{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-1085-kvm", "linux-image-5.15.0-1085-kvm", "linux-kvm-headers-5.15.0-1085", "linux-modules-5.15.0-1085-kvm" ], "removed": [ "linux-headers-5.15.0-1084-kvm", "linux-image-5.15.0-1084-kvm", "linux-kvm-headers-5.15.0-1084", "linux-modules-5.15.0-1084-kvm" ], "diff": [ "cloud-init", "libperl5.34", "linux-headers-kvm", "linux-image-kvm", "linux-kvm", "perl", "perl-base", "perl-modules-5.34" ] } }, "diff": { "deb": [ { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.1.2-0ubuntu0~22.04.2", "version": "25.1.2-0ubuntu0~22.04.2" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "25.1.4-0ubuntu0~22.04.1", "version": "25.1.4-0ubuntu0~22.04.1" }, "cves": [ { "cve": "CVE-2024-6174", "url": "https://ubuntu.com/security/CVE-2024-6174", "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" }, { "cve": "CVE-2024-11584", "url": "https://ubuntu.com/security/CVE-2024-11584", "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" }, { "cve": "CVE-2024-6174", "url": "https://ubuntu.com/security/CVE-2024-6174", "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2069607, 2114229, 2069607 ], "changes": [ { "cves": [ { "cve": "CVE-2024-6174", "url": "https://ubuntu.com/security/CVE-2024-6174", "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" } ], "log": [ "", " * refresh patches:", " - d/p/revert-usr-lib-systemd-units.patch", " * Upstream snapshot based on 25.1.4.", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog", " - Bugs fixed in this snapshot:", " + fix: disable cloud-init when non-x86 environments have no DMI-data", " and no strict datasources detected (LP: #2069607) (CVE-2024-6174)", "" ], "package": "cloud-init", "version": "25.1.4-0ubuntu0~22.04.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2069607 ], "author": "Chad Smith ", "date": "Tue, 24 Jun 2025 15:15:25 -0600" }, { "cves": [ { "cve": "CVE-2024-11584", "url": "https://ubuntu.com/security/CVE-2024-11584", "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" }, { "cve": "CVE-2024-6174", "url": "https://ubuntu.com/security/CVE-2024-6174", "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.", "cve_priority": "medium", "cve_public_date": "2025-06-26 10:15:00 UTC" } ], "log": [ "", " * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only", " share dir (CVE-2024-11584)", " * Upstream security bugfix release based on 25.1.3.", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog", " - Bugs fixed in this snapshot:", " - security: make hotplug socket only writable by root (LP: #2114229)", " (CVE-2024-11584)", " - security: make ds-identify behavior strict datasource discovery on", " non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)", "" ], "package": "cloud-init", "version": "25.1.3-0ubuntu0~22.04.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2114229, 2069607 ], "author": "Chad Smith ", "date": "Thu, 12 Jun 2025 20:28:18 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "libperl5.34", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.5", "version": "5.34.0-3ubuntu1.5" }, "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: threads race condition in file operations", " - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for", " fdopendir in regen-configure/U/perl/d_fdopendir.U.", " - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without", " fchdir in Configure, Cross/config.sh-arm-linux,", " Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,", " config_h.SH, configure.com, plan9/config_sh.sample, sv.c,", " t/op/threads-dirh.t, win32/config.gc, win32/config.vc.", " - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in", " Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,", " config_h.SH,plan9/config_sh.sample.", " - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec", " in Perl_dirp_dup to set O_CLOEXEC in sv.c.", " - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly", " reorder Configure and config_h.SH to match metaconfig output in", " Configure, config_h.SH.", " - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated", " files and checksums in uconfig.sh, uconfig64.sh, uconfig.h,", " NetWare/config.wc.", " - CVE-2025-40909", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 25 Jul 2025 13:26:40 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1084.80", "version": "5.15.0.1084.80" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1085.81", "version": "5.15.0.1085.81" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1085", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1085.81", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 14:00:53 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1084.80", "version": "5.15.0.1084.80" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1085.81", "version": "5.15.0.1085.81" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1085", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1085.81", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 14:00:53 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1084.80", "version": "5.15.0.1084.80" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1085.81", "version": "5.15.0.1085.81" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1085", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1085.81", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 14:00:53 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.5", "version": "5.34.0-3ubuntu1.5" }, "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: threads race condition in file operations", " - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for", " fdopendir in regen-configure/U/perl/d_fdopendir.U.", " - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without", " fchdir in Configure, Cross/config.sh-arm-linux,", " Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,", " config_h.SH, configure.com, plan9/config_sh.sample, sv.c,", " t/op/threads-dirh.t, win32/config.gc, win32/config.vc.", " - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in", " Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,", " config_h.SH,plan9/config_sh.sample.", " - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec", " in Perl_dirp_dup to set O_CLOEXEC in sv.c.", " - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly", " reorder Configure and config_h.SH to match metaconfig output in", " Configure, config_h.SH.", " - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated", " files and checksums in uconfig.sh, uconfig64.sh, uconfig.h,", " NetWare/config.wc.", " - CVE-2025-40909", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 25 Jul 2025 13:26:40 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-base", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.5", "version": "5.34.0-3ubuntu1.5" }, "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: threads race condition in file operations", " - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for", " fdopendir in regen-configure/U/perl/d_fdopendir.U.", " - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without", " fchdir in Configure, Cross/config.sh-arm-linux,", " Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,", " config_h.SH, configure.com, plan9/config_sh.sample, sv.c,", " t/op/threads-dirh.t, win32/config.gc, win32/config.vc.", " - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in", " Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,", " config_h.SH,plan9/config_sh.sample.", " - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec", " in Perl_dirp_dup to set O_CLOEXEC in sv.c.", " - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly", " reorder Configure and config_h.SH to match metaconfig output in", " Configure, config_h.SH.", " - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated", " files and checksums in uconfig.sh, uconfig64.sh, uconfig.h,", " NetWare/config.wc.", " - CVE-2025-40909", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 25 Jul 2025 13:26:40 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-modules-5.34", "from_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.4", "version": "5.34.0-3ubuntu1.4" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.34.0-3ubuntu1.5", "version": "5.34.0-3ubuntu1.5" }, "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-40909", "url": "https://ubuntu.com/security/CVE-2025-40909", "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6", "cve_priority": "medium", "cve_public_date": "2025-05-30 13:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: threads race condition in file operations", " - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for", " fdopendir in regen-configure/U/perl/d_fdopendir.U.", " - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without", " fchdir in Configure, Cross/config.sh-arm-linux,", " Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,", " config_h.SH, configure.com, plan9/config_sh.sample, sv.c,", " t/op/threads-dirh.t, win32/config.gc, win32/config.vc.", " - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in", " Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,", " config_h.SH,plan9/config_sh.sample.", " - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec", " in Perl_dirp_dup to set O_CLOEXEC in sv.c.", " - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly", " reorder Configure and config_h.SH to match metaconfig output in", " Configure, config_h.SH.", " - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated", " files and checksums in uconfig.sh, uconfig64.sh, uconfig.h,", " NetWare/config.wc.", " - CVE-2025-40909", "" ], "package": "perl", "version": "5.34.0-3ubuntu1.5", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 25 Jul 2025 13:26:40 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-1085-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1085.90", "version": "5.15.0-1085.90" }, "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2116444, 2116458 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1085.90 -proposed tracker (LP: #2116444)", "", " [ Ubuntu: 5.15.0-145.158 ]", "", " * jammy/linux: 5.15.0-145.158 -proposed tracker (LP: #2116458)", " * CVE-2025-38083", " - net_sched: prio: fix a race in prio_tune()", " * CVE-2024-50073", " - tty: n_gsm: Fix use-after-free in gsm_cleanup_mux", "" ], "package": "linux-kvm", "version": "5.15.0-1085.90", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2116444, 2116458 ], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 11:28:41 +0800" } ], "notes": "linux-headers-5.15.0-1085-kvm version '5.15.0-1085.90' (source package linux-kvm version '5.15.0-1085.90') was added. linux-headers-5.15.0-1085-kvm version '5.15.0-1085.90' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1084-kvm. As such we can use the source package version of the removed package, '5.15.0-1084.89', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1085-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1084.89", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1085.90", "version": "5.15.0-1085.90" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-1085.90", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1085.90", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 14:02:35 +0800" } ], "notes": "linux-image-5.15.0-1085-kvm version '5.15.0-1085.90' (source package linux-signed-kvm version '5.15.0-1085.90') was added. linux-image-5.15.0-1085-kvm version '5.15.0-1085.90' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1084-kvm. As such we can use the source package version of the removed package, '5.15.0-1084.89', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1085", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1085.90", "version": "5.15.0-1085.90" }, "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2116444, 2116458 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1085.90 -proposed tracker (LP: #2116444)", "", " [ Ubuntu: 5.15.0-145.158 ]", "", " * jammy/linux: 5.15.0-145.158 -proposed tracker (LP: #2116458)", " * CVE-2025-38083", " - net_sched: prio: fix a race in prio_tune()", " * CVE-2024-50073", " - tty: n_gsm: Fix use-after-free in gsm_cleanup_mux", "" ], "package": "linux-kvm", "version": "5.15.0-1085.90", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2116444, 2116458 ], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 11:28:41 +0800" } ], "notes": "linux-kvm-headers-5.15.0-1085 version '5.15.0-1085.90' (source package linux-kvm version '5.15.0-1085.90') was added. linux-kvm-headers-5.15.0-1085 version '5.15.0-1085.90' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1084-kvm. As such we can use the source package version of the removed package, '5.15.0-1084.89', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1085-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1085.90", "version": "5.15.0-1085.90" }, "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2116444, 2116458 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38083", "url": "https://ubuntu.com/security/CVE-2025-38083", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.", "cve_priority": "medium", "cve_public_date": "2025-06-20 12:15:00 UTC" }, { "cve": "CVE-2024-50073", "url": "https://ubuntu.com/security/CVE-2024-50073", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.", "cve_priority": "medium", "cve_public_date": "2024-10-29 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1085.90 -proposed tracker (LP: #2116444)", "", " [ Ubuntu: 5.15.0-145.158 ]", "", " * jammy/linux: 5.15.0-145.158 -proposed tracker (LP: #2116458)", " * CVE-2025-38083", " - net_sched: prio: fix a race in prio_tune()", " * CVE-2024-50073", " - tty: n_gsm: Fix use-after-free in gsm_cleanup_mux", "" ], "package": "linux-kvm", "version": "5.15.0-1085.90", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2116444, 2116458 ], "author": "Guoqing Jiang ", "date": "Mon, 21 Jul 2025 11:28:41 +0800" } ], "notes": "linux-modules-5.15.0-1085-kvm version '5.15.0-1085.90' (source package linux-kvm version '5.15.0-1085.90') was added. linux-modules-5.15.0-1085-kvm version '5.15.0-1085.90' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1084-kvm. As such we can use the source package version of the removed package, '5.15.0-1084.89', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-1084-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": "5.15.0-1084.89" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1084-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1084.89", "version": "5.15.0-1084.89" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1084", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": "5.15.0-1084.89" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1084-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1084.89", "version": "5.15.0-1084.89" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20250728 to 20250729", "from_series": "jammy", "to_series": "jammy", "from_serial": "20250728", "to_serial": "20250729", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }