Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0452
Vulnerability from certfr_avis - Published: 2026-04-17 - Updated: 2026-04-17
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23204",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
},
{
"name": "CVE-2026-23144",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23144"
},
{
"name": "CVE-2026-23171",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23171"
},
{
"name": "CVE-2025-71238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71238"
}
],
"initial_release_date": "2026-04-17T00:00:00",
"last_revision_date": "2026-04-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0452",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2026-04-15",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:8342",
"url": "https://access.redhat.com/errata/RHSA-2026:8342"
}
]
}
CVE-2026-23204 (GCVE-0-2026-23204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:32
VLAI?
EPSS
Title
net/sched: cls_u32: use skb_header_pointer_careful()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Severity ?
7.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 29681ed51e737be14d18ecd1c304c57002e4b72c
(git)
Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cfa745830e45ecb75c061aa34330ee0cac941cc7 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < e41a23e61259f5526af875c3b86b3d42a9bae0e5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 8a672f177ebe19c93d795fbe967846084fbc7943 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cabd1a976375780dabab888784e356f574bbaed8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:32:50.609345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:32:59.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29681ed51e737be14d18ecd1c304c57002e4b72c",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cfa745830e45ecb75c061aa34330ee0cac941cc7",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:10:54.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29681ed51e737be14d18ecd1c304c57002e4b72c"
},
{
"url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"
},
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
],
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23204",
"datePublished": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-06-16T20:32:59.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23144 (GCVE-0-2026-23144)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c951cd3b89010c7a4751b9d4ea074007e44851e6 , < db7dfe78fc81bdd2b532d77f340fe453f2360426
(git)
Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 43964644348f6b1add3055c4a6cae8f77d892a6e (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 5651c0c391c0029541794f9c4c9597faecfd401f (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 78b4eb99751ebd37ceade78810bf94de80f7fb3a (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 9814cc832b88bd040fc2a1817c2b5469d0f7e862 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:15.595572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:21.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db7dfe78fc81bdd2b532d77f340fe453f2360426",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "43964644348f6b1add3055c4a6cae8f77d892a6e",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "5651c0c391c0029541794f9c4c9597faecfd401f",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "78b4eb99751ebd37ceade78810bf94de80f7fb3a",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "9814cc832b88bd040fc2a1817c2b5469d0f7e862",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: cleanup attrs subdirs on context dir setup failure\n\nWhen a context DAMON sysfs directory setup is failed after setup of attrs/\ndirectory, subdirectories of attrs/ directory are not cleaned up. As a\nresult, DAMON sysfs interface is nearly broken until the system reboots,\nand the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:59.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db7dfe78fc81bdd2b532d77f340fe453f2360426"
},
{
"url": "https://git.kernel.org/stable/c/43964644348f6b1add3055c4a6cae8f77d892a6e"
},
{
"url": "https://git.kernel.org/stable/c/5651c0c391c0029541794f9c4c9597faecfd401f"
},
{
"url": "https://git.kernel.org/stable/c/78b4eb99751ebd37ceade78810bf94de80f7fb3a"
},
{
"url": "https://git.kernel.org/stable/c/9814cc832b88bd040fc2a1817c2b5469d0f7e862"
}
],
"title": "mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23144",
"datePublished": "2026-02-14T15:36:09.518Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-06-11T18:44:21.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71238 (GCVE-0-2025-71238)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
scsi: qla2xxx: Fix bsg_done() causing double free
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix bsg_done() causing double free
Kernel panic observed on system,
[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b81e7f3019d632a707e07927e946ffbbc102910 , < 057a5bdc481e58ab853117254867ffb22caf9f6e
(git)
Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 27ac9679c43a09e54e2d9aae9980ada045b428e0 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 74e7458537cd9349cf019862e51491f670871707 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 871f6236da96c4a9712b8a29d7f555f767a47e95 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 31f33b856d2324d86bcaef295f4d210477a1c018 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 708003e1bc857dd014d4c44278d7d77c26f91b1c (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:22.897127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:38.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "057a5bdc481e58ab853117254867ffb22caf9f6e",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "27ac9679c43a09e54e2d9aae9980ada045b428e0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "74e7458537cd9349cf019862e51491f670871707",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "871f6236da96c4a9712b8a29d7f555f767a47e95",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "31f33b856d2324d86bcaef295f4d210477a1c018",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "708003e1bc857dd014d4c44278d7d77c26f91b1c",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix bsg_done() causing double free\n\nKernel panic observed on system,\n\n[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000\n[5353358.825194] #PF: supervisor write access in kernel mode\n[5353358.825195] #PF: error_code(0x0002) - not-present page\n[5353358.825196] PGD 100006067 P4D 0\n[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1\n[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025\n[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10\n[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246\n[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000\n[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000\n[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000\n[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090\n[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000\n[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000\n[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0\n[5353358.825221] PKRU: 55555554\n[5353358.825222] Call Trace:\n[5353358.825223] \u003cTASK\u003e\n[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825232] ? sg_copy_buffer+0xc8/0x110\n[5353358.825236] ? __die_body.cold+0x8/0xd\n[5353358.825238] ? page_fault_oops+0x134/0x170\n[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110\n[5353358.825244] ? exc_page_fault+0xa8/0x150\n[5353358.825247] ? asm_exc_page_fault+0x22/0x30\n[5353358.825252] ? memcpy_erms+0x6/0x10\n[5353358.825253] sg_copy_buffer+0xc8/0x110\n[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]\n[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]\n\nMost routines in qla_bsg.c call bsg_done() only for success cases.\nHowever a few invoke it for failure case as well leading to a double\nfree. Validate before calling bsg_done()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:00.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/057a5bdc481e58ab853117254867ffb22caf9f6e"
},
{
"url": "https://git.kernel.org/stable/c/f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720"
},
{
"url": "https://git.kernel.org/stable/c/27ac9679c43a09e54e2d9aae9980ada045b428e0"
},
{
"url": "https://git.kernel.org/stable/c/74e7458537cd9349cf019862e51491f670871707"
},
{
"url": "https://git.kernel.org/stable/c/871f6236da96c4a9712b8a29d7f555f767a47e95"
},
{
"url": "https://git.kernel.org/stable/c/31f33b856d2324d86bcaef295f4d210477a1c018"
},
{
"url": "https://git.kernel.org/stable/c/708003e1bc857dd014d4c44278d7d77c26f91b1c"
},
{
"url": "https://git.kernel.org/stable/c/c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0"
}
],
"title": "scsi: qla2xxx: Fix bsg_done() causing double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71238",
"datePublished": "2026-03-04T14:36:36.579Z",
"dateReserved": "2026-02-18T14:25:13.845Z",
"dateUpdated": "2026-06-11T17:53:38.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23171 (GCVE-0-2026-23171)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-06-16 20:31
VLAI?
EPSS
Title
bonding: fix use-after-free due to enslave fail after slave array update
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix use-after-free due to enslave fail after slave array update
Fix a use-after-free which happens due to enslave failure after the new
slave has been added to the array. Since the new slave can be used for Tx
immediately, we can use it after it has been freed by the enslave error
cleanup path which frees the allocated slave memory. Slave update array is
supposed to be called last when further enslave failures are not expected.
Move it after xdp setup to avoid any problems.
It is very easy to reproduce the problem with a simple xdp_pass prog:
ip l add bond1 type bond mode balance-xor
ip l set bond1 up
ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
ip l add dumdum type dummy
Then run in parallel:
while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
The crash happens almost immediately:
[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 172dcb67dd35b162357df229d7806acc724cd469
(git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 2889d92c5f728351c9930c7996d22fe6e906e785 (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < e9acda52fd2ee0cdca332f996da7a95c5fd25294 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:31:33.690171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:31:44.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "172dcb67dd35b162357df229d7806acc724cd469",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "2889d92c5f728351c9930c7996d22fe6e906e785",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "e9acda52fd2ee0cdca332f996da7a95c5fd25294",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix use-after-free due to enslave fail after slave array update\n\nFix a use-after-free which happens due to enslave failure after the new\nslave has been added to the array. Since the new slave can be used for Tx\nimmediately, we can use it after it has been freed by the enslave error\ncleanup path which frees the allocated slave memory. Slave update array is\nsupposed to be called last when further enslave failures are not expected.\nMove it after xdp setup to avoid any problems.\n\nIt is very easy to reproduce the problem with a simple xdp_pass prog:\n ip l add bond1 type bond mode balance-xor\n ip l set bond1 up\n ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass\n ip l add dumdum type dummy\n\nThen run in parallel:\n while :; do ip l set dumdum master bond1 1\u003e/dev/null 2\u003e\u00261; done;\n mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp \"dp=1-1023, flags=syn\"\n\nThe crash happens almost immediately:\n [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI\n [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]\n [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)\n [ 605.602979] Tainted: [B]=BAD_PAGE\n [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210\n [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89\n [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213\n [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000\n [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be\n [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c\n [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000\n [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84\n [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000\n [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0\n [ 605.603373] Call Trace:\n [ 605.603392] \u003cTASK\u003e\n [ 605.603410] __dev_queue_xmit+0x448/0x32a0\n [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10\n [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603546] ? _printk+0xcb/0x100\n [ 605.603566] ? __pfx__printk+0x10/0x10\n [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603627] ? add_taint+0x5e/0x70\n [ 605.603648] ? add_taint+0x2a/0x70\n [ 605.603670] ? end_report.cold+0x51/0x75\n [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:17.241Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/172dcb67dd35b162357df229d7806acc724cd469"
},
{
"url": "https://git.kernel.org/stable/c/2889d92c5f728351c9930c7996d22fe6e906e785"
},
{
"url": "https://git.kernel.org/stable/c/bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d"
},
{
"url": "https://git.kernel.org/stable/c/e9acda52fd2ee0cdca332f996da7a95c5fd25294"
}
],
"title": "bonding: fix use-after-free due to enslave fail after slave array update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23171",
"datePublished": "2026-02-14T16:01:33.489Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-06-16T20:31:44.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…