CVE-2021-47128
Published: 15 March 2024
In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. This is indirectly also getting audit subsystem involved to report events. The latter is problematic, as reported by Ondrej and Serhei, since it can bring down the whole system via audit: 1) The audit events that are triggered due to calls to security_locked_down() can OOM kill a machine, see below details [0]. 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() when trying to wake up kauditd, for example, when using trace_sched_switch() tracepoint, see details in [1]. Triggering this was not via some hypothetical corner case, but with existing tools like runqlat & runqslower from bcc, for example, which make use of this tracepoint. Rough call sequence goes like: rq_lock(rq) -> -------------------------+ trace_sched_switch() -> | bpf_prog_xyz() -> +-> deadlock selinux_lockdown() -> | audit_log_end() -> | wake_up_interruptible() -> | try_to_wake_up() -> | rq_lock(rq) --------------+ What's worse is that the intention of 59438b46471a to further restrict lockdown settings for specific applications in respect to the global lockdown policy is completely broken for BPF. The SELinux policy rule for the current lockdown check looks something like this: allow <who> <who> : lockdown { <reason> }; However, this doesn't match with the 'current' task where the security_locked_down() is executed, example: httpd does a syscall. There is a tracing program attached to the syscall which triggers a BPF program to run, which ends up doing a bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does the permission check against 'current', that is, httpd in this example. httpd has literally zero relation to this tracing program, and it would be nonsensical having to write an SELinux policy rule against httpd to let the tracing helper pass. The policy in this case needs to be against the entity that is installing the BPF program. For example, if bpftrace would generate a histogram of syscall counts by user space application: bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' bpftrace would then go and generate a BPF program from this internally. One way of doing it [for the sake of the example] could be to call bpf_get_current_task() helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the program itself has nothing to do with httpd or any other random app doing a syscall here. The BPF program _explicitly initiated_ the lockdown check. The allow/deny policy belongs in the context of bpftrace: meaning, you want to grant bpftrace access to use these helpers, but other tracers on the system like my_random_tracer _not_. Therefore fix all three issues at the same time by taking a completely different approach for the security_locked_down() hook, that is, move the check into the program verification phase where we actually retrieve the BPF func proto. This also reliably gets the task (current) that is trying to install the BPF tracing program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since we're moving this out of the BPF helper's fast-path which can be called several millions of times per second. The check is then also in line with other security_locked_down() hooks in the system where the enforcement is performed at open/load time, for example, open_kcore() for /proc/kcore access or module_sig_check() for module signatures just to pick f ---truncated---
Priority
Status
Package | Release | Status |
---|---|---|
linux Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.13.0-16.19)
|
focal |
Not vulnerable
(5.4.0-9.12)
|
|
jammy |
Not vulnerable
(5.13.0-19.19)
|
|
mantic |
Not vulnerable
(6.2.0-20.20)
|
|
noble |
Not vulnerable
(6.5.0-9.9)
|
|
trusty |
Not vulnerable
(3.11.0-12.19)
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.4.0-2.16)
|
|
Patches: Introduced by 59438b46471ae6cdfb761afc8c9beaf1e428a331 |
||
linux-allwinner-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(end of kernel support)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-aws Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1001.1)
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
jammy |
Not vulnerable
(5.13.0-1005.6)
|
|
mantic |
Not vulnerable
(6.2.0-1003.3)
|
|
noble |
Not vulnerable
(6.5.0-1008.8)
|
|
trusty |
Not vulnerable
(4.4.0-1002.2)
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.4.0-1001.10)
|
|
linux-aws-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-aws-5.3)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-5.3)
|
|
linux-aws-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-aws-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-5.13)
|
|
linux-aws-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-aws-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-5.15)
|
|
linux-aws-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1014.18~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-aws-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-aws-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-6.2)
|
|
linux-aws-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-aws-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-5.4)
|
|
linux-aws-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1018.18~18.04.1)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-aws-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-aws-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-5.11)
|
|
linux-aws-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-aws-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-aws-6.5)
|
|
linux-aws-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1008.8~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-aws-fips Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.15.0-1030.31~16.04.1)
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-azure-5.3)
|
focal |
Not vulnerable
(5.4.0-1006.6)
|
|
jammy |
Not vulnerable
(5.13.0-1006.7)
|
|
mantic |
Not vulnerable
(6.2.0-1003.3)
|
|
noble |
Not vulnerable
(6.5.0-1007.7)
|
|
trusty |
Not vulnerable
(4.15.0-1023.24~14.04.1)
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.11.0-1009.9)
|
|
linux-azure-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1082.92)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-azure-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-5.13)
|
|
linux-azure-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-azure-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-5.15)
|
|
linux-azure-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1007.8~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-azure-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-6.2)
|
|
linux-azure-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-azure-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-5.4)
|
|
linux-azure-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1020.20~18.04.1)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-azure-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-5.11)
|
|
linux-azure-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-azure-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-6.5)
|
|
linux-azure-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1007.7~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-azure-5.3)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-5.3)
|
|
linux-azure-fde Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-azure-fde-5.15)
|
jammy |
Not vulnerable
(5.15.0-1019.24.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-fde-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1019.24~20.04.1.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-azure-fde-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-azure-fde-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-azure-fde-6.2)
|
|
linux-azure-fde-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(replaced by linux-azure-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(replaced by linux-azure-6.5)
|
|
linux-azure-fips Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-bluefield Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1007.10)
|
jammy |
Not vulnerable
(5.15.0-1011.13)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-fips Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-gcp-5.3)
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
jammy |
Not vulnerable
(5.13.0-1005.6)
|
|
mantic |
Not vulnerable
(6.2.0-1005.5)
|
|
noble |
Not vulnerable
(6.5.0-1007.7)
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.10.0-1004.4)
|
|
linux-gcp-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1071.81)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gcp-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-gcp-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-5.13)
|
|
linux-gcp-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-gcp-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-5.15)
|
|
linux-gcp-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1006.9~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gcp-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-gcp-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-6.2)
|
|
linux-gcp-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-gcp-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-5.4)
|
|
linux-gcp-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1019.19~18.04.2)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gcp-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-gcp-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-5.11)
|
|
linux-gcp-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-gcp-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gcp-6.5)
|
|
linux-gcp-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1010.10~22.04.3)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gcp-fips Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-gke Launchpad, Ubuntu, Debian |
focal |
Ignored
(end of kernel support)
|
jammy |
Not vulnerable
(5.15.0-1002.2)
|
|
mantic |
Does not exist
|
|
noble |
Not vulnerable
(6.8.0-1003.5)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-gke-5.0)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-gke-5.0)
|
|
linux-gke-5.15 Launchpad, Ubuntu, Debian |
focal |
Ignored
(end of kernel support)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-gke-5.4 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of kernel support)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-gkeop Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1008.9)
|
jammy |
Not vulnerable
(5.15.0-1001.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gkeop-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1003.5~20.04.2)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-gkeop-5.4 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of kernel support)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-hwe Launchpad, Ubuntu, Debian |
bionic |
Ignored
(replaced by linux-hwe-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.8.0-39.42~16.04.1)
|
|
linux-hwe-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-hwe-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-hwe-5.13)
|
|
linux-hwe-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-hwe-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-hwe-5.15)
|
|
linux-hwe-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-33.34~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-hwe-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-hwe-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-hwe-6.2)
|
|
linux-hwe-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-37.41~18.04.1)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-hwe-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-hwe-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-hwe-5.11)
|
|
linux-hwe-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-hwe-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-hwe-6.5)
|
|
linux-hwe-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-14.14~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-hwe-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
xenial |
Ignored
(superseded by linux-hwe)
|
|
linux-ibm Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1003.4)
|
jammy |
Not vulnerable
(5.15.0-1002.2)
|
|
mantic |
Ignored
(end of kernel support)
|
|
noble |
Not vulnerable
(6.5.0-1009.9)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-ibm-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1033.36~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-ibm-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1010.11~18.04.2)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-intel Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Not vulnerable
(6.8.0-1001.6)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-intel-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(end of kernel support)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-intel-iotg Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(5.15.0-1004.6)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-intel-iotg-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1003.5~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-iot Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1001.3)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1002.2)
|
focal |
Not vulnerable
(5.4.0-1004.4)
|
|
jammy |
Not vulnerable
(5.13.0-1004.4)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.4.0-1004.9)
|
|
linux-laptop Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Not vulnerable
(6.5.0-1003.6)
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-lowlatency Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(5.15.0-22.22)
|
|
mantic |
Not vulnerable
(6.2.0-1003.3)
|
|
noble |
Not vulnerable
(6.5.0-9.9.1)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-lowlatency-hwe-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-33.34~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-lowlatency-hwe-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-lowlatency-hwe-6.2)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-lowlatency-hwe-6.2)
|
|
linux-lowlatency-hwe-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-lowlatency-hwe-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-lowlatency-hwe-6.5)
|
|
linux-lowlatency-hwe-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-14.14.1~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Not vulnerable
(4.4.0-13.29~14.04.1)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-nvidia Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(5.15.0-1005.5)
|
|
mantic |
Does not exist
|
|
noble |
Not vulnerable
(6.8.0-1007.7)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-nvidia-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-nvidia-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-nvidia-6.5)
|
|
linux-nvidia-6.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Not vulnerable
(6.5.0-1004.4)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Ignored
(replaced by linux-hwe-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-oem-5.10 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oem-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-5.13)
|
|
linux-oem-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oem-5.14)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-5.14)
|
|
linux-oem-5.14 Launchpad, Ubuntu, Debian |
focal |
Ignored
(replaced by linux-hwe-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(replaced by linux-hwe-5.15)
|
|
linux-oem-5.17 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-oem-6.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-6.1)
|
|
linux-oem-5.6 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oem-5.10)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-5.10)
|
|
linux-oem-6.0 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-oem-6.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-6.1)
|
|
linux-oem-6.1 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-oem-6.5, was needs-triage)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oem-6.5, was needs-triage)
|
|
linux-oem-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1003.3)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-oem-6.8 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Not vulnerable
(6.8.0-1003.3)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Does not exist
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(4.15.0-1007.9)
|
focal |
Not vulnerable
(5.4.0-1005.5)
|
|
jammy |
Not vulnerable
(5.13.0-1008.10)
|
|
mantic |
Not vulnerable
(6.2.0-1003.3)
|
|
noble |
Not vulnerable
(6.5.0-1010.10)
|
|
upstream |
Released
(5.13~rc5)
|
|
xenial |
Not vulnerable
(4.15.0-1007.9~16.04.1)
|
|
linux-oracle-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-oracle-5.3)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oracle-5.3)
|
|
linux-oracle-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oracle-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oracle-5.13)
|
|
linux-oracle-5.13 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oracle-5.15)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oracle-5.15)
|
|
linux-oracle-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1007.9~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-oracle-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-oracle-5.4)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oracle-5.4)
|
|
linux-oracle-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1019.19~18.04.1)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-oracle-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-oracle-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-oracle-5.11)
|
|
linux-oracle-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1013.13~22.04.4)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-raspi Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1007.7)
|
jammy |
Not vulnerable
(5.13.0-1008.9)
|
|
mantic |
Not vulnerable
(6.2.0-1004.5)
|
|
noble |
Not vulnerable
(6.5.0-1005.7)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-raspi-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.4.0-1013.13~18.04.1)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
focal |
Ignored
(replaced by linux-raspi)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(replaced by linux-raspi)
|
|
linux-riscv Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-riscv-5.8)
|
jammy |
Ignored
(end of kernel support)
|
|
mantic |
Not vulnerable
(6.2.0-19.19.1)
|
|
noble |
Not vulnerable
(6.5.0-9.9.1)
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-riscv-5.11 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-riscv-5.13)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-riscv-5.13)
|
|
linux-riscv-5.15 Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.15.0-1015.17~20.04.1)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-riscv-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(end of kernel support)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-riscv-5.8 Launchpad, Ubuntu, Debian |
focal |
Ignored
(superseded by linux-riscv-5.11)
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-riscv-5.11)
|
|
linux-riscv-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-17.17.1.1~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-starfive Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Not vulnerable
(6.5.0-1002.3)
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-starfive-5.19 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(end of kernel support)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(end of life)
|
|
linux-starfive-6.2 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Ignored
(superseded by linux-starfive-6.5)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Ignored
(superseded by linux-starfive-6.5)
|
|
linux-starfive-6.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(6.5.0-1007.8~22.04.1)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
|
linux-xilinx-zynqmp Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(5.4.0-1020.24)
|
jammy |
Not vulnerable
(5.15.0-1022.26)
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Released
(5.13~rc5)
|
References
- https://git.kernel.org/linus/ff40e51043af63715ab413995ff46996ecf9583f (5.13-rc5)
- https://git.kernel.org/stable/c/ff5039ec75c83d2ed5b781dc7733420ee8c985fc
- https://git.kernel.org/stable/c/acc43fc6cf0d50612193813c5906a1ab9d433e1e
- https://git.kernel.org/stable/c/ff40e51043af63715ab413995ff46996ecf9583f
- https://www.cve.org/CVERecord?id=CVE-2021-47128
- NVD
- Launchpad
- Debian