{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "lxd" ] }, "deb": { "added": [ "linux-headers-6.8.0-90-generic", "linux-image-6.8.0-90-generic", "linux-modules-6.8.0-90-generic", "linux-riscv-6.8-headers-6.8.0-90" ], "removed": [ "linux-headers-6.8.0-88-generic", "linux-image-6.8.0-88-generic", "linux-modules-6.8.0-88-generic", "linux-riscv-6.8-headers-6.8.0-88" ], "diff": [ "apparmor", "binutils", "binutils-common:riscv64", "binutils-riscv64-linux-gnu", "landscape-common", "libapparmor1:riscv64", "libbinutils:riscv64", "libctf-nobfd0:riscv64", "libctf0:riscv64", "libpng16-16:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "python-apt-common", "python3-apt", "python3-attr", "python3-urllib3" ] } }, "diff": { "deb": [ { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.4", "version": "3.0.4-2ubuntu2.4" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.5", "version": "3.0.4-2ubuntu2.5" }, "cves": [], "launchpad_bugs_fixed": [ 2115234 ], "changes": [ { "cves": [], "log": [ "", " * profiles: make /sys/devices PCI paths hex-aware (LP: #2115234)", "" ], "package": "apparmor", "version": "3.0.4-2ubuntu2.5", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2115234 ], "author": "Keifer Snedeker ", "date": "Fri, 15 Aug 2025 13:17:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "binutils", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "binutils-common:riscv64", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "binutils-riscv64-linux-gnu", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "landscape-common", "from_version": { "source_package_name": "landscape-client", "source_package_version": "23.02-0ubuntu1~22.04.6", "version": "23.02-0ubuntu1~22.04.6" }, "to_version": { "source_package_name": "landscape-client", "source_package_version": "23.02-0ubuntu1~22.04.7", "version": "23.02-0ubuntu1~22.04.7" }, "cves": [], "launchpad_bugs_fixed": [ 2087852 ], "changes": [ { "cves": [], "log": [ "", " * d/p/fix-apt-source-file-management.patch: restore .list and .sources files", " when a repo profile is disassociated (LP: #2087852)", "" ], "package": "landscape-client", "version": "23.02-0ubuntu1~22.04.7", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2087852 ], "author": "Mitch Burton ", "date": "Fri, 13 Jun 2025 09:13:16 -0700" } ], "notes": null, "is_version_downgrade": false }, { "name": "libapparmor1:riscv64", "from_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.4", "version": "3.0.4-2ubuntu2.4" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.5", "version": "3.0.4-2ubuntu2.5" }, "cves": [], "launchpad_bugs_fixed": [ 2115234 ], "changes": [ { "cves": [], "log": [ "", " * profiles: make /sys/devices PCI paths hex-aware (LP: #2115234)", "" ], "package": "apparmor", "version": "3.0.4-2ubuntu2.5", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2115234 ], "author": "Keifer Snedeker ", "date": "Fri, 15 Aug 2025 13:17:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libbinutils:riscv64", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libctf-nobfd0:riscv64", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libctf0:riscv64", "from_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.11", "version": "2.38-4ubuntu2.11" }, "to_version": { "source_package_name": "binutils", "source_package_version": "2.38-4ubuntu2.12", "version": "2.38-4ubuntu2.12" }, "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11412", "url": "https://ubuntu.com/security/CVE-2025-11412", "cve_description": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11413", "url": "https://ubuntu.com/security/CVE-2025-11413", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.", "cve_priority": "medium", "cve_public_date": "2025-10-07 22:15:00 UTC" }, { "cve": "CVE-2025-11414", "url": "https://ubuntu.com/security/CVE-2025-11414", "cve_description": "A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.", "cve_priority": "medium", "cve_public_date": "2025-10-07 23:15:00 UTC" }, { "cve": "CVE-2025-11494", "url": "https://ubuntu.com/security/CVE-2025-11494", "cve_description": "A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.", "cve_priority": "medium", "cve_public_date": "2025-10-08 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11412.patch: PR 33452 SEGV in", " bfd_elf_gc_record_vtentry", " - CVE-2025-11412", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11413.patch: Re: elf: Disallow the empty", " global symbol name", " - CVE-2025-11413", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11414.patch: elf: Return error on unsorted", " symbol table if not allowed", " - CVE-2025-11414", " * SECURITY UPDATE: Out-of-Bounds Read", " - debian/patches/CVE-2025-11494.patch: x86: Keep", " _GLOBAL_OFFSET_TABLE_ for .eh_frame", " - CVE-2025-11494", "" ], "package": "binutils", "version": "2.38-4ubuntu2.12", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "John Breton ", "date": "Wed, 03 Dec 2025 10:08:01 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16:riscv64", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.37-3build5", "version": "1.6.37-3build5" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.37-3ubuntu0.1", "version": "1.6.37-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2025-64505", "url": "https://ubuntu.com/security/CVE-2025-64505", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64506", "url": "https://ubuntu.com/security/CVE-2025-64506", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64720", "url": "https://ubuntu.com/security/CVE-2025-64720", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-65018", "url": "https://ubuntu.com/security/CVE-2025-65018", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-64505", "url": "https://ubuntu.com/security/CVE-2025-64505", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64506", "url": "https://ubuntu.com/security/CVE-2025-64506", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64720", "url": "https://ubuntu.com/security/CVE-2025-64720", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-65018", "url": "https://ubuntu.com/security/CVE-2025-65018", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow issue", " - debian/patches/CVE-2025-64505.patch: Fix a buffer overflow in", " png_do_quantize", " - debian/patches/CVE-2025-64506.patch: Fix a heap buffer overflow in", " png_write_image_8bit", " - debian/patches/CVE-2025-64720.patch: Fix a buffer overflow in", " png_init_read_transformations", " - debian/patches/CVE-2025-65018.patch: Fix a heap buffer overflow in", " png_image_finish_read", " - CVE-2025-64505", " - CVE-2025-64506", " - CVE-2025-64720", " - CVE-2025-65018", "" ], "package": "libpng1.6", "version": "1.6.37-3ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Tue, 09 Dec 2025 17:35:45 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.88.89~22.04.1", "version": "6.8.0.88.89~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.90.91~22.04.1", "version": "6.8.0.90.91~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-90.91~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 18:04:56 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.88.89~22.04.1", "version": "6.8.0.88.89~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.90.91~22.04.1", "version": "6.8.0.90.91~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-90.91~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 18:04:56 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.88.89~22.04.1", "version": "6.8.0.88.89~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.90.91~22.04.1", "version": "6.8.0.90.91~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-90.91~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 18:04:56 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.88.89~22.04.1", "version": "6.8.0.88.89~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.90.91~22.04.1", "version": "6.8.0.90.91~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-90.91~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 18:04:56 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python-apt-common", "from_version": { "source_package_name": "python-apt", "source_package_version": "2.4.0ubuntu4", "version": "2.4.0ubuntu4" }, "to_version": { "source_package_name": "python-apt", "source_package_version": "2.4.0ubuntu4.1", "version": "2.4.0ubuntu4.1" }, "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2091865 ], "changes": [ { "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)", " - python/tag.cc: check for NULL pointer before dereferencing", " - CVE-2025-6966", "" ], "package": "python-apt", "version": "2.4.0ubuntu4.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2091865 ], "author": "Sudhakar Verma ", "date": "Fri, 05 Dec 2025 22:48:12 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-apt", "from_version": { "source_package_name": "python-apt", "source_package_version": "2.4.0ubuntu4", "version": "2.4.0ubuntu4" }, "to_version": { "source_package_name": "python-apt", "source_package_version": "2.4.0ubuntu4.1", "version": "2.4.0ubuntu4.1" }, "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2091865 ], "changes": [ { "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)", " - python/tag.cc: check for NULL pointer before dereferencing", " - CVE-2025-6966", "" ], "package": "python-apt", "version": "2.4.0ubuntu4.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2091865 ], "author": "Sudhakar Verma ", "date": "Fri, 05 Dec 2025 22:48:12 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-attr", "from_version": { "source_package_name": "python-attrs", "source_package_version": "21.2.0-1", "version": "21.2.0-1" }, "to_version": { "source_package_name": "python-attrs", "source_package_version": "21.2.0-1ubuntu1", "version": "21.2.0-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2121607 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0005-Rework-linecache-handling-828.patch: Cherry-pick upstream PR 826 ", " - Fix memory leak when creating many identical classes (Fixes LP: #2121607)", "" ], "package": "python-attrs", "version": "21.2.0-1ubuntu1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2121607 ], "author": "Zachary Raines ", "date": "Mon, 06 Oct 2025 15:28:54 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.3", "version": "1.26.5-1~exp1ubuntu0.3" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.4", "version": "1.26.5-1~exp1ubuntu0.4" }, "cves": [ { "cve": "CVE-2025-66418", "url": "https://ubuntu.com/security/CVE-2025-66418", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", "cve_priority": "medium", "cve_public_date": "2025-12-05 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-66418", "url": "https://ubuntu.com/security/CVE-2025-66418", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", "cve_priority": "medium", "cve_public_date": "2025-12-05 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of service due to unbounded decompression chain.", " - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and", " checks in src/urllib3/response.py. Add test in test/test_response.py.", " - CVE-2025-66418", "" ], "package": "python-urllib3", "version": "1.26.5-1~exp1ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 10 Dec 2025 17:29:42 -0330" } ], "notes": null, "is_version_downgrade": false } ], "snap": [ { "name": "lxd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "36566" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "36947" } } ] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-90-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-90.91~22.04.1", "version": "6.8.0-90.91~22.04.1" }, "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "changes": [ { "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-90.91~22.04.1 -proposed tracker (LP: #2131784)", "", " [ Ubuntu: 6.8.0-90.91 ]", "", " * noble/linux: 6.8.0-90.91 -proposed tracker (LP: #2131785)", " * cifs: Fix memory leak of a folio every call to cifs_writepages_begin()", " (LP: #2131213)", " - cifs: fix pagecache leak when do writepages", "", " [ Ubuntu: 6.8.0-89.90 ]", "", " * noble/linux: 6.8.0-89.90 -proposed tracker (LP: #2131481)", " * CVE-2025-39993", " - media: rc: fix races with imon_disconnect()", " * Audio output fails on internal speakers when using kernel 6.8.0-84 and", " newer. (LP: #2130212)", " - Revert \"ASoC: cs35l56: Prevent races when soft-resetting using SPI", " control\"", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", " * CVE-2025-39964", " - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg", " - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx", " * CVE-2025-37958", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " * CVE-2025-38666", " - net: appletalk: Fix use-after-free in AARP proxy probe", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 17:56:48 +0100" } ], "notes": "linux-headers-6.8.0-90-generic version '6.8.0-90.91~22.04.1' (source package linux-riscv-6.8 version '6.8.0-90.91~22.04.1') was added. linux-headers-6.8.0-90-generic version '6.8.0-90.91~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-88-generic. As such we can use the source package version of the removed package, '6.8.0-88.89~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-6.8.0-90-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-90.91~22.04.1", "version": "6.8.0-90.91~22.04.1" }, "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "changes": [ { "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-90.91~22.04.1 -proposed tracker (LP: #2131784)", "", " [ Ubuntu: 6.8.0-90.91 ]", "", " * noble/linux: 6.8.0-90.91 -proposed tracker (LP: #2131785)", " * cifs: Fix memory leak of a folio every call to cifs_writepages_begin()", " (LP: #2131213)", " - cifs: fix pagecache leak when do writepages", "", " [ Ubuntu: 6.8.0-89.90 ]", "", " * noble/linux: 6.8.0-89.90 -proposed tracker (LP: #2131481)", " * CVE-2025-39993", " - media: rc: fix races with imon_disconnect()", " * Audio output fails on internal speakers when using kernel 6.8.0-84 and", " newer. (LP: #2130212)", " - Revert \"ASoC: cs35l56: Prevent races when soft-resetting using SPI", " control\"", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", " * CVE-2025-39964", " - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg", " - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx", " * CVE-2025-37958", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " * CVE-2025-38666", " - net: appletalk: Fix use-after-free in AARP proxy probe", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 17:56:48 +0100" } ], "notes": "linux-image-6.8.0-90-generic version '6.8.0-90.91~22.04.1' (source package linux-riscv-6.8 version '6.8.0-90.91~22.04.1') was added. linux-image-6.8.0-90-generic version '6.8.0-90.91~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-88-generic. As such we can use the source package version of the removed package, '6.8.0-88.89~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-90-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-90.91~22.04.1", "version": "6.8.0-90.91~22.04.1" }, "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "changes": [ { "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-90.91~22.04.1 -proposed tracker (LP: #2131784)", "", " [ Ubuntu: 6.8.0-90.91 ]", "", " * noble/linux: 6.8.0-90.91 -proposed tracker (LP: #2131785)", " * cifs: Fix memory leak of a folio every call to cifs_writepages_begin()", " (LP: #2131213)", " - cifs: fix pagecache leak when do writepages", "", " [ Ubuntu: 6.8.0-89.90 ]", "", " * noble/linux: 6.8.0-89.90 -proposed tracker (LP: #2131481)", " * CVE-2025-39993", " - media: rc: fix races with imon_disconnect()", " * Audio output fails on internal speakers when using kernel 6.8.0-84 and", " newer. (LP: #2130212)", " - Revert \"ASoC: cs35l56: Prevent races when soft-resetting using SPI", " control\"", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", " * CVE-2025-39964", " - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg", " - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx", " * CVE-2025-37958", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " * CVE-2025-38666", " - net: appletalk: Fix use-after-free in AARP proxy probe", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 17:56:48 +0100" } ], "notes": "linux-modules-6.8.0-90-generic version '6.8.0-90.91~22.04.1' (source package linux-riscv-6.8 version '6.8.0-90.91~22.04.1') was added. linux-modules-6.8.0-90-generic version '6.8.0-90.91~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-88-generic. As such we can use the source package version of the removed package, '6.8.0-88.89~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-riscv-6.8-headers-6.8.0-90", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-90.91~22.04.1", "version": "6.8.0-90.91~22.04.1" }, "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "changes": [ { "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-37958", "url": "https://ubuntu.com/security/CVE-2025-37958", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\" BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.", "cve_priority": "medium", "cve_public_date": "2025-05-20 16:15:00 UTC" }, { "cve": "CVE-2025-38666", "url": "https://ubuntu.com/security/CVE-2025-38666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================", "cve_priority": "high", "cve_public_date": "2025-08-22 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-90.91~22.04.1 -proposed tracker (LP: #2131784)", "", " [ Ubuntu: 6.8.0-90.91 ]", "", " * noble/linux: 6.8.0-90.91 -proposed tracker (LP: #2131785)", " * cifs: Fix memory leak of a folio every call to cifs_writepages_begin()", " (LP: #2131213)", " - cifs: fix pagecache leak when do writepages", "", " [ Ubuntu: 6.8.0-89.90 ]", "", " * noble/linux: 6.8.0-89.90 -proposed tracker (LP: #2131481)", " * CVE-2025-39993", " - media: rc: fix races with imon_disconnect()", " * Audio output fails on internal speakers when using kernel 6.8.0-84 and", " newer. (LP: #2130212)", " - Revert \"ASoC: cs35l56: Prevent races when soft-resetting using SPI", " control\"", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", " * CVE-2025-39964", " - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg", " - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx", " * CVE-2025-37958", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " * CVE-2025-38666", " - net: appletalk: Fix use-after-free in AARP proxy probe", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-90.91~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2131784, 2131785, 2131213, 2131481, 2130212, 2130552 ], "author": "Sarah Emery ", "date": "Fri, 21 Nov 2025 17:56:48 +0100" } ], "notes": "linux-riscv-6.8-headers-6.8.0-90 version '6.8.0-90.91~22.04.1' (source package linux-riscv-6.8 version '6.8.0-90.91~22.04.1') was added. linux-riscv-6.8-headers-6.8.0-90 version '6.8.0-90.91~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-88-generic. As such we can use the source package version of the removed package, '6.8.0-88.89~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-88-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": "6.8.0-88.89~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-6.8.0-88-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": "6.8.0-88.89~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-88-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": "6.8.0-88.89~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-riscv-6.8-headers-6.8.0-88", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-88.89~22.04.1", "version": "6.8.0-88.89~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20251203 to 20251216", "from_series": "jammy", "to_series": "jammy", "from_serial": "20251203", "to_serial": "20251216", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }