee69a22f3161d80d810
  • =<6.1.*
  • =<5.10.*
  • <ae7aeb0ce3c0ebbe357ed525779acac197a18086
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: airoha: fix BQL imbalance in TX path

In the Linux kernel, the following vulnerability has been resolved: net: airoha: fix BQL imbalance in TX path Fix a possible BQL imbalance in airoha_dev_xmit(), where inflight packets are accounted only for the AIROHA_NUM_TX_RING netdev TX queues. The queue index is computed as: qid = skb_get_queue_mapping(skb) % ARRAY_SIZE(qdma->q_tx) txq = netdev_get_tx_queue(dev, qid); However, airoha_qdma_tx_napi_poll() accounts completions across all netdev TX queues (num_tx_queues), leading to inconsistent BQL accounting. Also reset all netdev TX queues in the ndo_stop callback.

Affected products

Linux
  • <ded2694247a55a16d0ebbe2d6f9139305c21457a
  • <6.13
  • =<6.18.*
  • <6.13
  • <aaad53a55812acd2355c0e5478896381e78b0110
  • =<7.0.*
  • ==6.13
  • =<*
  • <2d9f5a118205da2683ffcec78b9347f1f01a820e
  • ==ca24fcac1daaa5e8a667981d81986a3eb4b9fb04
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent lockup in requeue-PI during signal/ timeout wakeup During wait-requeue-pi (task A) and requeue-PI (task B) the following race can happen: Task A Task B futex_wait_requeue_pi() futex_setup_timer() futex_do_wait() futex_requeue() CLASS(hb, hb1)(&key1); CLASS(hb, hb2)(&key2); *timeout* futex_requeue_pi_wakeup_sync() requeue_state = Q_REQUEUE_PI_IGNORE *blocks on hb->lock* futex_proxy_trylock_atomic() futex_requeue_pi_prepare() Q_REQUEUE_PI_IGNORE => -EAGAIN double_unlock_hb(hb1, hb2) *retry* Task B acquires both hb locks and attempts to acquire the PI-lock of the top most waiter (task B). Task A is leaving early due to a signal/ timeout and started removing itself from the queue. It updates its requeue_state but can not remove it from the list because this requires the hb lock which is owned by task B. Usually task A is able to swoop the lock after task B unlocked it. However if task B is of higher priority then task A may not be able to wake up in time and acquire the lock before task B gets it again. Especially on a UP system where A is never scheduled. As a result task A blocks on the lock and task B busy loops, trying to make progress but live locks the system instead. Tragic. This can be fixed by removing the top most waiter from the list in this case. This allows task B to grab the next top waiter (if any) in the next iteration and make progress. Remove the top most waiter if futex_requeue_pi_prepare() fails. Let the waiter conditionally remove itself from the list in handle_early_requeue_pi_wakeup().

Affected products

Linux
  • <69a7cfc66405aeaa2483147653d031b3592ffc9c
  • <0aacb6d18f76552e3e0ee25d9f40d21b3486f4cf
  • <bc7304f3ae20972d11db6e0b1b541c63feda5f05
  • =<6.18.*
  • =<6.12.*
  • <4e0ed44e51727d56244a822ab941efe507c47966
  • =<7.0.*
  • <e3f95b1ba242e37093305812df7fdbe7288a43ac
  • <5.15
  • =<*
  • ==5.15
  • =<6.1.*
  • <0304d60abb9dcc02bc7fe6d1850f4ca206e8f1a0
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.

Affected products

Linux
  • ==3.17
  • =<6.1.*
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <6b4d226d01ab7da0d2027a2a1e3a6079152e5065
  • =<7.0.*
  • <9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
  • <3.17
  • <385b2d0468a0871fc716c549fa3b0c257c7dbcb3
  • =<*
  • <5c7209a341ff2ac338b2b0375c34a307b37c9ac2
  • <c7777f534a8018ae4bb1c80d8925af4df588a314
  • <60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
  • <c27224daf0b08efbb2b24ed64b6139b294f5473a
  • =<5.10.*
  • <541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Affected products

Linux
  • <8fc289e809f3eb7e36cadc4684ab6fad747a5a93
  • <7.0
  • =<7.0.*
  • =<*
  • ==7.0
  • <5474e6e17a262db45c60575c73f70210f5c7001f