[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-38129":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":21,"related":22,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":34,"epss":9,"epss_history":35,"metrics":36,"affected":43},"DEBIAN-CVE-2025-38129","In the Linux kernel, the following vulnerability has been resolved:  page_pool: Fix use-after-free in page_pool_recycle_in_ring  syzbot reported a uaf in page_pool_recycle_in_ring:  BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943  CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  \u003CTASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x169/0x550 mm/kasan/report.c:489  kasan_report+0x143/0x180 mm/kasan/report.c:602  lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]  _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210  spin_unlock_bh include/linux/spinlock.h:396 [inline]  ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]  page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]  page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826  page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]  page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]  napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036  skb_pp_recycle net/core/skbuff.c:1047 [inline]  skb_free_head net/core/skbuff.c:1094 [inline]  skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125  skb_release_all net/core/skbuff.c:1190 [inline]  __kfree_skb net/core/skbuff.c:1204 [inline]  sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242  kfree_skb_reason include/linux/skbuff.h:1263 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]  root cause is:  page_pool_recycle_in_ring   ptr_ring_produce     spin_lock(&r->producer_lock);     WRITE_ONCE(r->queue[r->producer++], ptr)       //recycle last page to pool \t\t\t\tpage_pool_release \t\t\t\t  page_pool_scrub \t\t\t\t    page_pool_empty_ring \t\t\t\t      ptr_ring_consume \t\t\t\t      page_pool_return_page  //release all page \t\t\t\t  __page_pool_destroy \t\t\t\t     free_percpu(pool->recycle_stats); \t\t\t\t     free(pool) //free       spin_unlock(&r->producer_lock); //pool->ring uaf read   recycle_stat_inc(pool, ring);  page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.  recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.",null,[],[],[],[14],{"_key":15},"CVE-2025-38129",[17,19],{"_key":18},"DLA-4476-1",{"_key":20},"DSA-6127-1",[],[],"2025-07-03T09:15:27.170Z","2026-04-28T20:29:52.611745Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28],{"url":29,"sources":30,"tags":32},"https://security-tracker.debian.org/tracker/CVE-2025-38129",[31],"osv_debian",[33],"Advisory",[],[],[37],{"source":31,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":38,"cvss_v4_0":9},{"baseScore":39,"baseSeverity":9,"vectorString":40,"impactScore":41,"exploitabilityScore":42},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[44,63],{"ecosystem":45,"name":46,"vendor":47,"product":46,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":46,"source":9,"versions":49},"Debian","linux","debian","deb",[50,54,55,59,62],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":56,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":57,"version_end_type":58,"fixed_in":9},"lt6_1_162_1","6.1.162-1","excluding",{"version":60,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":61,"version_end_type":58,"fixed_in":9},"lt6_12_35_1","6.12.35-1",{"version":60,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":61,"version_end_type":58,"fixed_in":9},{"ecosystem":45,"name":64,"vendor":47,"product":64,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":64,"source":9,"versions":65},"linux-6.1",[66,67],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":68,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":69,"version_end_type":58,"fixed_in":9},"lt6_1_162_1~deb11u1","6.1.162-1~deb11u1"]