12859 vulnerabilities
CVE-2026-53358 (GCVE-0-2026-53358)
Vulnerability from cvelistv5 – Published: 2026-07-02 13:43 – Updated: 2026-07-02 13:43
Title
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock. cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.

Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously. The timeout handler already acquires conn->lock
and chan->lock in the correct order.

The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do. If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 3634cbdc2eb414b69ffa752ddbe5e0458518e321 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < e1c100e2d61bd8c718b7d91fe3e050780a9bf72d (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 89dec92041717b027216e110599e4f6d6c921b79 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 50dfec218808b148ab4247b1858031b7a32015c5 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 859d3ace791ed878ae9ba5522c7844d960da8f88 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 7555fd885a0603f50e49a655850a1f2bd8a25398 (git) |
| | | Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 8c8e620467a7b51562dbcefbd1f09f288d7d710d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3634cbdc2eb414b69ffa752ddbe5e0458518e321",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "e1c100e2d61bd8c718b7d91fe3e050780a9bf72d",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "89dec92041717b027216e110599e4f6d6c921b79",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "50dfec218808b148ab4247b1858031b7a32015c5",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "859d3ace791ed878ae9ba5522c7844d960da8f88",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "7555fd885a0603f50e49a655850a1f2bd8a25398",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "8c8e620467a7b51562dbcefbd1f09f288d7d710d",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n\nl2cap_chan_close() removes the channel from conn-\u003echan_l, which\nmust be done under conn-\u003elock. cleanup_listen() runs under the\nparent sk_lock, so acquiring conn-\u003elock would invert the\nestablished conn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock order.\n\nInstead of calling l2cap_chan_close() directly, schedule\nl2cap_chan_timeout with delay 0 to close the channel\nasynchronously. The timeout handler already acquires conn-\u003elock\nand chan-\u003elock in the correct order.\n\nThe timer is only armed when chan-\u003econn is still set: if it is\nalready NULL, l2cap_conn_del() has already processed this channel\n(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),\nso there is nothing left to do. If l2cap_conn_del() races in\nafter the timer is armed, __clear_chan_timer() inside\nl2cap_chan_del() cancels it; if the timer has already fired, the\nhandler returns harmlessly because chan-\u003econn was cleared."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:43:17.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3634cbdc2eb414b69ffa752ddbe5e0458518e321"
},
{
"url": "https://git.kernel.org/stable/c/e1c100e2d61bd8c718b7d91fe3e050780a9bf72d"
},
{
"url": "https://git.kernel.org/stable/c/deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9"
},
{
"url": "https://git.kernel.org/stable/c/89dec92041717b027216e110599e4f6d6c921b79"
},
{
"url": "https://git.kernel.org/stable/c/50dfec218808b148ab4247b1858031b7a32015c5"
},
{
"url": "https://git.kernel.org/stable/c/859d3ace791ed878ae9ba5522c7844d960da8f88"
},
{
"url": "https://git.kernel.org/stable/c/7555fd885a0603f50e49a655850a1f2bd8a25398"
},
{
"url": "https://git.kernel.org/stable/c/8c8e620467a7b51562dbcefbd1f09f288d7d710d"
}
],
"title": "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53358",
"datePublished": "2026-07-02T13:43:17.630Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-02T13:43:17.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53357 (GCVE-0-2026-53357)
Vulnerability from cvelistv5 – Published: 2026-07-02 13:43 – Updated: 2026-07-02 13:43
Title
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.

l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:

  BUG: KASAN: slab-use-after-free in l2cap_sock_kill
  l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
  Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill

This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.

Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).

KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 751de6ec671fe75ad9cf65a0638d2a06b6a5984d (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 407217734835d21d4e0105ebf347860dc1806f88 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 7eebd4c2c86f573af87ff165d08a83432eb0b919 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 5d86d2f1b4d9a508c441d3e45277ae1a73cfed57 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 87c543e2f78d0871f271df92dab98901bbd5b6f5 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < added1213395071470a900cc845a042fb51882a6 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < a5ca86a6097a8b030ca3226cd300b17ed330f966 (git) |
| | | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < ab1513597c6cf17cd1ad2a21e3b045421b48e022 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_sock.c",
"net/bluetooth/rfcomm/sock.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "751de6ec671fe75ad9cf65a0638d2a06b6a5984d",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "407217734835d21d4e0105ebf347860dc1806f88",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "7eebd4c2c86f573af87ff165d08a83432eb0b919",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "5d86d2f1b4d9a508c441d3e45277ae1a73cfed57",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "87c543e2f78d0871f271df92dab98901bbd5b6f5",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "added1213395071470a900cc845a042fb51882a6",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "a5ca86a6097a8b030ca3226cd300b17ed330f966",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "ab1513597c6cf17cd1ad2a21e3b045421b48e022",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/iso.c",
"net/bluetooth/l2cap_sock.c",
"net/bluetooth/rfcomm/sock.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\n\nbt_accept_dequeue() unlinks a not-yet-accepted child from the parent\naccept queue and release_sock()s it before returning, so the returned\nsk has no caller reference and is unlocked.\n\nl2cap_sock_cleanup_listen() walks these children on listening-socket\nclose. A concurrent HCI disconnect drives hci_rx_work -\u003e\nl2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and\nfrees the child sk and its l2cap_chan; cleanup_listen() then uses both:\n\n BUG: KASAN: slab-use-after-free in l2cap_sock_kill\n l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close\n Freed by: l2cap_conn_del -\u003e l2cap_sock_close_cb -\u003e l2cap_sock_kill\n\nThis is distinct from the two fixes already in this area: commit\ne83f5e24da741 (\"Bluetooth: serialize accept_q access\") serialises the\naccept_q list/poll and takes temporary refs inside bt_accept_dequeue(),\nand CVE-2025-39860 serialises the userspace close()/accept() race by\ncalling cleanup_listen() under lock_sock() in l2cap_sock_release().\nNeither covers l2cap_conn_del() running from hci_rx_work, so this UAF\nstill reproduces on current bluetooth/master.\n\nTake the reference at the source: bt_accept_dequeue() does sock_hold()\nwhile sk is still locked, before release_sock(); callers sock_put().\ncleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under\na brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops\nit before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on\nSOCK_DEAD. conn-\u003elock is not taken here: cleanup_listen() runs under\nthe parent sk lock and that would invert\nconn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock (lockdep).\n\nKASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced\n12 use-after-free reports per run before this change; 0, and no lockdep\nreport, over 1600+ raced iterations after it on bluetooth/master."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T13:43:17.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/751de6ec671fe75ad9cf65a0638d2a06b6a5984d"
},
{
"url": "https://git.kernel.org/stable/c/407217734835d21d4e0105ebf347860dc1806f88"
},
{
"url": "https://git.kernel.org/stable/c/7eebd4c2c86f573af87ff165d08a83432eb0b919"
},
{
"url": "https://git.kernel.org/stable/c/5d86d2f1b4d9a508c441d3e45277ae1a73cfed57"
},
{
"url": "https://git.kernel.org/stable/c/87c543e2f78d0871f271df92dab98901bbd5b6f5"
},
{
"url": "https://git.kernel.org/stable/c/added1213395071470a900cc845a042fb51882a6"
},
{
"url": "https://git.kernel.org/stable/c/a5ca86a6097a8b030ca3226cd300b17ed330f966"
},
{
"url": "https://git.kernel.org/stable/c/ab1513597c6cf17cd1ad2a21e3b045421b48e022"
}
],
"title": "Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53357",
"datePublished": "2026-07-02T13:43:17.077Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-02T13:43:17.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53356 (GCVE-0-2026-53356)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
drm/i915/gem: Fix phys BO pread/pwrite with offset
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Fix phys BO pread/pwrite with offset

sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.

Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.

(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 40f738991058eb3e3530c3006a5bd6fd5e29f035 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 1ec8fc63e9cdb22da54e48e536c9204020416fc6 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 14469860e2e39b7095dcd658d2bad38a11110a68 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 07c33be968d9e0cab6cba38c81850a09942fcb2e (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 3bd168dd835b93a3862cd05b0d13c432b115f9d6 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < 32d4c5d328a3ff995420f4f85163e1e403f43628 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < dd51a2eeb93bc6faa892ff9083911dd23f82c187 (git) |
| | | Affected: c6790dc22312f592c1434577258b31c48c72d52a , < d21ad938398bca695a511307de38a65889e3b354 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_phys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40f738991058eb3e3530c3006a5bd6fd5e29f035",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "1ec8fc63e9cdb22da54e48e536c9204020416fc6",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "14469860e2e39b7095dcd658d2bad38a11110a68",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "07c33be968d9e0cab6cba38c81850a09942fcb2e",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "3bd168dd835b93a3862cd05b0d13c432b115f9d6",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "32d4c5d328a3ff995420f4f85163e1e403f43628",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "dd51a2eeb93bc6faa892ff9083911dd23f82c187",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
},
{
"lessThan": "d21ad938398bca695a511307de38a65889e3b354",
"status": "affected",
"version": "c6790dc22312f592c1434577258b31c48c72d52a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_phys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix phys BO pread/pwrite with offset\n\nsg_page() returns struct page pointer not (void *) so the scaling\nof pread/pwrite is wrong for phys BO and wrong parts of BO would be\naccessed if non-zero offset is used.\n\nLast impacted platform with overlay or cursor planes using phys\nmapping was Gen3/945G/Lakeport.\n\n(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:31.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40f738991058eb3e3530c3006a5bd6fd5e29f035"
},
{
"url": "https://git.kernel.org/stable/c/1ec8fc63e9cdb22da54e48e536c9204020416fc6"
},
{
"url": "https://git.kernel.org/stable/c/14469860e2e39b7095dcd658d2bad38a11110a68"
},
{
"url": "https://git.kernel.org/stable/c/07c33be968d9e0cab6cba38c81850a09942fcb2e"
},
{
"url": "https://git.kernel.org/stable/c/3bd168dd835b93a3862cd05b0d13c432b115f9d6"
},
{
"url": "https://git.kernel.org/stable/c/32d4c5d328a3ff995420f4f85163e1e403f43628"
},
{
"url": "https://git.kernel.org/stable/c/dd51a2eeb93bc6faa892ff9083911dd23f82c187"
},
{
"url": "https://git.kernel.org/stable/c/d21ad938398bca695a511307de38a65889e3b354"
}
],
"title": "drm/i915/gem: Fix phys BO pread/pwrite with offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53356",
"datePublished": "2026-07-01T13:32:31.428Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:31.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53355 (GCVE-0-2026-53355)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
net: rds: clear i_sends on setup unwind
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: rds: clear i_sends on setup unwind

The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.

When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.

Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 66cccec111421a10efdc2c74499d15b93e7acae5 (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 29d940026dce39e3018dab6f67c9427249321270 (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < e7cf30aa5f1fc6c2a86df65df8b731df20e44d79 (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 1d4ec754ee3871f7e3670c67bb0298c9c5760926 (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 27040bbca289a704eafcacca167d310c6ce2b1bc (git) |
| | | Affected: 3b12f73a5c2977153f28a224392fd4729b50d1dc , < 20cf0fb715c41111469577e85e35d15f099473e0 (git) |
| | | Affected: 75a12b2fa80c2e4cc40a9f9305f95899850b7426 (git) |
| | | Affected: c9459693fae9a1bf3f51f3db98617f694112e897 (git) |
| | | Affected: 13099ee9c7d54b0a25f6c8397675aed99e9cfa45 (git) |
| | | Affected: 5c6712ab4efb6cf60e16719ab6bcaface9cc268c (git) |
| | | Affected: 3.18.74 , < 3.19 (semver) |
| | | Affected: 4.1.46 , < 4.2 (semver) |
| | | Affected: 4.4.91 , < 4.5 (semver) |
| | | Affected: 4.9.54 , < 4.10 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/ib_cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66cccec111421a10efdc2c74499d15b93e7acae5",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "29d940026dce39e3018dab6f67c9427249321270",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "e7cf30aa5f1fc6c2a86df65df8b731df20e44d79",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "1d4ec754ee3871f7e3670c67bb0298c9c5760926",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "27040bbca289a704eafcacca167d310c6ce2b1bc",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"lessThan": "20cf0fb715c41111469577e85e35d15f099473e0",
"status": "affected",
"version": "3b12f73a5c2977153f28a224392fd4729b50d1dc",
"versionType": "git"
},
{
"status": "affected",
"version": "75a12b2fa80c2e4cc40a9f9305f95899850b7426",
"versionType": "git"
},
{
"status": "affected",
"version": "c9459693fae9a1bf3f51f3db98617f694112e897",
"versionType": "git"
},
{
"status": "affected",
"version": "13099ee9c7d54b0a25f6c8397675aed99e9cfa45",
"versionType": "git"
},
{
"status": "affected",
"version": "5c6712ab4efb6cf60e16719ab6bcaface9cc268c",
"versionType": "git"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.74",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.46",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.91",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.54",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/ib_cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: clear i_sends on setup unwind\n\nThe RDS IB connection teardown path is written so it can run during\npartial startup and on repeated shutdown attempts. It uses NULL\npointers to distinguish resources that are still owned from resources\nthat have already been released.\n\nWhen rds_ib_setup_qp() fails after allocating i_sends but before\nallocating i_recvs, the sends_out path frees i_sends without clearing\nthe pointer. A later shutdown pass can still treat that stale pointer\nas a live send ring allocation.\n\nClear i_sends after vfree() in the error unwind path so the existing\nshutdown logic continues to use the correct ownership state."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:30.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66cccec111421a10efdc2c74499d15b93e7acae5"
},
{
"url": "https://git.kernel.org/stable/c/2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b"
},
{
"url": "https://git.kernel.org/stable/c/29d940026dce39e3018dab6f67c9427249321270"
},
{
"url": "https://git.kernel.org/stable/c/e7cf30aa5f1fc6c2a86df65df8b731df20e44d79"
},
{
"url": "https://git.kernel.org/stable/c/f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a"
},
{
"url": "https://git.kernel.org/stable/c/1d4ec754ee3871f7e3670c67bb0298c9c5760926"
},
{
"url": "https://git.kernel.org/stable/c/27040bbca289a704eafcacca167d310c6ce2b1bc"
},
{
"url": "https://git.kernel.org/stable/c/20cf0fb715c41111469577e85e35d15f099473e0"
}
],
"title": "net: rds: clear i_sends on setup unwind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53355",
"datePublished": "2026-07-01T13:32:30.831Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:30.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53354 (GCVE-0-2026-53354)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
arm64: errata: Mitigate TLBI errata on various Arm CPUs
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: errata: Mitigate TLBI errata on various Arm CPUs
A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.
These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.
This issue has been assigned CVE ID CVE-2025-10263.
To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.
The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.
Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 925058203229403008d77a52b1e63e2ae5f4a3cf (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8364384ae82fbffdf8968abaac3455ed854da18d (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7c3ad9365079e716b57d2363d3081ee7680cc18e (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e717a4d08779f1a28d6e0275e75040b12c33c753 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d4fd4282204044fdedd1e42abbe70a9206f74ec0 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1268c64e2bcb6e968152990e87bd10c440fcc9c0 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cfd391e74134db664feb499d43af286380b10ba8 (git)<br>Affected: 0 , < 5.10.259 (semver)<br>Affected: 0 , < 5.15.210 (semver)<br>Affected: 0 , < 6.1.176 (semver)<br>Affected: 0 , < 6.6.143 (semver)<br>Affected: 0 , < 6.12.94 (semver)<br>Affected: 0 , < 6.18.36 (semver)<br>Affected: 0 , < 7.0.13 (semver)<br>Affected: 0 , < 7.1.1 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/arch/arm64/silicon-errata.rst",
"arch/arm64/Kconfig",
"arch/arm64/kernel/cpu_errata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "925058203229403008d77a52b1e63e2ae5f4a3cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8364384ae82fbffdf8968abaac3455ed854da18d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c3ad9365079e716b57d2363d3081ee7680cc18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e717a4d08779f1a28d6e0275e75040b12c33c753",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d4fd4282204044fdedd1e42abbe70a9206f74ec0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1268c64e2bcb6e968152990e87bd10c440fcc9c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfd391e74134db664feb499d43af286380b10ba8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5.10.259",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/arch/arm64/silicon-errata.rst",
"arch/arm64/Kconfig",
"arch/arm64/kernel/cpu_errata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.*",
"status": "unaffected",
"version": "7.1.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.2-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.2-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Mitigate TLBI errata on various Arm CPUs\n\nA number of CPUs developed by Arm suffer from errata whereby a broadcast\nTLBI;DSB sequence may complete before the global observation of writes\nwhich are translated by an affected TLB entry.\n\nThese errata ONLY affect the completion of memory accesses which have\nbeen translated by an invalidated TLB entry, and these errata DO NOT\naffect the actual invalidation of TLB entries. TLB entries are removed\ncorrectly.\n\nThis issue has been assigned CVE ID CVE-2025-10263.\n\nTo mitigate this issue, Arm recommends that software follows any\naffected TLBI;DSB sequence with an additional TLBI;DSB, which will\nensure that all memory write effects affected by the first TLBI have\nbeen globally observed. The additional TLBI can use any operation that\nis broadcast to affected CPUs, and the additional DSB can use any option\nthat is sufficient to complete the additional TLBI.\n\nThe ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate\nthe issue. Enable this workaround for affected CPUs, and update the\nsilicon errata documentation accordingly.\n\nNote that due to the manner in which Arm develops IP and tracks errata,\nsome CPUs share a common erratum number."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:30.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/925058203229403008d77a52b1e63e2ae5f4a3cf"
},
{
"url": "https://git.kernel.org/stable/c/8364384ae82fbffdf8968abaac3455ed854da18d"
},
{
"url": "https://git.kernel.org/stable/c/7c3ad9365079e716b57d2363d3081ee7680cc18e"
},
{
"url": "https://git.kernel.org/stable/c/e717a4d08779f1a28d6e0275e75040b12c33c753"
},
{
"url": "https://git.kernel.org/stable/c/4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8"
},
{
"url": "https://git.kernel.org/stable/c/d4fd4282204044fdedd1e42abbe70a9206f74ec0"
},
{
"url": "https://git.kernel.org/stable/c/1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd"
},
{
"url": "https://git.kernel.org/stable/c/1268c64e2bcb6e968152990e87bd10c440fcc9c0"
},
{
"url": "https://git.kernel.org/stable/c/cfd391e74134db664feb499d43af286380b10ba8"
}
],
"title": "arm64: errata: Mitigate TLBI errata on various Arm CPUs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53354",
"datePublished": "2026-07-01T13:32:30.246Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:30.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53353 (GCVE-0-2026-53353)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
hsr: Remove WARN_ONCE() in hsr_addr_is_self().
Summary
In the Linux kernel, the following vulnerability has been resolved:
hsr: Remove WARN_ONCE() in hsr_addr_is_self().
syzbot reported the warning [0] in hsr_addr_is_self(),
whose assumption is simply wrong.
hsr->self_node is cleared in hsr_del_self_node(), which
is called from hsr_dellink().
Since dev->rtnl_link_ops->dellink() is called before
unregister_netdevice_many(), there is a window when
user can find the device but without hsr->self_node.
Let's remove WARN_ONCE() in hsr_addr_is_self().
[0]:
HSR: No self node
WARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220
Modules linked in:
CPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39
Code: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 <67> 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96
RSP: 0018:ffffc900041c70e0 EFLAGS: 00010283
RAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000
RDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000
R13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000
FS: 00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
check_local_dest net/hsr/hsr_forward.c:592 [inline]
fill_frame_info net/hsr/hsr_forward.c:728 [inline]
hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739
hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236
__netdev_start_xmit include/linux/netdevice.h:5368 [inline]
netdev_start_xmit include/linux/netdevice.h:5377 [inline]
xmit_one net/core/dev.c:3888 [inline]
dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904
__dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237
ip_send_skb net/ipv4/ip_output.c:1510 [inline]
ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530
raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698
___sys_sendmsg+0x2a5/0x360 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6feb62ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488
</TASK>
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 271355c2ef6171dbc815e7ae653eed63444bbd58 (git)<br>Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 0232b6fcb7615fb7fecfe0727a23065a53e228b8 (git)<br>Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < 66a46e22396fd5d09606f37f73643eb20e99aa42 (git)<br>Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < d71bb171661ec0225bf4babdd4d296d744982fb3 (git)<br>Affected: f266a683a4804dc499efc6c2206ef68efed029d0 , < afd0f17ca46258cec3a5cc48b8df9327fe772490 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_framereg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "271355c2ef6171dbc815e7ae653eed63444bbd58",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "0232b6fcb7615fb7fecfe0727a23065a53e228b8",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "66a46e22396fd5d09606f37f73643eb20e99aa42",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "d71bb171661ec0225bf4babdd4d296d744982fb3",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "afd0f17ca46258cec3a5cc48b8df9327fe772490",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_framereg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Remove WARN_ONCE() in hsr_addr_is_self().\n\nsyzbot reported the warning [0] in hsr_addr_is_self(),\nwhose assumption is simply wrong.\n\nhsr-\u003eself_node is cleared in hsr_del_self_node(), which\nis called from hsr_dellink().\n\nSince dev-\u003ertnl_link_ops-\u003edellink() is called before\nunregister_netdevice_many(), there is a window when\nuser can find the device but without hsr-\u003eself_node.\n\nLet\u0027s remove WARN_ONCE() in hsr_addr_is_self().\n\n[0]:\nHSR: No self node\nWARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220\nModules linked in:\nCPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026\nRIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39\nCode: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 \u003c67\u003e 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96\nRSP: 0018:ffffc900041c70e0 EFLAGS: 00010283\nRAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000\nRDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000\nR13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000\nFS: 00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0\nDR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002\nDR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n check_local_dest net/hsr/hsr_forward.c:592 [inline]\n 
fill_frame_info net/hsr/hsr_forward.c:728 [inline]\n hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739\n hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236\n __netdev_start_xmit include/linux/netdevice.h:5368 [inline]\n netdev_start_xmit include/linux/netdevice.h:5377 [inline]\n xmit_one net/core/dev.c:3888 [inline]\n dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904\n __dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237\n ip_send_skb net/ipv4/ip_output.c:1510 [inline]\n ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530\n raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659\n sock_sendmsg_nosec net/socket.c:787 [inline]\n __sock_sendmsg net/socket.c:802 [inline]\n ____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2752\n __sys_sendmsg net/socket.c:2784 [inline]\n __do_sys_sendmsg net/socket.c:2789 [inline]\n __se_sys_sendmsg net/socket.c:2787 [inline]\n __x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f6feb62ce59\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59\nRDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004\nRBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:29.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/271355c2ef6171dbc815e7ae653eed63444bbd58"
},
{
"url": "https://git.kernel.org/stable/c/0232b6fcb7615fb7fecfe0727a23065a53e228b8"
},
{
"url": "https://git.kernel.org/stable/c/66a46e22396fd5d09606f37f73643eb20e99aa42"
},
{
"url": "https://git.kernel.org/stable/c/d71bb171661ec0225bf4babdd4d296d744982fb3"
},
{
"url": "https://git.kernel.org/stable/c/afd0f17ca46258cec3a5cc48b8df9327fe772490"
}
],
"title": "hsr: Remove WARN_ONCE() in hsr_addr_is_self().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53353",
"datePublished": "2026-07-01T13:32:29.699Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:29.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53352 (GCVE-0-2026-53352)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
Summary
In the Linux kernel, the following vulnerability has been resolved:
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.
When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:
sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
<TASK>
do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
get_signal+0xa8c/0x1330 kernel/signal.c:2884
arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 2b32b2fb241435145ea199efac024540759d2495 (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < f8d720bc2e35d568c18be0644e92a468de428370 (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < f4aae11abb449dc536269705d0419ec69480faa9 (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 76aebd9ef20078719dfd6282d3b06c27e900a65a (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 8c046f36222c6ce1e0daef2c45c891c72602f8a1 (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29 (git)<br>Affected: 39efa3ef3a376a4e53de2f82fc91182459d34200 , < 90918794a4e2c3b440f8fcf3847765a8b1d81b25 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b32b2fb241435145ea199efac024540759d2495",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "f8d720bc2e35d568c18be0644e92a468de428370",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "f4aae11abb449dc536269705d0419ec69480faa9",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "76aebd9ef20078719dfd6282d3b06c27e900a65a",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "8c046f36222c6ce1e0daef2c45c891c72602f8a1",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
},
{
"lessThan": "90918794a4e2c3b440f8fcf3847765a8b1d81b25",
"status": "affected",
"version": "39efa3ef3a376a4e53de2f82fc91182459d34200",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsignal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()\n\nWhen a multi-threaded process receives a stop signal (e.g., SIGSTOP),\ndo_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all\nthreads and sets signal-\u003egroup_stop_count to the number of threads. If\none of the threads concurrently calls execve(), de_thread() invokes\nzap_other_threads() to kill all other threads. zap_other_threads()\naborts the pending group stop by resetting signal-\u003egroup_stop_count to 0\nand clears the JOBCTL_PENDING_MASK for all other threads. However, it\nfails to clear the job control flags for the calling thread.\n\nWhen execve() completes, the calling thread returns to user mode and\nchecks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,\nit calls do_signal_stop(), which invokes task_participate_group_stop().\nSince JOBCTL_STOP_CONSUME is still set, it attempts to decrement the\nalready-zero signal-\u003egroup_stop_count, triggering a warning:\n\nsig-\u003egroup_stop_count == 0\nWARNING: CPU: 1 PID: 6475 at kernel/signal.c:373\ntask_participate_group_stop+0x215/0x2d0\nCall Trace:\n \u003cTASK\u003e\n do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619\n get_signal+0xa8c/0x1330 kernel/signal.c:2884\n arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98\n do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nFix this race condition by clearing the JOBCTL_PENDING_MASK for the\ncalling thread in zap_other_threads(), ensuring it does not retain any\nstale job control state after the thread group is destroyed. This aligns\nwith other functions that tear down a thread group and abort group\nstops, such as zap_process() and complete_signal(), which correctly\nclear these flags for all threads including the current one."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:29.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b32b2fb241435145ea199efac024540759d2495"
},
{
"url": "https://git.kernel.org/stable/c/391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe"
},
{
"url": "https://git.kernel.org/stable/c/f8d720bc2e35d568c18be0644e92a468de428370"
},
{
"url": "https://git.kernel.org/stable/c/f4aae11abb449dc536269705d0419ec69480faa9"
},
{
"url": "https://git.kernel.org/stable/c/76aebd9ef20078719dfd6282d3b06c27e900a65a"
},
{
"url": "https://git.kernel.org/stable/c/8c046f36222c6ce1e0daef2c45c891c72602f8a1"
},
{
"url": "https://git.kernel.org/stable/c/dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29"
},
{
"url": "https://git.kernel.org/stable/c/90918794a4e2c3b440f8fcf3847765a8b1d81b25"
}
],
"title": "signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53352",
"datePublished": "2026-07-01T13:32:29.105Z",
"dateReserved": "2026-06-09T07:44:35.400Z",
"dateUpdated": "2026-07-01T13:32:29.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53351 (GCVE-0-2026-53351)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
Fixes a warning while dumping core:
[54983.546369][ C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08200bef0983ffed039ab399df0cba8d900ce5fc",
"status": "affected",
"version": "2af7c9cf021c5dabe880b68e5cc22c618060d954",
"versionType": "git"
},
{
"lessThan": "e3573f739e3dadab57ec80488d07e05c8f6e82d3",
"status": "affected",
"version": "2af7c9cf021c5dabe880b68e5cc22c618060d954",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI\n\nFixes a warning while dumping core:\n\n[54983.546369][ C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:28.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08200bef0983ffed039ab399df0cba8d900ce5fc"
},
{
"url": "https://git.kernel.org/stable/c/e3573f739e3dadab57ec80488d07e05c8f6e82d3"
}
],
"title": "riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53351",
"datePublished": "2026-07-01T13:32:28.548Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:28.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53350 (GCVE-0-2026-53350)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

In wm_adsp_control_remove() check that the priv pointer is not NULL
before attempting to clean up what it points to.

When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that
wm_adsp can create its own private control data. There are two cases
where private data is not created:

1. The control is a SYSTEM control, so an ALSA control is not created.

2. The codec driver has registered a control_add() callback that
   hides the control, so wm_adsp_control_add() is not called.

When cs_dsp_remove destroys its control list it calls
wm_adsp_control_remove() for each control. But wm_adsp_control_remove()
was attempting to clean up the private data pointed to by cs_ctl->priv
without checking the pointer for NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3 (git)<br>Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 10def23b67b42679d5b1a356e1a6f3498bd188c3 (git)<br>Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 2f1be283aa777d655525d000d16474b7e7d015ea (git)<br>Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 12e579b889624ec54a201d98fdff975de556c731 (git)<br>Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7 (git)<br>Affected: 0700bc2fb94c28459f57a10d2ee2c7ef4cb70862, < 7d3fb78b550301e43fdc60312aed733069694426 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wm_adsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "10def23b67b42679d5b1a356e1a6f3498bd188c3",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "2f1be283aa777d655525d000d16474b7e7d015ea",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "12e579b889624ec54a201d98fdff975de556c731",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
},
{
"lessThan": "7d3fb78b550301e43fdc60312aed733069694426",
"status": "affected",
"version": "0700bc2fb94c28459f57a10d2ee2c7ef4cb70862",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wm_adsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: wm_adsp: Fix NULL dereference when removing firmware controls\n\nIn wm_adsp_control_remove() check that the priv pointer is not NULL\nbefore attempting to cleanup what it points to.\n\nWhen cs_dsp creates a control it calls wm_adsp_control_add_cb() so that\nwm_adsp can create its own private control data. There are two cases\nwhere private data is not created:\n\n1. The control is a SYSTEM control, so an ALSA control is not created.\n\n2. The codec driver has registered a control_add() callback that\n hides the control, so wm_adsp_control_add() is not called.\n\nWhen cs_dsp_remove destroys its control list it calls\nwm_adsp_control_remove() for each control. But wm_adsp_control_remove()\nwas attempting to cleanup the private data pointed to by cs_ctl-\u003epriv\nwithout checking the pointer for NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:27.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3"
},
{
"url": "https://git.kernel.org/stable/c/10def23b67b42679d5b1a356e1a6f3498bd188c3"
},
{
"url": "https://git.kernel.org/stable/c/2f1be283aa777d655525d000d16474b7e7d015ea"
},
{
"url": "https://git.kernel.org/stable/c/12e579b889624ec54a201d98fdff975de556c731"
},
{
"url": "https://git.kernel.org/stable/c/6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7"
},
{
"url": "https://git.kernel.org/stable/c/7d3fb78b550301e43fdc60312aed733069694426"
}
],
"title": "ASoC: wm_adsp: Fix NULL dereference when removing firmware controls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53350",
"datePublished": "2026-07-01T13:32:27.975Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:27.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53349 (GCVE-0-2026-53349)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack: destroy stale expectfn expectations on unregister

NAT helpers such as nf_nat_h323 store a raw pointer to module text in
exp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()
only unlinks the callback descriptor and never walks the expectation table,
so an expectation pending at module removal survives with a dangling
exp->expectfn into freed module text.

When the expected connection arrives, init_conntrack() invokes
exp->expectfn(), now a stale pointer into the unloaded module. Reproduced
on a KASAN build by loading the H.323 helpers, creating a Q.931
expectation, unloading nf_nat_h323, then connecting to the expected port:

  Oops: int3: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:0xffffffffa06102d1
  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)
  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)
  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)
  nf_hook_slow (net/netfilter/core.c:619)
  __ip_local_out (net/ipv4/ip_output.c:120)
  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)
  tcp_connect (net/ipv4/tcp_output.c:4374)
  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)
  __sys_connect (net/socket.c:2167)
  Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]

Reaching the dangling state requires CAP_SYS_MODULE in the initial user
namespace to remove a NAT helper that still has live expectations, so this
is a robustness fix; leaving an expectation pointing at freed text is wrong
regardless.

Add nf_ct_helper_expectfn_destroy(), which walks the expectation table and
drops every expectation whose ->expectfn matches the descriptor being torn
down. Call it from each NAT helper's exit path after the existing RCU grace
period, so no expectation outlives the code it points at and no extra
synchronize_rcu() is introduced. With the fix, the same reproducer runs to
completion without the Oops.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < fbfde85308b99938a6092c48753214d190ece48d (git)<br>Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < 29d8cc44bbdf7b83a1929912214afe6643c1b4f1 (git)<br>Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d (git)<br>Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < 9d017671dcfcec23321fb7962dea624f9e71ddb1 (git)<br>Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < bf8c0b5dd203be94c2ad50e264cec19267c6bd39 (git)<br>Affected: f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4, < c3009418f9fa1dcb3eb86f4d8c92583537b5faa3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_helper.h",
"net/ipv4/netfilter/nf_nat_h323.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_nat_core.c",
"net/netfilter/nf_nat_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbfde85308b99938a6092c48753214d190ece48d",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "29d8cc44bbdf7b83a1929912214afe6643c1b4f1",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "9d017671dcfcec23321fb7962dea624f9e71ddb1",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "bf8c0b5dd203be94c2ad50e264cec19267c6bd39",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
},
{
"lessThan": "c3009418f9fa1dcb3eb86f4d8c92583537b5faa3",
"status": "affected",
"version": "f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_helper.h",
"net/ipv4/netfilter/nf_nat_h323.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_nat_core.c",
"net/netfilter/nf_nat_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n\nNAT helpers such as nf_nat_h323 store a raw pointer to module text in\nexp-\u003eexpectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()\nonly unlinks the callback descriptor and never walks the expectation table,\nso an expectation pending at module removal survives with a dangling\nexp-\u003eexpectfn into freed module text.\n\nWhen the expected connection arrives, init_conntrack() invokes\nexp-\u003eexpectfn(), now a stale pointer into the unloaded module. Reproduced\non a KASAN build by loading the H.323 helpers, creating a Q.931\nexpectation, unloading nf_nat_h323, then connecting to the expected port:\n\n Oops: int3: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:0xffffffffa06102d1\n init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)\n nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)\n ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)\n nf_hook_slow (net/netfilter/core.c:619)\n __ip_local_out (net/ipv4/ip_output.c:120)\n __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)\n tcp_connect (net/ipv4/tcp_output.c:4374)\n tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)\n __sys_connect (net/socket.c:2167)\n Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]\n\nReaching the dangling state requires CAP_SYS_MODULE in the initial user\nnamespace to remove a NAT helper that still has live expectations, so this\nis a robustness fix; leaving an expectation pointing at freed text is wrong\nregardless.\n\nAdd nf_ct_helper_expectfn_destroy(), which walks the expectation table and\ndrops every expectation whose -\u003eexpectfn matches the descriptor being torn\ndown. Call it from each NAT helper\u0027s exit path after the existing RCU grace\nperiod, so no expectation outlives the code it points at and no extra\nsynchronize_rcu() is introduced. With the fix, the same reproducer runs to\ncompletion without the Oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:27.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbfde85308b99938a6092c48753214d190ece48d"
},
{
"url": "https://git.kernel.org/stable/c/29d8cc44bbdf7b83a1929912214afe6643c1b4f1"
},
{
"url": "https://git.kernel.org/stable/c/f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d"
},
{
"url": "https://git.kernel.org/stable/c/9d017671dcfcec23321fb7962dea624f9e71ddb1"
},
{
"url": "https://git.kernel.org/stable/c/bf8c0b5dd203be94c2ad50e264cec19267c6bd39"
},
{
"url": "https://git.kernel.org/stable/c/c3009418f9fa1dcb3eb86f4d8c92583537b5faa3"
}
],
"title": "netfilter: nf_conntrack: destroy stale expectfn expectations on unregister",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53349",
"datePublished": "2026-07-01T13:32:27.412Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:27.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53348 (GCVE-0-2026-53348)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions

sdca_dev_unregister_functions() iterates over all SDCA function
descriptors and calls sdca_dev_unregister() on each func_dev without
checking for NULL. When a function registration has failed partway
through, or the device cleanup races with probe deferral, func_dev
entries may be NULL, leading to a kernel oops:

  BUG: kernel NULL pointer dereference, address: 0000000000000040
  RIP: 0010:device_del+0x1e/0x3e0
  Call Trace:
   sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
   release_nodes+0x35/0xb0
   devres_release_all+0x90/0x100
   device_unbind_cleanup+0xe/0x80
   device_release_driver_internal+0x1c1/0x200
   bus_remove_device+0xc6/0x130
   device_del+0x161/0x3e0
   device_unregister+0x17/0x60
   sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
   sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
   ...
   sof_probe_work+0x19/0x30 [snd_sof]

This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
with the SOF audio driver probe failing due to missing Panther Lake
firmware, causing the subsequent cleanup of SoundWire devices to
trigger the crash.

Fix this with three changes:

1) Add a NULL guard in sdca_dev_unregister() so that callers do not
   need to pre-validate the pointer (defense in depth).

2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
   and clear func_dev to NULL after unregistration, making the
   function idempotent and safe against double-invocation.

3) In sdca_dev_register_functions(), roll back all previously
   registered functions when a later one fails, so the function
   array is never left in a partially-populated state.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_function_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a4895059bb6a8505098a9f75de187fd15631fc8",
"status": "affected",
"version": "4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc",
"versionType": "git"
},
{
"lessThan": "e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd",
"status": "affected",
"version": "4496d1c65bad7a3a32d2e09aaf3c54bc562c3fcc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sdca/sdca_function_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions\n\nsdca_dev_unregister_functions() iterates over all SDCA function\ndescriptors and calls sdca_dev_unregister() on each func_dev without\nchecking for NULL. When a function registration has failed partway\nthrough, or the device cleanup races with probe deferral, func_dev\nentries may be NULL, leading to a kernel oops:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000040\n RIP: 0010:device_del+0x1e/0x3e0\n Call Trace:\n sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]\n release_nodes+0x35/0xb0\n devres_release_all+0x90/0x100\n device_unbind_cleanup+0xe/0x80\n device_release_driver_internal+0x1c1/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x161/0x3e0\n device_unregister+0x17/0x60\n sdw_delete_slave+0xb6/0xd0 [soundwire_bus]\n sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]\n ...\n sof_probe_work+0x19/0x30 [snd_sof]\n\nThis was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)\nwith the SOF audio driver probe failing due to missing Panther Lake\nfirmware, causing the subsequent cleanup of SoundWire devices to\ntrigger the crash.\n\nFix this with three changes:\n\n1) Add a NULL guard in sdca_dev_unregister() so that callers do not\n need to pre-validate the pointer (defense in depth).\n\n2) In sdca_dev_unregister_functions(), skip NULL func_dev entries\n and clear func_dev to NULL after unregistration, making the\n function idempotent and safe against double-invocation.\n\n3) In sdca_dev_register_functions(), roll back all previously\n registered functions when a later one fails, so the function\n array is never left in a partially-populated state."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:26.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a4895059bb6a8505098a9f75de187fd15631fc8"
},
{
"url": "https://git.kernel.org/stable/c/e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd"
}
],
"title": "ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53348",
"datePublished": "2026-07-01T13:32:26.850Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:26.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53347 (GCVE-0-2026-53347)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
drm/virtio: Fix driver removal with disabled KMS
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Fix driver removal with disabled KMS
DRM atomic and modesetting aren't initialized if virtio-gpu driver built
with disabled KMS, leading to access of uninitialized data on driver
removal/unbinding and crashing kernel. Fix it by skipping shutting down
atomic core with unavailable KMS.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 72122c69d71784e390527819754ea456421c4501 , < ed3e134700a2e07caa99b9bc0683ebbe0327c562 (git) |
| Linux | Linux | Affected: 72122c69d71784e390527819754ea456421c4501 , < 38a5f891cda6d121c149c94cda89c31ec7024ee3 (git) |
| Linux | Linux | Affected: 72122c69d71784e390527819754ea456421c4501 , < 19a6a00ff50c284f3a9818882ad2be58b33b790a (git) |
| Linux | Linux | Affected: 72122c69d71784e390527819754ea456421c4501 , < 15e561869a8b4e4db69733be1d6f33770664f989 (git) |
| Linux | Linux | Affected: 72122c69d71784e390527819754ea456421c4501 , < f329e8325e054bd6d84d10904f8dd51137281b92 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed3e134700a2e07caa99b9bc0683ebbe0327c562",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "38a5f891cda6d121c149c94cda89c31ec7024ee3",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "19a6a00ff50c284f3a9818882ad2be58b33b790a",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "15e561869a8b4e4db69733be1d6f33770664f989",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
},
{
"lessThan": "f329e8325e054bd6d84d10904f8dd51137281b92",
"status": "affected",
"version": "72122c69d71784e390527819754ea456421c4501",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix driver removal with disabled KMS\n\nDRM atomic and modesetting aren\u0027t initialized if virtio-gpu driver built\nwith disabled KMS, leading to access of uninitialized data on driver\nremoval/unbinding and crashing kernel. Fix it by skipping shutting down\natomic core with unavailable KMS."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:26.262Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed3e134700a2e07caa99b9bc0683ebbe0327c562"
},
{
"url": "https://git.kernel.org/stable/c/38a5f891cda6d121c149c94cda89c31ec7024ee3"
},
{
"url": "https://git.kernel.org/stable/c/19a6a00ff50c284f3a9818882ad2be58b33b790a"
},
{
"url": "https://git.kernel.org/stable/c/15e561869a8b4e4db69733be1d6f33770664f989"
},
{
"url": "https://git.kernel.org/stable/c/f329e8325e054bd6d84d10904f8dd51137281b92"
}
],
"title": "drm/virtio: Fix driver removal with disabled KMS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53347",
"datePublished": "2026-07-01T13:32:26.262Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:26.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53346 (GCVE-0-2026-53346)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
Summary
In the Linux kernel, the following vulnerability has been resolved:

rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES

Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
uwtable annotation for functions, but not for the module. This means
that compiler-generated functions such as 'asan.module_ctor' do not
receive the uwtable annotation.

When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
failures because the dwarf information emitted for the kasan
constructors is wrong, which causes the SCS boot patching code to
patch the constructor in an illegal manner. Specifically, the paciasp
instruction is patched, but the autiasp instruction is not. This
mismatch leads to a crash when the constructor is called during boot.

    ==================================================================
    BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
    Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1

Specifically the faulting instruction is the (*fn)() to invoke the
constructor in do_ctors() of the init/main.c file.

Once the fix lands in rustc, this flag can be made conditional on the
rustc version. Note that passing the flag on a rustc with the fix
present has no effect.

[ The fix [1] has landed for Rust 1.98.0 (expected release on
2026-08-20).

Thus add a version check as discussed.

- Miguel ]

[ Adjusted link and comment. - Miguel ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < bde772ee239720af216fb0b14753971059e132dc (git) |
| Linux | Linux | Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < d0f25a1755f2c15b1746379c8d9d7dfde85f58f5 (git) |
| Linux | Linux | Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < 7de13410f59e59b21d3c268a6e22d40f5d9d8a54 (git) |
| Linux | Linux | Affected: d077242d68a31075ef5f5da041bf8f6fc19aa231 , < ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bde772ee239720af216fb0b14753971059e132dc",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "d0f25a1755f2c15b1746379c8d9d7dfde85f58f5",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "7de13410f59e59b21d3c268a6e22d40f5d9d8a54",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
},
{
"lessThan": "ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c",
"status": "affected",
"version": "d077242d68a31075ef5f5da041bf8f6fc19aa231",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/Makefile"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES\n\nDue to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the\nuwtable annotation for functions, but not for the module. This means\nthat compiler-generated functions such as \u0027asan.module_ctor\u0027 do not\nreceive the uwtable annotation.\n\nWhen CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot\nfailures because the dwarf information emitted for the kasan\nconstructors is wrong, which causes the SCS boot patching code to\npatch the constructor in an illegal manner. Specifically, the paciasp\ninstruction is patched, but the autiasp instruction is not. This\nmismatch leads to a crash when the constructor is called during boot.\n\n\t==================================================================\n\tBUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90\n\tRead of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1\n\nSpecifically the faulting instruction is the (*fn)() to invoke the\nconstructor in do_ctors() of the init/main.c file.\n\nOnce the fix lands in rustc, this flag can be made conditional on the\nrustc version. Note that passing the flag on a rustc with the fix\npresent has no effect.\n\n[ The fix [1] has landed for Rust 1.98.0 (expected release on\n 2026-08-20).\n\n Thus add a version check as discussed.\n\n - Miguel ]\n\n[ Adjusted link and comment. - Miguel ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:25.668Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bde772ee239720af216fb0b14753971059e132dc"
},
{
"url": "https://git.kernel.org/stable/c/d0f25a1755f2c15b1746379c8d9d7dfde85f58f5"
},
{
"url": "https://git.kernel.org/stable/c/7de13410f59e59b21d3c268a6e22d40f5d9d8a54"
},
{
"url": "https://git.kernel.org/stable/c/ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c"
}
],
"title": "rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53346",
"datePublished": "2026-07-01T13:32:25.668Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:25.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53345 (GCVE-0-2026-53345)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero. This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporary load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page. But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive. And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 033d39e41fc30f484f4e4f37fb4cd76b12cbb18e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 66a8e7ddd901023c89a2733494d827eca3f9c1b0 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 343e95c8ecc40e0738975ef4ee24c0c35e800e6b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 99d7d43784ae3235026581e9bf892c036e04c8e6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8618004d3e897c0f1b71d9a9ab860461289bb89a (git) |
| Linux | Linux | Affected: 0 , < 6.6.143 (semver) |
| Linux | Linux | Affected: 0 , < 6.12.94 (semver) |
| Linux | Linux | Affected: 0 , < 6.18.36 (semver) |
| Linux | Linux | Affected: 0 , < 7.0.13 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "033d39e41fc30f484f4e4f37fb4cd76b12cbb18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "66a8e7ddd901023c89a2733494d827eca3f9c1b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "343e95c8ecc40e0738975ef4ee24c0c35e800e6b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99d7d43784ae3235026581e9bf892c036e04c8e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8618004d3e897c0f1b71d9a9ab860461289bb89a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero. This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn\u0027t already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU\u0027s dirty ring, e.g.\nto ensure userspace doesn\u0027t miss a dirty page. But for the VM\u0027s refcount\nto reach zero, there can\u0027t be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive. And so since userspace can\u0027t\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:25.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e"
},
{
"url": "https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0"
},
{
"url": "https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b"
},
{
"url": "https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6"
},
{
"url": "https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a"
}
],
"title": "KVM: Don\u0027t WARN if memory is dirtied without a vCPU when the VM is dying",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53345",
"datePublished": "2026-07-01T13:32:25.098Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:25.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53344 (GCVE-0-2026-53344)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
Summary
In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init

Regmap initialization triggers regcache_maple_populate() which attempts
SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to
be set; without them, a NULL pointer dereference occurs during probe.

Move initialization before mcp23s08_spi_regmap_init() call.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-mcp23s08_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a13bb9540dfd7014c5601608afcbbadbbcfd673",
"status": "affected",
"version": "f9f4fda15e720686f1b2b436591ab11255e4e85e",
"versionType": "git"
},
{
"lessThan": "8473c3a197b57ff01396f7a2ec6ddf65383820d4",
"status": "affected",
"version": "f9f4fda15e720686f1b2b436591ab11255e4e85e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-mcp23s08_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Initialize mcp-\u003edev and mcp-\u003eaddr before regmap init\n\nRegmap initialization triggers regcache_maple_populate() which attempts\nSPI read to populate cache. SPI read requires mcp-\u003edev and mcp-\u003eaddr to\nbe set, without them, NULL pointer dereference occurs during probe.\n\nMove initialization before mcp23s08_spi_regmap_init() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:24.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a13bb9540dfd7014c5601608afcbbadbbcfd673"
},
{
"url": "https://git.kernel.org/stable/c/8473c3a197b57ff01396f7a2ec6ddf65383820d4"
}
],
"title": "pinctrl: mcp23s08: Initialize mcp-\u003edev and mcp-\u003eaddr before regmap init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53344",
"datePublished": "2026-07-01T13:32:24.546Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:24.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53343 (GCVE-0-2026-53343)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Summary
In the Linux kernel, the following vulnerability has been resolved:

ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow

Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from
VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
__switch_to(). The read uses ldr, but the KASAN shadow address is
byte-granular and is not guaranteed to be word aligned.

ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
with an alignment exception before reaching init.

Use ldrb for the dummy shadow access. The code only needs to fault in the
shadow mapping if the stack shadow is missing, so a byte load is sufficient
and matches the granularity of KASAN shadow memory.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8fe148d39c127de3fb78dfa6da95a3608dfda454 , < c0b8c148a7754826156993ed6442d31536ec86b4 (git) |
| Linux | Linux | Affected: ef21187c0672a2b2cbec44f33bab9ec47d5c277c , < c2e3aadc8fef7da068490597fc5582f8f362aeb2 (git) |
| Linux | Linux | Affected: c86d26b4b089ca294b3b7d915a7da61edb77935f , < c74990828d3c486ee44aaa68240eb3abff289d1c (git) |
| Linux | Linux | Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 517720913bd3c17a52cd55a740064f68455ab88e (git) |
| Linux | Linux | Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 2a4dc9a0ac3326e79fb58fdaae724b92127709a9 (git) |
| Linux | Linux | Affected: 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 , < 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 (git) |
| Linux | Linux | Affected: 6.1.120 , < 6.1.176 (semver) |
| Linux | Linux | Affected: 6.6.64 , < 6.6.143 (semver) |
| Linux | Linux | Affected: 6.12.4 , < 6.12.94 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/kernel/entry-armv.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0b8c148a7754826156993ed6442d31536ec86b4",
"status": "affected",
"version": "8fe148d39c127de3fb78dfa6da95a3608dfda454",
"versionType": "git"
},
{
"lessThan": "c2e3aadc8fef7da068490597fc5582f8f362aeb2",
"status": "affected",
"version": "ef21187c0672a2b2cbec44f33bab9ec47d5c277c",
"versionType": "git"
},
{
"lessThan": "c74990828d3c486ee44aaa68240eb3abff289d1c",
"status": "affected",
"version": "c86d26b4b089ca294b3b7d915a7da61edb77935f",
"versionType": "git"
},
{
"lessThan": "517720913bd3c17a52cd55a740064f68455ab88e",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "2a4dc9a0ac3326e79fb58fdaae724b92127709a9",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6",
"status": "affected",
"version": "44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2",
"versionType": "git"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThan": "6.12.94",
"status": "affected",
"version": "6.12.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/kernel/entry-armv.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow\n\nCommit 44e9a3bb76e5 (\"ARM: 9430/1: entry: Do a dummy read from\nVMAP shadow\") added a dummy read from the KASAN VMAP stack shadow in\n__switch_to(). The read uses ldr, but the KASAN shadow address is\nbyte-granular and is not guaranteed to be word aligned.\n\nARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and\nCONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()\nwith an alignment exception before reaching init.\n\nUse ldrb for the dummy shadow access. The code only needs to fault in the\nshadow mapping if the stack shadow is missing, so a byte load is sufficient\nand matches the granularity of KASAN shadow memory."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:23.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0b8c148a7754826156993ed6442d31536ec86b4"
},
{
"url": "https://git.kernel.org/stable/c/c2e3aadc8fef7da068490597fc5582f8f362aeb2"
},
{
"url": "https://git.kernel.org/stable/c/c74990828d3c486ee44aaa68240eb3abff289d1c"
},
{
"url": "https://git.kernel.org/stable/c/517720913bd3c17a52cd55a740064f68455ab88e"
},
{
"url": "https://git.kernel.org/stable/c/2a4dc9a0ac3326e79fb58fdaae724b92127709a9"
},
{
"url": "https://git.kernel.org/stable/c/77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6"
}
],
"title": "ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53343",
"datePublished": "2026-07-01T13:32:23.979Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:23.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53342 (GCVE-0-2026-53342)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: call pagetable dtor when freeing hot-removed page tables
Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in
__create_pgd_mapping()") page-table allocation on ARM64 always calls
pagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to
PGTY_table, increments NR_PAGETABLE and possibly allocates a PTL. However
the matching pagetable_dtor() calls were never added.
With DEBUG_VM enabled on kernel versions prior to v6.17 without
2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type")
this leads to the following warning when freeing these pages due to
page->page_type sharing page->_mapcount:
BUG: Bad page state in process ... pfn:284fbb
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb
flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)
page_type: f2(table)
page dumped because: nonzero mapcount
Call trace:
bad_page+0x13c/0x160
__free_frozen_pages+0x6cc/0x860
___free_pages+0xf4/0x180
free_pages+0x54/0x80
free_hotplug_page_range.part.0+0x58/0x90
free_empty_tables+0x438/0x500
__remove_pgd_mapping.constprop.0+0x60/0xa8
arch_remove_memory+0x48/0x80
try_remove_memory+0x158/0x1d8
offline_and_remove_memory+0x138/0x180
It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is
defined and incorrect NR_PAGETABLE stats. Fix this by calling
pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page
to undo the effects of calling pagetable_*_ctor().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < 95f27fcda681021ed3906d3cae7e68b6a57a1d8e (git) |
| Linux | Linux | Affected: 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < aaa688ac9f18207f7452c6472e647c1febaea6a3 (git) |
| Linux | Linux | Affected: 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f , < c594b83457ccdee76d458416fb3bc9348a37592f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95f27fcda681021ed3906d3cae7e68b6a57a1d8e",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
},
{
"lessThan": "aaa688ac9f18207f7452c6472e647c1febaea6a3",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
},
{
"lessThan": "c594b83457ccdee76d458416fb3bc9348a37592f",
"status": "affected",
"version": "5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: call pagetable dtor when freeing hot-removed page tables\n\nSince 5e8eb9aeeda3 (\"arm64: mm: always call PTE/PMD ctor in\n__create_pgd_mapping()\") page-table allocation on ARM64 always calls\npagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to\nPGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However\nthe matching pagetable_dtor() calls were never added.\n\nWith DEBUG_VM enabled on kernel versions prior to v6.17 without\n2dfcd1608f3a9 (\"mm/page_alloc: let page freeing clear any set page type\")\nthis leads to the following warning when freeing these pages due to\npage-\u003epage_type sharing page-\u003e_mapcount:\n\n BUG: Bad page state in process ... pfn:284fbb\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb\n flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)\n page_type: f2(table)\n page dumped because: nonzero mapcount\n Call trace:\n bad_page+0x13c/0x160\n __free_frozen_pages+0x6cc/0x860\n ___free_pages+0xf4/0x180\n free_pages+0x54/0x80\n free_hotplug_page_range.part.0+0x58/0x90\n free_empty_tables+0x438/0x500\n __remove_pgd_mapping.constprop.0+0x60/0xa8\n arch_remove_memory+0x48/0x80\n try_remove_memory+0x158/0x1d8\n offline_and_remove_memory+0x138/0x180\n\nIt can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is\ndefined and incorrect NR_PAGETABLE stats. Fix this by calling\npagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page\nto undo the effects of calling pagetable_*_ctor()."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:23.449Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95f27fcda681021ed3906d3cae7e68b6a57a1d8e"
},
{
"url": "https://git.kernel.org/stable/c/aaa688ac9f18207f7452c6472e647c1febaea6a3"
},
{
"url": "https://git.kernel.org/stable/c/c594b83457ccdee76d458416fb3bc9348a37592f"
}
],
"title": "arm64: mm: call pagetable dtor when freeing hot-removed page tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53342",
"datePublished": "2026-07-01T13:32:23.449Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:23.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53341 (GCVE-0-2026-53341)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
may_decode_fh() accesses mount::mnt_ns without holding any locks; that
means the mount can concurrently be unmounted, and the mnt_namespace can
concurrently be freed after an RCU grace period.
This race can happen as follows, assuming that the mount point was
created by open_tree(..., OPEN_TREE_CLONE):
| thread 1 | thread 2 | RCU |
|---|---|---|
| | __do_sys_open_by_handle_at | |
| | do_handle_open | |
| | handle_to_path | |
| | may_decode_fh | |
| | is_mounted | |
| | [mount::mnt_ns access] | |
| | [mount::mnt_ns access] | |
| __do_sys_close | | |
| fput_close_sync | | |
| __fput | | |
| dissolve_on_fput | | |
| umount_tree | | |
| class_namespace_excl_destructor | | |
| namespace_unlock | | |
| free_mnt_ns | | |
| mnt_ns_tree_remove | | |
| call_rcu(mnt_ns_release_rcu) | | |
| | | mnt_ns_release_rcu |
| | | mnt_ns_release |
| | | kfree |
| | [mnt_namespace::user_ns access] **UAF** | |
Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
in __prepend_path().
Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
for writers that can race with lockless readers.
This bug is unreachable unless one of the following is set:
- CONFIG_PREEMPTION
- CONFIG_RCU_STRICT_GRACE_PERIOD
because it requires an RCU grace period to happen during a syscall without
an explicit preemption.
This doesn't seem to have interesting security impact; worst-case, it could
leak the result of an integer comparison to userspace (from the level
check in cap_capable()), cause an endless loop, or crash the kernel by
dereferencing an invalid address.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 32138633e51e6db59e474765cf93268c92b42888 (git) |
| Linux | Linux | Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < a8ed2c29fcfdac78db96c9da4e659c8a513f2a94 (git) |
| Linux | Linux | Affected: 620c266f394932e5decc4b34683a75dfc59dc2f4 , < 40ab6644b99685755f740b872c00ef40d9aa870e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fhandle.c",
"fs/mount.h",
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32138633e51e6db59e474765cf93268c92b42888",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
},
{
"lessThan": "a8ed2c29fcfdac78db96c9da4e659c8a513f2a94",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
},
{
"lessThan": "40ab6644b99685755f740b872c00ef40d9aa870e",
"status": "affected",
"version": "620c266f394932e5decc4b34683a75dfc59dc2f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fhandle.c",
"fs/mount.h",
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfhandle: fix UAF due to unlocked -\u003emnt_ns read in may_decode_fh()\n\nmay_decode_fh() accesses mount::mnt_ns without holding any locks; that\nmeans the mount can concurrently be unmounted, and the mnt_namespace can\nconcurrently be freed after an RCU grace period.\n\nThis race can happens as follows, assuming that the mount point was\ncreated by open_tree(..., OPEN_TREE_CLONE):\n\nthread 1 thread 2 RCU\n __do_sys_open_by_handle_at\n do_handle_open\n handle_to_path\n may_decode_fh\n is_mounted\n [mount::mnt_ns access]\n [mount::mnt_ns access]\n__do_sys_close\n fput_close_sync\n __fput\n dissolve_on_fput\n umount_tree\n class_namespace_excl_destructor\n namespace_unlock\n free_mnt_ns\n mnt_ns_tree_remove\n call_rcu(mnt_ns_release_rcu)\n mnt_ns_release_rcu\n mnt_ns_release\n kfree\n [mnt_namespace::user_ns access] **UAF**\n\nFix it by taking rcu_read_lock() around the mount::mnt_ns access, like\nin __prepend_path().\nAdditionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()\nfor writers that can race with lockless readers.\n\nThis bug is unreachable unless one of the following is set:\n\n - CONFIG_PREEMPTION\n - CONFIG_RCU_STRICT_GRACE_PERIOD\n\nbecause it requires an RCU grace period to happen during a syscall without\nan explicit preemption.\n\nThis doesn\u0027t seem to have interesting security impact; worst-case, it could\nleak the result of an integer comparison to userspace (from the level\ncheck in cap_capable()), cause an endless loop, or crash the kernel by\ndereferencing an invalid address."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:22.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32138633e51e6db59e474765cf93268c92b42888"
},
{
"url": "https://git.kernel.org/stable/c/a8ed2c29fcfdac78db96c9da4e659c8a513f2a94"
},
{
"url": "https://git.kernel.org/stable/c/40ab6644b99685755f740b872c00ef40d9aa870e"
}
],
"title": "fhandle: fix UAF due to unlocked -\u003emnt_ns read in may_decode_fh()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53341",
"datePublished": "2026-07-01T13:32:22.873Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:22.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53340 (GCVE-0-2026-53340)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
In i2c_imx_runtime_suspend(), the clock is disabled before switching
the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,
the runtime suspend is aborted but the clock remains disabled, causing
a system crash when the hardware is subsequently accessed.
Fix this by switching the pinctrl state before disabling the clock so
that a pinctrl failure leaves the clock enabled and the hardware
accessible.
In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep
if clk_enable() fails to keep the consistent.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 576eba03c99435380d155e5f71d5d7603b9178f6 , < 9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d (git) |
| Linux | Linux | Affected: 576eba03c99435380d155e5f71d5d7603b9178f6 , < c8f5269c1bf505847bc7dbb92054594790114de6 (git) |
| Linux | Linux | Affected: 576eba03c99435380d155e5f71d5d7603b9178f6 , < 8783fb8031799f1230997c16df8c8dce9fcd1841 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
},
{
"lessThan": "c8f5269c1bf505847bc7dbb92054594790114de6",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
},
{
"lessThan": "8783fb8031799f1230997c16df8c8dce9fcd1841",
"status": "affected",
"version": "576eba03c99435380d155e5f71d5d7603b9178f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: fix clock and pinctrl state inconsistency in runtime PM\n\nIn i2c_imx_runtime_suspend(), the clock is disabled before switching\nthe pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,\nthe runtime suspend is aborted but the clock remains disabled, causing\na system crash when the hardware is subsequently accessed.\n\nFix this by switching the pinctrl state before disabling the clock so\nthat a pinctrl failure leaves the clock enabled and the hardware\naccessible.\n\nIn i2c_imx_runtime_resume(), restore the pinctrl state back to sleep\nif clk_enable() fails to keep the consistent."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:22.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d"
},
{
"url": "https://git.kernel.org/stable/c/c8f5269c1bf505847bc7dbb92054594790114de6"
},
{
"url": "https://git.kernel.org/stable/c/8783fb8031799f1230997c16df8c8dce9fcd1841"
}
],
"title": "i2c: imx: fix clock and pinctrl state inconsistency in runtime PM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53340",
"datePublished": "2026-07-01T13:32:22.276Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:22.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53339 (GCVE-0-2026-53339)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:
% rmmod i2c-qcom-cci
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
<snip>
Call trace:
__wait_for_common+0x194/0x1a8 (P)
wait_for_completion_timeout+0x20/0x2c
cci_remove+0xc4/0x138 [i2c_qcom_cci]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
platform_driver_unregister+0x14/0x20
qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
....
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < e8669d12da0ade52adfe0abe96cd99e708abc9bd (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < 4d2b4a9cda6837e5ee1de1290f2e773a713b71e9 (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < a50b8adb9cdb9a495b0b45583956897b7411ed7a (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < 7107627b8b35015027201e7a095a3f6e30b4a46f (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < 4cd206c1d57a9370d5219f7b1fc45169d7bdf951 (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < a162a260c8c4db7501c65220e76913e8e351f823 (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < 8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff (git) |
| Linux | Linux | Affected: e517526195de400158e05a08764d1fb61d579105 , < 729ac5a4b966aac42e08a94dea966f4429008548 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qcom-cci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8669d12da0ade52adfe0abe96cd99e708abc9bd",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "4d2b4a9cda6837e5ee1de1290f2e773a713b71e9",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "a50b8adb9cdb9a495b0b45583956897b7411ed7a",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "7107627b8b35015027201e7a095a3f6e30b4a46f",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "4cd206c1d57a9370d5219f7b1fc45169d7bdf951",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "a162a260c8c4db7501c65220e76913e8e351f823",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
},
{
"lessThan": "729ac5a4b966aac42e08a94dea966f4429008548",
"status": "affected",
"version": "e517526195de400158e05a08764d1fb61d579105",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-qcom-cci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qcom-cci: Fix NULL pointer dereference in cci_remove()\n\nOn all modern platforms Qualcomm CCI controller provides two I2C masters,\nand on particular boards only one I2C master may be initialized, and in\nsuch cases the device unbinding or driver removal causes a NULL pointer\ndereference, because cci_halt() is called for all two I2C masters, but\na completion is initialized only for the single enabled master:\n\n % rmmod i2c-qcom-cci\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n \u003csnip\u003e\n Call trace:\n __wait_for_common+0x194/0x1a8 (P)\n wait_for_completion_timeout+0x20/0x2c\n cci_remove+0xc4/0x138 [i2c_qcom_cci]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n driver_detach+0x50/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]\n ...."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:21.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8669d12da0ade52adfe0abe96cd99e708abc9bd"
},
{
"url": "https://git.kernel.org/stable/c/4d2b4a9cda6837e5ee1de1290f2e773a713b71e9"
},
{
"url": "https://git.kernel.org/stable/c/a50b8adb9cdb9a495b0b45583956897b7411ed7a"
},
{
"url": "https://git.kernel.org/stable/c/7107627b8b35015027201e7a095a3f6e30b4a46f"
},
{
"url": "https://git.kernel.org/stable/c/4cd206c1d57a9370d5219f7b1fc45169d7bdf951"
},
{
"url": "https://git.kernel.org/stable/c/a162a260c8c4db7501c65220e76913e8e351f823"
},
{
"url": "https://git.kernel.org/stable/c/8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff"
},
{
"url": "https://git.kernel.org/stable/c/729ac5a4b966aac42e08a94dea966f4429008548"
}
],
"title": "i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53339",
"datePublished": "2026-07-01T13:32:21.709Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:21.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53338 (GCVE-0-2026-53338)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
of_reserved_mem_lookup() may return NULL if the reserved memory region
referenced by the "memory-region" phandle is not found in the reserved
memory table (e.g. due to a misconfigured DTS or a removed
memory-region node). The current code dereferences the returned
pointer without checking for NULL, leading to a kernel NULL pointer
dereference at the following lines:
dma_addr = rmem->base; // line 1156
num_desc = div_u64(rmem->size, buf_size); // line 1160
Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if
the lookup fails, which is consistent with the existing error handling
for of_parse_phandle() failure in the same code block.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < 01f7d4b504580664d36faea5671cde5e3f0d8a5b (git) |
| Linux | Linux | Affected: 3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < cdb96c42db7b256348f9b57718debfaa4bca6b39 (git) |
| Linux | Linux | Affected: 3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b , < f9f25118faa4dd2b6e3d14a03d123bbdbd59925d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/airoha/airoha_eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01f7d4b504580664d36faea5671cde5e3f0d8a5b",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
},
{
"lessThan": "cdb96c42db7b256348f9b57718debfaa4bca6b39",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
},
{
"lessThan": "f9f25118faa4dd2b6e3d14a03d123bbdbd59925d",
"status": "affected",
"version": "3a1ce9e3d01bbf3912c3e3f81cb554d558eb715b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/airoha/airoha_eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()\n\nof_reserved_mem_lookup() may return NULL if the reserved memory region\nreferenced by the \"memory-region\" phandle is not found in the reserved\nmemory table (e.g. due to a misconfigured DTS or a removed\nmemory-region node). The current code dereferences the returned\npointer without checking for NULL, leading to a kernel NULL pointer\ndereference at the following lines:\n\n dma_addr = rmem-\u003ebase; // line 1156\n num_desc = div_u64(rmem-\u003esize, buf_size); // line 1160\n\nAdd a NULL check after of_reserved_mem_lookup() and return -ENODEV if\nthe lookup fails, which is consistent with the existing error handling\nfor of_parse_phandle() failure in the same code block."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:21.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01f7d4b504580664d36faea5671cde5e3f0d8a5b"
},
{
"url": "https://git.kernel.org/stable/c/cdb96c42db7b256348f9b57718debfaa4bca6b39"
},
{
"url": "https://git.kernel.org/stable/c/f9f25118faa4dd2b6e3d14a03d123bbdbd59925d"
}
],
"title": "net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53338",
"datePublished": "2026-07-01T13:32:21.147Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:21.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53337 (GCVE-0-2026-53337)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:
    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;
The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.
This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.
Fix by moving the slave_dbg() call after the NULL check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < 1b7558c85493467b2ea20738866b822db6442034 (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < b02b2e3e876c18733b868a29064abd11cdbf8feb (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < 66693957bacd1c9dae6188a7312d6be69a221f2d (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < a629418d463fb50d132a1aa063b0105857311e5f (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < bcb8fad90f27300add583a8371db504b766d95c7 (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < b0878106ddc486375084145848ff255dedfff46a (git) |
| Linux | Linux | Affected: e2a7420df2e01370b40e4cf7b85ab9a885c6d755 , < a764b0e8317a863006e05732e1aefe821b9d8c2d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b7558c85493467b2ea20738866b822db6442034",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "b02b2e3e876c18733b868a29064abd11cdbf8feb",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "66693957bacd1c9dae6188a7312d6be69a221f2d",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "a629418d463fb50d132a1aa063b0105857311e5f",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "bcb8fad90f27300add583a8371db504b766d95c7",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "b0878106ddc486375084145848ff255dedfff46a",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
},
{
"lessThan": "a764b0e8317a863006e05732e1aefe821b9d8c2d",
"status": "affected",
"version": "e2a7420df2e01370b40e4cf7b85ab9a885c6d755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL pointer dereference in bond_do_ioctl()\n\nIn bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which\ncan return NULL if the requested interface name does not exist. However,\nthe subsequent slave_dbg() call is placed before the NULL check:\n\n slave_dev = __dev_get_by_name(net, ifr-\u003eifr_slave);\n slave_dbg(bond_dev, slave_dev, \"slave_dev=%p:\\n\", slave_dev); //here\n if (!slave_dev)\n return -ENODEV;\n\nThe slave_dbg() macro expands to netdev_dbg(bond_dev, \"(slave %s): \" fmt,\n(slave_dev)-\u003ename, ...) which unconditionally dereferences slave_dev-\u003ename\nbefore the NULL check is performed. This results in a NULL pointer\ndereference kernel oops when a user calls bonding ioctl (e.g.\nSIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave\ninterface name.\n\nThis is reachable from userspace via the bonding ioctl interface with\nCAP_NET_ADMIN capability, making it a potential local denial-of-service\nvector.\n\nFix by moving the slave_dbg() call after the NULL check."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:19.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b7558c85493467b2ea20738866b822db6442034"
},
{
"url": "https://git.kernel.org/stable/c/b02b2e3e876c18733b868a29064abd11cdbf8feb"
},
{
"url": "https://git.kernel.org/stable/c/66693957bacd1c9dae6188a7312d6be69a221f2d"
},
{
"url": "https://git.kernel.org/stable/c/a629418d463fb50d132a1aa063b0105857311e5f"
},
{
"url": "https://git.kernel.org/stable/c/c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba"
},
{
"url": "https://git.kernel.org/stable/c/bcb8fad90f27300add583a8371db504b766d95c7"
},
{
"url": "https://git.kernel.org/stable/c/b0878106ddc486375084145848ff255dedfff46a"
},
{
"url": "https://git.kernel.org/stable/c/a764b0e8317a863006e05732e1aefe821b9d8c2d"
}
],
"title": "net: bonding: fix NULL pointer dereference in bond_do_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53337",
"datePublished": "2026-07-01T13:32:19.046Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:19.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53336 (GCVE-0-2026-53336)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
nvmem: layouts: onie-tlv: fix hang on unknown types
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmem: layouts: onie-tlv: fix hang on unknown types
The EEPROM on my board has a vendor specific entry of type 0x41. When
stumbling upon that, this driver hangs in an endless loop.
Fix it by continuing to increment the offset on unknown entries, so the loop
will eventually stop.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 033d498b0f473c6456be5f885be172024ad84972 (git) |
| Linux | Linux | Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < fd47edeabadfaa75422009dc5894e92c4c697517 (git) |
| Linux | Linux | Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 4a4d21f531ccf5bb333d99b620e0d66551f3652c (git) |
| Linux | Linux | Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < 4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6 (git) |
| Linux | Linux | Affected: d3c0d12f6474216bf386101e2449cc73e5c5b61d , < ea41020b9018e31c2ea7e9d89021e3e6d7470883 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/layouts/onie-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "033d498b0f473c6456be5f885be172024ad84972",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "fd47edeabadfaa75422009dc5894e92c4c697517",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "4a4d21f531ccf5bb333d99b620e0d66551f3652c",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
},
{
"lessThan": "ea41020b9018e31c2ea7e9d89021e3e6d7470883",
"status": "affected",
"version": "d3c0d12f6474216bf386101e2449cc73e5c5b61d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/layouts/onie-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: layouts: onie-tlv: fix hang on unknown types\n\nThe EEPROM on my board has a vendor specific entry of type 0x41. When\nstumbling upon that, this driver hangs in an endless loop.\n\nFix it by keep incrementing the offset on unknown entries, so the loop\nwill eventually stop."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:18.489Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/033d498b0f473c6456be5f885be172024ad84972"
},
{
"url": "https://git.kernel.org/stable/c/fd47edeabadfaa75422009dc5894e92c4c697517"
},
{
"url": "https://git.kernel.org/stable/c/4a4d21f531ccf5bb333d99b620e0d66551f3652c"
},
{
"url": "https://git.kernel.org/stable/c/4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6"
},
{
"url": "https://git.kernel.org/stable/c/ea41020b9018e31c2ea7e9d89021e3e6d7470883"
}
],
"title": "nvmem: layouts: onie-tlv: fix hang on unknown types",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53336",
"datePublished": "2026-07-01T13:32:18.489Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:18.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53335 (GCVE-0-2026-53335)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
mm/damon/lru_sort: handle ctx allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/lru_sort: handle ctx allocation failure
DAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init
function. damon_lru_sort_enabled_store() wrongly assumes the allocation
will always succeed once tried. If the damon_ctx allocation failed,
therefore, code execution reaches damon_commit_ctx() while 'ctx' is
NULL. As a result, it dereferences the NULL 'ctx' pointer. Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < 6d48f15659395bf1381114f01be91bc68e0be46a (git) |
| Linux | Linux | Affected: c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < daab1996431a71f43219dcac48ecc9ad2aad3f1c (git) |
| Linux | Linux | Affected: c4a8e662c839ac0003e4781aa324cb2d68ed9cb1 , < ab04340b5ae5d52c1d46b750538febcde9d889e7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d48f15659395bf1381114f01be91bc68e0be46a",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
},
{
"lessThan": "daab1996431a71f43219dcac48ecc9ad2aad3f1c",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
},
{
"lessThan": "ab04340b5ae5d52c1d46b750538febcde9d889e7",
"status": "affected",
"version": "c4a8e662c839ac0003e4781aa324cb2d68ed9cb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: handle ctx allocation failure\n\nDAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init\nfunction. damon_lru_sort_enabled_store() wrongly assumes the allocation\nwill always succeed once tried. If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while \u0027ctx\u0027 is\nNULL. As a result, it dereferences the NULL \u0027ctx\u0027 pointer. Avoid the\nNULL dereference by returning -ENOMEM if \u0027ctx\u0027 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:17.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d48f15659395bf1381114f01be91bc68e0be46a"
},
{
"url": "https://git.kernel.org/stable/c/daab1996431a71f43219dcac48ecc9ad2aad3f1c"
},
{
"url": "https://git.kernel.org/stable/c/ab04340b5ae5d52c1d46b750538febcde9d889e7"
}
],
"title": "mm/damon/lru_sort: handle ctx allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53335",
"datePublished": "2026-07-01T13:32:17.953Z",
"dateReserved": "2026-06-09T07:44:35.399Z",
"dateUpdated": "2026-07-01T13:32:17.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53334 (GCVE-0-2026-53334)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
mm/damon/reclaim: handle ctx allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/reclaim: handle ctx allocation failure
Patch series "mm/damon/{reclaim,lru_sort}: handle ctx allocation failures".
DAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their
damon_ctx object allocations fail. The bugs are expected to happen
infrequently because the allocations are arguably too small to fail on
common setups. But theoretically they are possible and the consequences
are bad. Fix those.
The issues were discovered [1] by Sashiko.
This patch (of 2):
DAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init
function. damon_reclaim_enabled_store() wrongly assumes the allocation
will always succeed once tried. If the damon_ctx allocation failed,
therefore, code execution reaches damon_commit_ctx() while 'ctx' is
NULL. As a result, it dereferences the NULL 'ctx' pointer. Avoid the
NULL dereference by returning -ENOMEM if 'ctx' is NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 66bc00ea37fa8ec14be5a3909d067a5967ef234b (git) |
| Linux | Linux | Affected: 3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 635b45ce61de53a9357e28ac97461428cdb650f0 (git) |
| Linux | Linux | Affected: 3f7a914ab9a5e46cf8aac7de270f02aa3f63de04 , < 7e2ed8a29427af534bf2cb9b8bc51762b8b6e654 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66bc00ea37fa8ec14be5a3909d067a5967ef234b",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
},
{
"lessThan": "635b45ce61de53a9357e28ac97461428cdb650f0",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
},
{
"lessThan": "7e2ed8a29427af534bf2cb9b8bc51762b8b6e654",
"status": "affected",
"version": "3f7a914ab9a5e46cf8aac7de270f02aa3f63de04",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: handle ctx allocation failure\n\nPatch series \"mm/damon/{reclaim,lru_sort}: handle ctx allocation failures\".\n\nDAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their\ndamon_ctx object allocations fail. The bugs are expected to happen\ninfrequently because the allocations are arguably too small to fail on\ncommon setups. But theoretically they are possible and the consequences\nare bad. Fix those.\n\nThe issues were discovered [1] by Sashiko.\n\n\nThis patch (of 2):\n\nDAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init\nfunction. damon_reclaim_enabled_store() wrongly assumes the allocation\nwill always succeed once tried. If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while \u0027ctx\u0027 is\nNULL. As a result, it dereferences the NULL \u0027ctx\u0027 pointer. Avoid the\nNULL dereference by returning -ENOMEM if \u0027ctx\u0027 is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:17.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66bc00ea37fa8ec14be5a3909d067a5967ef234b"
},
{
"url": "https://git.kernel.org/stable/c/635b45ce61de53a9357e28ac97461428cdb650f0"
},
{
"url": "https://git.kernel.org/stable/c/7e2ed8a29427af534bf2cb9b8bc51762b8b6e654"
}
],
"title": "mm/damon/reclaim: handle ctx allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53334",
"datePublished": "2026-07-01T13:32:17.419Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:17.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53333 (GCVE-0-2026-53333)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
mincore_swap() also fields migration/hwpoison entries (and shmem
swapin-error entries), which can exist on !CONFIG_SWAP builds when
CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The
!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,
so mincore_pte_range() can spuriously WARN and report these pages
nonresident on !CONFIG_SWAP kernels.
Move the guard below the non-swap-entry check so only true swap entries
trip the WARN, and migration/hwpoison entries take the existing "uptodate
/ non-shmem" path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1f2052755c152940c336918bd73d13d5468f548b , < a8f91ddf67f669f547bb9fb559738da6f8ee2cf3 (git) |
| Linux | Linux | Affected: 1f2052755c152940c336918bd73d13d5468f548b , < 3481d4372ae34243f7025925314385b852c50f7e (git) |
| Linux | Linux | Affected: 1f2052755c152940c336918bd73d13d5468f548b , < 0c25b8734367574e21aeb8468c2e522713134da7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mincore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f91ddf67f669f547bb9fb559738da6f8ee2cf3",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
},
{
"lessThan": "3481d4372ae34243f7025925314385b852c50f7e",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
},
{
"lessThan": "0c25b8734367574e21aeb8468c2e522713134da7",
"status": "affected",
"version": "1f2052755c152940c336918bd73d13d5468f548b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mincore.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mincore: handle non-swap entries before !CONFIG_SWAP guard\n\nmincore_swap() also fields migration/hwpoison entries (and shmem\nswapin-error entries), which can exist on !CONFIG_SWAP builds when\nCONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The\n!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,\nso mincore_pte_range() can spuriously WARN and report these pages\nnonresident on !CONFIG_SWAP kernels.\n\nMove the guard below the non-swap-entry check so only true swap entries\ntrip the WARN, and migration/hwpoison entries take the existing \"uptodate\n/ non-shmem\" path."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:16.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f91ddf67f669f547bb9fb559738da6f8ee2cf3"
},
{
"url": "https://git.kernel.org/stable/c/3481d4372ae34243f7025925314385b852c50f7e"
},
{
"url": "https://git.kernel.org/stable/c/0c25b8734367574e21aeb8468c2e522713134da7"
}
],
"title": "mm/mincore: handle non-swap entries before !CONFIG_SWAP guard",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53333",
"datePublished": "2026-07-01T13:32:16.852Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:16.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53332 (GCVE-0-2026-53332)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
Summary
In the Linux kernel, the following vulnerability has been resolved:
slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
When the remoteproc starts in parallel with the NGD driver being probed,
or the remoteproc is already up when the PDR lookup is being registered,
or in the theoretical event that we get an interrupt from the hardware,
these callbacks will operate on uninitialized data. This results in
issues booting the affected boards.
One such example can be seen in the following fault, where
qcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.
    [ 21.858578] ------------[ cut here ]------------
    [ 21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
    ...
    [ 21.859251] Call trace:
    [ 21.859255] __queue_work+0x5e0/0x790 (P)
    [ 21.859265] queue_work_on+0x6c/0xf0
    [ 21.859273] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
    [ 21.859304] qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
    [ 21.859318] notifier_call_chain+0xa4/0x230
    [ 21.859329] srcu_notifier_call_chain+0x64/0xb8
    [ 21.859338] ssr_notify_start+0x40/0x78 [qcom_common]
    [ 21.859355] rproc_start+0x130/0x230
    [ 21.859367] rproc_boot+0x3d4/0x518
    ...
Move the enablement of interrupts, and the registration of SSR and PDR
until after the NGD device has been registered.
This could be further refined by moving initialization to the control
driver probe and by removing the platform driver model from the picture.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 917809e2280bb83994be8b642373fd941d40c407 , < fa3790c7ea98328ddc3f7d8bf40247556245a6fc (git) |
| Linux | Linux | Affected: 917809e2280bb83994be8b642373fd941d40c407 , < 24ec89123fc9d0d24ce719dcf7fd6c57e5b0d753 (git) |
| Linux | Linux | Affected: 917809e2280bb83994be8b642373fd941d40c407 , < 08564e15c47a5fb0af6643a43ee15521d49bcdea (git) |
| Linux | Linux | Affected: 917809e2280bb83994be8b642373fd941d40c407 , < 2a9d50e9ea406e0c8735938484adc20515ef1b47 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/qcom-ngd-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa3790c7ea98328ddc3f7d8bf40247556245a6fc",
"status": "affected",
"version": "917809e2280bb83994be8b642373fd941d40c407",
"versionType": "git"
},
{
"lessThan": "24ec89123fc9d0d24ce719dcf7fd6c57e5b0d753",
"status": "affected",
"version": "917809e2280bb83994be8b642373fd941d40c407",
"versionType": "git"
},
{
"lessThan": "08564e15c47a5fb0af6643a43ee15521d49bcdea",
"status": "affected",
"version": "917809e2280bb83994be8b642373fd941d40c407",
"versionType": "git"
},
{
"lessThan": "2a9d50e9ea406e0c8735938484adc20515ef1b47",
"status": "affected",
"version": "917809e2280bb83994be8b642373fd941d40c407",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/qcom-ngd-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd\n\nWhen the remoteproc starts in parallel with the NGD driver being probed,\nor the remoteproc is already up when the PDR lookup is being registered,\nor in the theoretical event that we get an interrupt from the hardware,\nthese callbacks will operate on uninitialized data. This result in\nissues to boot the affected boards.\n\nOne such example can be seen in the following fault, where\nqcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.\n\n[ 21.858578] ------------[ cut here ]------------\n[ 21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116\n...\n[ 21.859251] Call trace:\n[ 21.859255] __queue_work+0x5e0/0x790 (P)\n[ 21.859265] queue_work_on+0x6c/0xf0\n[ 21.859273] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]\n[ 21.859304] qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]\n[ 21.859318] notifier_call_chain+0xa4/0x230\n[ 21.859329] srcu_notifier_call_chain+0x64/0xb8\n[ 21.859338] ssr_notify_start+0x40/0x78 [qcom_common]\n[ 21.859355] rproc_start+0x130/0x230\n[ 21.859367] rproc_boot+0x3d4/0x518\n...\n\nMove the enablement of interrupts, and the registration of SSR and PDR\nuntil after the NGD device has been registered.\n\nThis could be further refined by moving initialization to the control\ndriver probe and by removing the platform driver model from the picture."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:16.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa3790c7ea98328ddc3f7d8bf40247556245a6fc"
},
{
"url": "https://git.kernel.org/stable/c/24ec89123fc9d0d24ce719dcf7fd6c57e5b0d753"
},
{
"url": "https://git.kernel.org/stable/c/08564e15c47a5fb0af6643a43ee15521d49bcdea"
},
{
"url": "https://git.kernel.org/stable/c/2a9d50e9ea406e0c8735938484adc20515ef1b47"
}
],
"title": "slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53332",
"datePublished": "2026-07-01T13:32:16.289Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:16.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53331 (GCVE-0-2026-53331)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
During the SSR/PDR down notification the tx_lock is taken with the
intent to provide synchronization with active DMA transfers.
But during this period qcom_slim_ngd_down() is invoked, which ends up in
slim_report_absent(), which takes the slim_controller lock. In multiple
other codepaths these two locks are taken in the opposite order (i.e.
slim_controller then tx_lock).
The result is a lockdep splat, and a possible deadlock:
    rprocctl/449 is trying to acquire lock:
    ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus

    but task is already holding lock:
    ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl

    which lock already depends on the new lock.

    Possible unsafe locking scenario:

          CPU0                    CPU1
          ----                    ----
     lock(&ctrl->tx_lock);
                                  lock(&ctrl->lock);
                                  lock(&ctrl->tx_lock);
     lock(&ctrl->lock);

The assumption is that the comment refers to the desire to not call
qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
But any such transaction is initiated and completed within a single
qcom_slim_ngd_xfer_msg().
Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
down, all child devices are notified that the slimbus is gone and the
child devices are removed.
Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
deadlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < 3d1561537237c6cc1db76155183d8bbdac2339f0 (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < dc4d5c57e012c2c669793deb1515a57bbc6bf5dd (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < d54a221b0f3cd9e1f03f18104be34e02a8258fae (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8 (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < 9f0d45d509b434c54da10e01f4ef8086e4583401 (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < 9708eb50fd7343145b422be852f890212155d845 (git) |
| Linux | Linux | Affected: a899d324863a3d15ce0eea513884e1b73a758c58 , < 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/qcom-ngd-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d1561537237c6cc1db76155183d8bbdac2339f0",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "dc4d5c57e012c2c669793deb1515a57bbc6bf5dd",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "d54a221b0f3cd9e1f03f18104be34e02a8258fae",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "9f0d45d509b434c54da10e01f4ef8086e4583401",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "9708eb50fd7343145b422be852f890212155d845",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
},
{
"lessThan": "55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec",
"status": "affected",
"version": "a899d324863a3d15ce0eea513884e1b73a758c58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/qcom-ngd-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl-\u003elock\n\nDuring the SSR/PDR down notification the tx_lock is taken with the\nintent to provide synchronization with active DMA transfers.\n\nBut during this period qcom_slim_ngd_down() is invoked, which ends up in\nslim_report_absent(), which takes the slim_controller lock. In multiple\nother codepaths these two locks are taken in the opposite order (i.e.\nslim_controller then tx_lock).\n\nThe result is a lockdep splat, and a possible deadlock:\n\n rprocctl/449 is trying to acquire lock:\n ffff00009793e620 (\u0026ctrl-\u003elock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus\n\n but task is already holding lock:\n ffff00009793fb50 (\u0026ctrl-\u003etx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl\n\n which lock already depends on the new lock.\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(\u0026ctrl-\u003etx_lock);\n lock(\u0026ctrl-\u003elock);\n lock(\u0026ctrl-\u003etx_lock);\n lock(\u0026ctrl-\u003elock);\n\nThe assumption is that the comment refers to the desire to not call\nqcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.\nBut any such transaction is initiated and completed within a single\nqcom_slim_ngd_xfer_msg().\n\nPrior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn\ndown, all child devices are notified that the slimbus is gone and the\nchild devices are removed.\n\nStop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the\ndeadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:15.733Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d1561537237c6cc1db76155183d8bbdac2339f0"
},
{
"url": "https://git.kernel.org/stable/c/dc4d5c57e012c2c669793deb1515a57bbc6bf5dd"
},
{
"url": "https://git.kernel.org/stable/c/d54a221b0f3cd9e1f03f18104be34e02a8258fae"
},
{
"url": "https://git.kernel.org/stable/c/aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8"
},
{
"url": "https://git.kernel.org/stable/c/9f0d45d509b434c54da10e01f4ef8086e4583401"
},
{
"url": "https://git.kernel.org/stable/c/9708eb50fd7343145b422be852f890212155d845"
},
{
"url": "https://git.kernel.org/stable/c/55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec"
}
],
"title": "slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl-\u003elock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53331",
"datePublished": "2026-07-01T13:32:15.733Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:15.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53330 (GCVE-0-2026-53330)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()
[Why & How]
The aux_rd_interval array in struct dc_lttpr_caps is declared with
MAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset
parameter passed to dp_get_eq_aux_rd_interval() can be as large as
MAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD.
This leads to an out-of-bounds read of aux_rd_interval[7] when offset
is 8.
Fix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to
accommodate the full range of valid repeater counts defined by the DP
spec.
(cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 454d3b3d499c18373f8960d31aea48338a3ca9e0 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dc1490927d79fe9621e29f4a4f5d7b5ccb6aea3e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e8b4d37eba05141ee01794fc6b7f2da808cee83b (git) |
| Linux | Linux | Affected: 0 , < 6.18.36 (semver) |
| Linux | Linux | Affected: 0 , < 7.0.13 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dp_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "454d3b3d499c18373f8960d31aea48338a3ca9e0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dc1490927d79fe9621e29f4a4f5d7b5ccb6aea3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e8b4d37eba05141ee01794fc6b7f2da808cee83b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6.18.36",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dp_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()\n\n[Why \u0026 How]\nThe aux_rd_interval array in struct dc_lttpr_caps is declared with\nMAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset\nparameter passed to dp_get_eq_aux_rd_interval() can be as large as\nMAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD.\nThis leads to an out-of-bounds read of aux_rd_interval[7] when offset\nis 8.\n\nFix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to\naccommodate the full range of valid repeater counts defined by the DP\nspec.\n\n(cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:15.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/454d3b3d499c18373f8960d31aea48338a3ca9e0"
},
{
"url": "https://git.kernel.org/stable/c/dc1490927d79fe9621e29f4a4f5d7b5ccb6aea3e"
},
{
"url": "https://git.kernel.org/stable/c/e8b4d37eba05141ee01794fc6b7f2da808cee83b"
}
],
"title": "drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53330",
"datePublished": "2026-07-01T13:32:15.160Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:15.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53329 (GCVE-0-2026-53329)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:32 – Updated: 2026-07-01 13:32
Title
drm/amd/display: Use krealloc_array() in dal_vector_reserve()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Use krealloc_array() in dal_vector_reserve()
[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.
Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.
(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < 31180638a33acad12c863132704a76536fb66211 (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < b15825deac1acff72638bbc8f05b89ceef8dfb13 (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < 201151e120f0062bcda21cad5d007b82725ad23b (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < a914aa802669e073f014dae2e5708633b5cecd34 (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < e09689286385a66311ac6922af95339d7a3cef8d (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < de988c7a31f0774f07894cfe4802996f318e2870 (git) |
| Linux | Linux | Affected: 2004f45ef83f07f43f5da6ede780b08068c7583d , < da48bc4461b8a5ebfb9264c9b191a701d8e99009 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/basics/vector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31180638a33acad12c863132704a76536fb66211",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "b15825deac1acff72638bbc8f05b89ceef8dfb13",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "201151e120f0062bcda21cad5d007b82725ad23b",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "a914aa802669e073f014dae2e5708633b5cecd34",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "e09689286385a66311ac6922af95339d7a3cef8d",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "de988c7a31f0774f07894cfe4802996f318e2870",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
},
{
"lessThan": "da48bc4461b8a5ebfb9264c9b191a701d8e99009",
"status": "affected",
"version": "2004f45ef83f07f43f5da6ede780b08068c7583d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/basics/vector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Use krealloc_array() in dal_vector_reserve()\n\n[Why \u0026 How]\ndal_vector_reserve() computes the allocation size as\n\"capacity * vector-\u003estruct_size\" using uint32_t arithmetic, which can\nsilently wrap to a small value on overflow. This would cause krealloc to\nreturn a smaller buffer than expected, leading to heap overflows on\nsubsequent vector appends.\n\nReplace krealloc() with krealloc_array() which performs an internal\noverflow check and returns NULL on wrap, preventing the issue.\n\n(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)"
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:32:14.598Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31180638a33acad12c863132704a76536fb66211"
},
{
"url": "https://git.kernel.org/stable/c/b15825deac1acff72638bbc8f05b89ceef8dfb13"
},
{
"url": "https://git.kernel.org/stable/c/201151e120f0062bcda21cad5d007b82725ad23b"
},
{
"url": "https://git.kernel.org/stable/c/a914aa802669e073f014dae2e5708633b5cecd34"
},
{
"url": "https://git.kernel.org/stable/c/e09689286385a66311ac6922af95339d7a3cef8d"
},
{
"url": "https://git.kernel.org/stable/c/de988c7a31f0774f07894cfe4802996f318e2870"
},
{
"url": "https://git.kernel.org/stable/c/da48bc4461b8a5ebfb9264c9b191a701d8e99009"
}
],
"title": "drm/amd/display: Use krealloc_array() in dal_vector_reserve()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-53329",
"datePublished": "2026-07-01T13:32:14.598Z",
"dateReserved": "2026-06-09T07:44:35.398Z",
"dateUpdated": "2026-07-01T13:32:14.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}