> I just noticed that the commit that introduced the CVE hasn't even landed in > the mentioned kernel. > > We introduced it to the tree 5 days ago
I see backports of commit 80cd22c35c9001fe72bf614d29439de41933deca in all tags between Ubuntu-bluefield-5.15.0-1019.21 and Ubuntu- bluefield-5.15.0-1068.70. They all have the vulnerable code, but not the CVE fix. Example: https://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-bluefield/+git/jammy/commit/?h=Ubuntu-bluefield-5.15.0-1050.52&id=13c5ebefe55d83dc0ddc6f2cbcba7c3ee33aea0b -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/2109993 Title: linux-bluefield is vulnerable to CVE-2025-21857 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2109993/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
