Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0781
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.18 for RHEL 9 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.21 for RHEL 9 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.18 for RHEL 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.20 for RHEL 8 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.20 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.20 for RHEL 8 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.20 for RHEL 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.21 for RHEL 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.20 for RHEL 9 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.21 for RHEL 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.19 for RHEL 9 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.20 for RHEL 9 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.21 for RHEL 9 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.21 for RHEL 8 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.19 for RHEL 9 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.18 for RHEL 9 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.19 for RHEL 8 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.20 for RHEL 9 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.20 for RHEL 8 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.18 for RHEL 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.18 for RHEL 8 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.21 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.19 for RHEL 8 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.19 for RHEL 9 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for ARM 64 4.21 for RHEL 9 aarch64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.19 for RHEL 9 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.18 for RHEL 9 s390x | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.21 for RHEL 9 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 10 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.19 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform for Power 4.18 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.18 for RHEL 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 | ||
| Red Hat | N/A | Red Hat OpenShift Container Platform 4.19 for RHEL 8 x86_64 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.18 for RHEL 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.21 for RHEL 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.18 for RHEL 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.20 for RHEL 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.20 for RHEL 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.20 for RHEL 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.20 for RHEL 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.21 for RHEL 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.20 for RHEL 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.21 for RHEL 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.19 for RHEL 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.20 for RHEL 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.21 for RHEL 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.21 for RHEL 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.19 for RHEL 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.18 for RHEL 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.19 for RHEL 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.20 for RHEL 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.20 for RHEL 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.18 for RHEL 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.18 for RHEL 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.21 for RHEL 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.19 for RHEL 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.19 for RHEL 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for ARM 64 4.21 for RHEL 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.19 for RHEL 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.18 for RHEL 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.21 for RHEL 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 10 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.19 for RHEL 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.18 for RHEL 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.18 for RHEL 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.19 for RHEL 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-4878",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4878"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-46227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46227"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2026-43163",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43163"
},
{
"name": "CVE-2026-31786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31786"
},
{
"name": "CVE-2026-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2026-46243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46243"
},
{
"name": "CVE-2026-31669",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
},
{
"name": "CVE-2024-41073",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41073"
},
{
"name": "CVE-2026-23216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
},
{
"name": "CVE-2026-22990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22990"
},
{
"name": "CVE-2026-39979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39979"
},
{
"name": "CVE-2025-71089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71089"
},
{
"name": "CVE-2026-35385",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35385"
},
{
"name": "CVE-2026-43158",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43158"
},
{
"name": "CVE-2026-23243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23243"
},
{
"name": "CVE-2026-41326",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41326"
},
{
"name": "CVE-2026-23001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23001"
},
{
"name": "CVE-2026-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40164"
},
{
"name": "CVE-2025-40158",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40158"
},
{
"name": "CVE-2026-23392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23392"
},
{
"name": "CVE-2026-46125",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46125"
},
{
"name": "CVE-2026-46152",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46152"
},
{
"name": "CVE-2025-40135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40135"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2026-31532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31532"
},
{
"name": "CVE-2026-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43190"
},
{
"name": "CVE-2026-46056",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46056"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2025-40170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40170"
},
{
"name": "CVE-2025-68366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68366"
},
{
"name": "CVE-2026-43110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43110"
},
{
"name": "CVE-2026-41035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41035"
},
{
"name": "CVE-2026-43303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43303"
},
{
"name": "CVE-2026-22984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22984"
},
{
"name": "CVE-2026-43037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43037"
},
{
"name": "CVE-2025-21858",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21858"
},
{
"name": "CVE-2023-53372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53372"
},
{
"name": "CVE-2026-23097",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23097"
},
{
"name": "CVE-2026-43116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43116"
},
{
"name": "CVE-2026-43329",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43329"
},
{
"name": "CVE-2026-43038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43038"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0781",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:26462",
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:26515",
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25181",
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:26570",
"url": "https://access.redhat.com/errata/RHSA-2026:26570"
},
{
"published_at": "2026-06-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25534",
"url": "https://access.redhat.com/errata/RHSA-2026:25534"
},
{
"published_at": "2026-06-12",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25533",
"url": "https://access.redhat.com/errata/RHSA-2026:25533"
},
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:26428",
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:26535",
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25200",
"url": "https://access.redhat.com/errata/RHSA-2026:25200"
},
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25186",
"url": "https://access.redhat.com/errata/RHSA-2026:25186"
},
{
"published_at": "2026-06-16",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:25193",
"url": "https://access.redhat.com/errata/RHSA-2026:25193"
}
]
}
CVE-2025-21858 (GCVE-0-2025-21858)
Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2026-05-12 12:04
VLAI?
EPSS
Title
geneve: Fix use-after-free in geneve_find_dev().
Summary
In the Linux kernel, the following vulnerability has been resolved:
geneve: Fix use-after-free in geneve_find_dev().
syzkaller reported a use-after-free in geneve_find_dev() [0]
without repro.
geneve_configure() links struct geneve_dev.next to
net_generic(net, geneve_net_id)->geneve_list.
The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,
IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.
When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally
calls unregister_netdevice_queue() for each dev in the netns,
and later the dev is freed.
However, its geneve_dev.next is still linked to the backend UDP
socket netns.
Then, use-after-free will occur when another geneve dev is created
in the netns.
Let's call geneve_dellink() instead in geneve_destroy_tunnels().
[0]:
BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441
CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
geneve_find_dev drivers/net/geneve.c:1295 [inline]
geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600
Allocated by task 13247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_n
---truncated---
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < d5e86e27de0936f3cb0a299ce519d993e9cf3886
(git)
Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < 5a0538ac6826807d6919f6aecbb8996c2865af2c (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < f74f6560146714241c6e167b03165ee77a86e316 (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < 904e746b2e7fa952ab8801b303ce826a63153d78 (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < 3ce92ca990cfac88a87c61df3cc0b5880e688ecf (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < da9b0ae47f084014b1e4b3f31f70a0defd047ff3 (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < 788dbca056a8783ec063da3c9d49a3a71c76c283 (git) Affected: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b , < 9593172d93b9f91c362baec4643003dc29802929 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T13:19:41.982339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T13:23:48.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:13.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:04:06.094Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/geneve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5e86e27de0936f3cb0a299ce519d993e9cf3886",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "5a0538ac6826807d6919f6aecbb8996c2865af2c",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "f74f6560146714241c6e167b03165ee77a86e316",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "904e746b2e7fa952ab8801b303ce826a63153d78",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "3ce92ca990cfac88a87c61df3cc0b5880e688ecf",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "da9b0ae47f084014b1e4b3f31f70a0defd047ff3",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "788dbca056a8783ec063da3c9d49a3a71c76c283",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "9593172d93b9f91c362baec4643003dc29802929",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/geneve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: Fix use-after-free in geneve_find_dev().\n\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\n\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)-\u003egeneve_list.\n\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\n\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\n\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\n\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\n\nLet\u0027s call geneve_dellink() instead in geneve_destroy_tunnels().\n\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441\n\nCPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379\n geneve_find_dev drivers/net/geneve.c:1295 [inline]\n geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\n geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634\n rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:713 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568\n ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622\n __sys_sendmsg net/socket.c:2654 [inline]\n __do_sys_sendmsg net/socket.c:2659 [inline]\n __se_sys_sendmsg net/socket.c:2657 [inline]\n __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600\n\nAllocated by task 13247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4298 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645\n alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470\n rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_n\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:07:52.222Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886"
},
{
"url": "https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c"
},
{
"url": "https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316"
},
{
"url": "https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78"
},
{
"url": "https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf"
},
{
"url": "https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3"
},
{
"url": "https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283"
},
{
"url": "https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929"
}
],
"title": "geneve: Fix use-after-free in geneve_find_dev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21858",
"datePublished": "2025-03-12T09:42:11.343Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2026-05-12T12:04:06.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40135 (GCVE-0-2025-40135)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-06-16 19:59
VLAI?
EPSS
Title
ipv6: use RCU in ip6_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_xmit()
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f0a54d00d2f36de40266f47c27989853e8588656
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f69fec6287565fdeb61f65e700a1184352306943 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < bd0905e2122e3680968cd0741966983490bf2ed3 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f7f9e924f23684b4b23cd9f976cceab24a968e34 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 9085e56501d93af9f2d7bd16f7fcfacdde47b99c (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:58:56.548938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:59:06.997Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0a54d00d2f36de40266f47c27989853e8588656",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "f69fec6287565fdeb61f65e700a1184352306943",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "bd0905e2122e3680968cd0741966983490bf2ed3",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "f7f9e924f23684b4b23cd9f976cceab24a968e34",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "9085e56501d93af9f2d7bd16f7fcfacdde47b99c",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:43:25.962Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0a54d00d2f36de40266f47c27989853e8588656"
},
{
"url": "https://git.kernel.org/stable/c/f69fec6287565fdeb61f65e700a1184352306943"
},
{
"url": "https://git.kernel.org/stable/c/bd0905e2122e3680968cd0741966983490bf2ed3"
},
{
"url": "https://git.kernel.org/stable/c/f7f9e924f23684b4b23cd9f976cceab24a968e34"
},
{
"url": "https://git.kernel.org/stable/c/9085e56501d93af9f2d7bd16f7fcfacdde47b99c"
}
],
"title": "ipv6: use RCU in ip6_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40135",
"datePublished": "2025-11-12T10:23:23.051Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2026-06-16T19:59:06.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43037 (GCVE-0-2026-43037)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Severity ?
9.8 (Critical)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < ea9f65b27c8404e164848ebff1443310fd187629
(git)
Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < d6621f60192fe10c047a4487be42a6f4c150707f (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5 (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < a0c4ce9900a108eaf55d0f3b399cb55999647d39 (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 1063515ce15ff31065c4e7f8265f4c2fd3c54876 (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3 (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 4a622658f384b03560834cbe8ffcfe69a278f7c8 (git) Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 2edfa31769a4add828a7e604b21cb82aaaa05925 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s IPv6 tunnel implementation. A remote attacker could exploit this flaw by sending malicious ICMPv6 error messages to cause a stack-based buffer overflow in the kernel\u0027s IPv4-over-IPv6 tunnel error handling code. This could result in a kernel crash (denial of service) or potentially allow arbitrary code execution with kernel privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:09.034Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43037"
},
{
"name": "RHBZ#2464351",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464351"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43037.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25534"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27719"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27729"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25200"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25193"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25186"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24343"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25191"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22940"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23237"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28742"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28749"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25533"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22964"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28748"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28750"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28738"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28740"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28741"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25534: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:27719: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION), Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:27729: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:26528: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:25200: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:25193: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:25186: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:24343: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:25191: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:22940: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:23237: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25217: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:28742: Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25121: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28749: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:25533: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:22964: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:28748: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:28750: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:28738: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:28740: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:28741: Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25120: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:22900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is to skip loading the affected module `ip6_tunnel` onto the system till we have a fix available, this can be done by a blacklist mechanism, this will ensure the driver is not loaded at the boot time.\n~~~\nHow do I blacklist a kernel module to prevent it from loading automatically? \nhttps://access.redhat.com/solutions/41278 \n~~~\n\nWe may also want to detection and monitoring an affected system as below:\n~~~\nMonitor for exploitation attempts:\n\n# Enable kernel audit for IPv6 tunnel operations\nauditctl -a always,exit -F arch=b64 -S socket -F a0=10 -F a1=3 -k ipv6_tunnel\n\n# Monitor system logs for kernel panics/crashes\njournalctl -k -p err -f | grep -i \"ip6_tunnel\\|icmp\\|stack\"\n~~~"
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea9f65b27c8404e164848ebff1443310fd187629",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "d6621f60192fe10c047a4487be42a6f4c150707f",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "a0c4ce9900a108eaf55d0f3b399cb55999647d39",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "1063515ce15ff31065c4e7f8265f4c2fd3c54876",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "4a622658f384b03560834cbe8ffcfe69a278f7c8",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "2edfa31769a4add828a7e604b21cb82aaaa05925",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt-\u003e__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2-\u003ecb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl \u003e= 5)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:29.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"
},
{
"url": "https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f"
},
{
"url": "https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"
},
{
"url": "https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39"
},
{
"url": "https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876"
},
{
"url": "https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"
},
{
"url": "https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8"
},
{
"url": "https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925"
}
],
"title": "ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43037",
"datePublished": "2026-05-01T14:15:35.314Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-07-02T12:05:09.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23243 (GCVE-0-2026-23243)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-06-17 17:47
VLAI?
EPSS
Title
RDMA/umad: Reject negative data_len in ib_umad_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umad: Reject negative data_len in ib_umad_write
ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().
Add an explicit check to reject negative data_len before creating the
send buffer.
KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2be8e3ee8efd6f99ce454115c29d09750915021a , < 1371ef6b1ecf3676b8942f5dfb3634fb0648128e
(git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 362e45fd9069ffa1523f9f1633b606ebf72060d7 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 6eb2919474ca105c5b13d19574e25f0ddcf19ca2 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 9c80d688f402539dfc8f336de1380d6b4ee14316 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 205955f29c26330b1dc7fdeadd5bb97c38e26f56 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T17:47:24.163717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T17:47:33.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/user_mad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1371ef6b1ecf3676b8942f5dfb3634fb0648128e",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "362e45fd9069ffa1523f9f1633b606ebf72060d7",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "6eb2919474ca105c5b13d19574e25f0ddcf19ca2",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "9c80d688f402539dfc8f336de1380d6b4ee14316",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "205955f29c26330b1dc7fdeadd5bb97c38e26f56",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "5551b02fdbfd85a325bb857f3a8f9c9f33397ed2",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/user_mad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:03:05.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"
},
{
"url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"
},
{
"url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"
},
{
"url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"
},
{
"url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"
},
{
"url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"
},
{
"url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"
},
{
"url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"
}
],
"title": "RDMA/umad: Reject negative data_len in ib_umad_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23243",
"datePublished": "2026-03-18T10:05:05.826Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-06-17T17:47:33.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31532 (GCVE-0-2026-31532)
Vulnerability from cvelistv5 – Published: 2026-04-23 11:12 – Updated: 2026-06-14 17:41
VLAI?
EPSS
Title
can: raw: fix ro->uniq use-after-free in raw_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: raw: fix ro->uniq use-after-free in raw_rcv()
raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.
[mkl: applied manually]
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3
(git)
Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 64c8553decf5a5f2417bd54761ea0a832c56c4ca (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 3f43f12fde34737fba091b7e3ab391e14ddbb0be (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 5e9cfffad898bbeaafd0ea608a6d267362f050fc (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 572f0bf536ebc14f6e7da3d21a85cf076de8358e (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 7201a531b9a5ed892bfda5ded9194ef622de8ffa (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 34c1741254ff972e8375faf176678a248826fe3a (git) Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < a535a9217ca3f2fccedaafb2fddb4c48f27d36dc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "64c8553decf5a5f2417bd54761ea0a832c56c4ca",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "3f43f12fde34737fba091b7e3ab391e14ddbb0be",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "5e9cfffad898bbeaafd0ea608a6d267362f050fc",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "572f0bf536ebc14f6e7da3d21a85cf076de8358e",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "7201a531b9a5ed892bfda5ded9194ef622de8ffa",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "34c1741254ff972e8375faf176678a248826fe3a",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "a535a9217ca3f2fccedaafb2fddb4c48f27d36dc",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro-\u003euniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro-\u003euniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro-\u003euniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:41:55.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3"
},
{
"url": "https://git.kernel.org/stable/c/64c8553decf5a5f2417bd54761ea0a832c56c4ca"
},
{
"url": "https://git.kernel.org/stable/c/3f43f12fde34737fba091b7e3ab391e14ddbb0be"
},
{
"url": "https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc"
},
{
"url": "https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e"
},
{
"url": "https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0"
},
{
"url": "https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa"
},
{
"url": "https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a"
},
{
"url": "https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc"
}
],
"title": "can: raw: fix ro-\u003euniq use-after-free in raw_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31532",
"datePublished": "2026-04-23T11:12:44.829Z",
"dateReserved": "2026-03-09T15:48:24.112Z",
"dateUpdated": "2026-06-14T17:41:55.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46125 (GCVE-0-2026-46125)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
wifi: mac80211: remove station if connection prep fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.
This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.
Severity ?
8.8 (High)
CWE
- CWE-825 - Expired Pointer Dereference
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
81151ce462e533551f3284bfdb8e0f461c9220e6 , < 18fed0a209500bfea5c4c08609ec93855e4e500b
(git)
Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < fe75fa1ac9a92990f7fc3d34b17808fd933071b2 (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < afcbaed89cdc1a001b43270cbf5394bb4804270a (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 9e28654f79f443bca9b29ff3ae7cf18abfba58a0 (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 1c2b72ea89882aeb948340498391e69c58d466f1 (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s mac80211 Wi-Fi subsystem. When Multi-Link Operation (MLO) connection preparation fails, the system may not correctly remove the associated station. This can lead to a use-after-free or double-free vulnerability in the debugfs component, potentially causing system instability or unexpected behavior."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:11.895Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46125"
},
{
"name": "RHBZ#2482608",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482608"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27288: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26427: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:26428: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: wifi: mac80211: remove station if connection prep fails",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18fed0a209500bfea5c4c08609ec93855e4e500b",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "fe75fa1ac9a92990f7fc3d34b17808fd933071b2",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "afcbaed89cdc1a001b43270cbf5394bb4804270a",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "9e28654f79f443bca9b29ff3ae7cf18abfba58a0",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "1c2b72ea89882aeb948340498391e69c58d466f1",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "283fc9e44ff5b5ac967439b4951b80bd4299f4e4",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:37.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b"
},
{
"url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
},
{
"url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
},
{
"url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
},
{
"url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
},
{
"url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
}
],
"title": "wifi: mac80211: remove station if connection prep fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46125",
"datePublished": "2026-05-28T09:35:39.809Z",
"dateReserved": "2026-05-13T15:03:33.099Z",
"dateUpdated": "2026-06-30T12:10:11.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23001 (GCVE-0-2026-23001)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-06-16 20:17
VLAI?
EPSS
Title
macvlan: fix possible UAF in macvlan_forward_source()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8133e85b8a3ec9f10d861e0002ec6037256e987e
(git)
Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 484919832e2db6ce1e8add92c469e5d459a516b5 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 232afc74a6dde0fe1830988e5827921f5ec9bb3f (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 15f6faf36e162532bec5cc05eb3fc622108bf2ed (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 6dbead9c7677186f22b7981dd085a0feec1f038e (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 7470a7a63dc162f07c26dbf960e41ee1e248d80e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:17:12.456069Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:17:28.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8133e85b8a3ec9f10d861e0002ec6037256e987e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "484919832e2db6ce1e8add92c469e5d459a516b5",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "232afc74a6dde0fe1830988e5827921f5ec9bb3f",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "15f6faf36e162532bec5cc05eb3fc622108bf2ed",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "8518712a2ca952d6da2238c6f0a16b4ae5ea3f13",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "6dbead9c7677186f22b7981dd085a0feec1f038e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "7470a7a63dc162f07c26dbf960e41ee1e248d80e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)-\u003evlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry-\u003evlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:58:05.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e"
},
{
"url": "https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5"
},
{
"url": "https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f"
},
{
"url": "https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed"
},
{
"url": "https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13"
},
{
"url": "https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e"
},
{
"url": "https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e"
}
],
"title": "macvlan: fix possible UAF in macvlan_forward_source()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23001",
"datePublished": "2026-01-25T14:36:15.790Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-06-16T20:17:28.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31685 (GCVE-0-2026-31685)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-06-01 16:13
VLAI?
EPSS
Title
netfilter: ip6t_eui64: reject invalid MAC header for all packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Severity ?
9.4 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4d75bc2cd093bf5803edf512c099bfb220fd6459
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d6a57411caf54df025860c9b1a82cd42d57a562 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d5603591373441fecf9951833d6d873e09320f08 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 288138418bef956f8b295751a4536c60f0e89f4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 807d6ee15804df6f01a35c910f09612e858739a6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 309ae3e9a51a69699ca94eac5fac5688fa562d55 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fdce0b3590f724540795b874b4c8850c90e6b0a8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d75bc2cd093bf5803edf512c099bfb220fd6459",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d6a57411caf54df025860c9b1a82cd42d57a562",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5603591373441fecf9951833d6d873e09320f08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "288138418bef956f8b295751a4536c60f0e89f4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9eda5478746ef7dc0e4e537b5a5e4b0ca1027091",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "807d6ee15804df6f01a35c910f09612e858739a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "309ae3e9a51a69699ca94eac5fac5688fa562d55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdce0b3590f724540795b874b4c8850c90e6b0a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:27.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d75bc2cd093bf5803edf512c099bfb220fd6459"
},
{
"url": "https://git.kernel.org/stable/c/7d6a57411caf54df025860c9b1a82cd42d57a562"
},
{
"url": "https://git.kernel.org/stable/c/d5603591373441fecf9951833d6d873e09320f08"
},
{
"url": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a"
},
{
"url": "https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091"
},
{
"url": "https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6"
},
{
"url": "https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55"
},
{
"url": "https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8"
}
],
"title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31685",
"datePublished": "2026-04-25T08:47:02.857Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-01T16:13:27.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22984 (GCVE-0-2026-22984)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:35
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 194cfe2af4d2a1de599d39dad636b47c2f6c2c96
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 79fe3511db416d2f2edcfd93569807cb02736e5e (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < ef208ea331ef688729f64089b895ed1b49e842e3 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2d653bb63d598ae4b096dd678744bdcc34ee89e8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 818156caffbf55cb4d368f9c3cac64e458fb49c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:34:59.073775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:35:08.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "194cfe2af4d2a1de599d39dad636b47c2f6c2c96",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "79fe3511db416d2f2edcfd93569807cb02736e5e",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "ef208ea331ef688729f64089b895ed1b49e842e3",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2802ef3380fa8c4a08cda51ec1f085b1a712e9e2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2d653bb63d598ae4b096dd678744bdcc34ee89e8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "818156caffbf55cb4d368f9c3cac64e458fb49c9",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:45.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96"
},
{
"url": "https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e"
},
{
"url": "https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3"
},
{
"url": "https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2"
},
{
"url": "https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8"
},
{
"url": "https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9"
}
],
"title": "libceph: prevent potential out-of-bounds reads in handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22984",
"datePublished": "2026-01-23T15:24:06.245Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-06-16T20:35:08.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35385 (GCVE-0-2026-35385)
Vulnerability from cvelistv5 – Published: 2026-04-02 16:30 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Summary
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Severity ?
7.5 (High)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T03:55:44.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "unknown",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-02T16:30:59.615Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenSSH. When the `scp` command is used by a root user to download a file with the legacy protocol option (`-O`) and without preserving original file permissions (`-p`), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow a malicious file to execute with higher permissions than intended, posing a security risk through potential privilege escalation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:10.617Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-35385"
},
{
"name": "RHBZ#2454469",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454469"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35385.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25063"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20040"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12389"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13380"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19069"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13383"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21398"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22648"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22564"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16059"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13381"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19219"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22329"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21298"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14937"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25063: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:22468: Red Hat Enterprise Linux Server (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:26528: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:20040: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:12389: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13380: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19069: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:13383: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:21398: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:22648: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:22564: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:16059: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13381: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19219: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:22329: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:21298: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:25096: Red Hat AI Inference Server 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:30078: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30087: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:14937: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:21275: Red Hat Update Infrastructure 5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T17:01:07.052Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-02T16:30:59.615Z",
"value": "Made public."
}
],
"title": "OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users\u0027 expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:15:37.128Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openssh.org/releasenotes.html#10.3p1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=177513443901484\u0026w=2"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-35385",
"datePublished": "2026-04-02T16:30:59.615Z",
"dateReserved": "2026-04-02T16:30:59.107Z",
"dateUpdated": "2026-07-02T12:05:10.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53372 (GCVE-0-2023-53372)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-05-11 19:43
VLAI?
EPSS
Title
sctp: fix a potential overflow in sctp_ifwdtsn_skip
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix a potential overflow in sctp_ifwdtsn_skip
Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
checks the pos against the end of the chunk. However, the data left for
the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
it as struct sctp_ifwdtsn_skip may cause coverflow.
This patch fixes it by checking the pos against "the end of the chunk -
sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
sctp_fwdtsn_skip.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0fc2ea922c8ad5520c80f03facbf396c81dce802 , < 4fbd094d4131a10d06a45d64158567052a35b3f4
(git)
Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < ad831a7079c99c01e801764b53bc9997c2e9c0f7 (git) Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < 79b28f42214a3d0d6a8c514db3602260bd5d6cb5 (git) Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < 6109f5b13ce3e3e537db6f18976ec0e9118d1c6f (git) Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < 5c9367ac5a22d71841bcd00130f9146c9b227d57 (git) Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < ad988e9b5ff04607e624a459209e8c2d0c15fc73 (git) Affected: 0fc2ea922c8ad5520c80f03facbf396c81dce802 , < 32832a2caf82663870126c5186cf8f86c8b2a649 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:53:52.812844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:02.976Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/stream_interleave.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fbd094d4131a10d06a45d64158567052a35b3f4",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "ad831a7079c99c01e801764b53bc9997c2e9c0f7",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "79b28f42214a3d0d6a8c514db3602260bd5d6cb5",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "6109f5b13ce3e3e537db6f18976ec0e9118d1c6f",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "5c9367ac5a22d71841bcd00130f9146c9b227d57",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "ad988e9b5ff04607e624a459209e8c2d0c15fc73",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
},
{
"lessThan": "32832a2caf82663870126c5186cf8f86c8b2a649",
"status": "affected",
"version": "0fc2ea922c8ad5520c80f03facbf396c81dce802",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/stream_interleave.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix a potential overflow in sctp_ifwdtsn_skip\n\nCurrently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only\nchecks the pos against the end of the chunk. However, the data left for\nthe last pos may be \u003c sizeof(struct sctp_ifwdtsn_skip), and dereference\nit as struct sctp_ifwdtsn_skip may cause coverflow.\n\nThis patch fixes it by checking the pos against \"the end of the chunk -\nsizeof(struct sctp_ifwdtsn_skip)\" in sctp_ifwdtsn_skip, similar to\nsctp_fwdtsn_skip."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:43:40.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fbd094d4131a10d06a45d64158567052a35b3f4"
},
{
"url": "https://git.kernel.org/stable/c/ad831a7079c99c01e801764b53bc9997c2e9c0f7"
},
{
"url": "https://git.kernel.org/stable/c/79b28f42214a3d0d6a8c514db3602260bd5d6cb5"
},
{
"url": "https://git.kernel.org/stable/c/6109f5b13ce3e3e537db6f18976ec0e9118d1c6f"
},
{
"url": "https://git.kernel.org/stable/c/5c9367ac5a22d71841bcd00130f9146c9b227d57"
},
{
"url": "https://git.kernel.org/stable/c/ad988e9b5ff04607e624a459209e8c2d0c15fc73"
},
{
"url": "https://git.kernel.org/stable/c/32832a2caf82663870126c5186cf8f86c8b2a649"
}
],
"title": "sctp: fix a potential overflow in sctp_ifwdtsn_skip",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53372",
"datePublished": "2025-09-18T13:33:19.549Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2026-05-11T19:43:40.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31669 (GCVE-0-2026-31669)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-05-11 22:13
VLAI?
EPSS
Title
mptcp: fix slab-use-after-free in __inet_lookup_established
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b19bc2945b40b9fd38e835700907ffe8534ef0de , < f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47
(git)
Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < fb1f54b7d16f393b8b65d328410f78b4beea8fcc (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 3fd6547f5b8ac99687be6d937a0321efda760597 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < eb9c6aeb512f877cf397deb1e4526f646c70e4a7 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 15fa9ead4d5e6b6b9c794e84144146c917f2cb62 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < b313e9037d98c13938740e5ebda7852929366dff (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 9b55b253907e7431210483519c5ad711a37dafa1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "fb1f54b7d16f393b8b65d328410f78b4beea8fcc",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "3fd6547f5b8ac99687be6d937a0321efda760597",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "eb9c6aeb512f877cf397deb1e4526f646c70e4a7",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "15fa9ead4d5e6b6b9c794e84144146c917f2cb62",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "b313e9037d98c13938740e5ebda7852929366dff",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "9b55b253907e7431210483519c5ad711a37dafa1",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP\u0027s mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(\u0026tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:21.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"
},
{
"url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"
},
{
"url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"
},
{
"url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"
},
{
"url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"
},
{
"url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"
},
{
"url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"
}
],
"title": "mptcp: fix slab-use-after-free in __inet_lookup_established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31669",
"datePublished": "2026-04-24T14:45:17.295Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-05-11T22:13:21.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68800 (GCVE-0-2025-68800)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-06-16 16:50
VLAI?
EPSS
Title
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f38656d067257cc43b652958dd154e1ab0773701 , < b957366f5611bbaba03dd10ef861283347ddcc88
(git)
Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 6e367c361a523a4b54fe618215c64a0ee189caf0 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 216afc198484fde110ebeafc017992266f4596ce (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 4049a6ace209f4ed150429f86ae796d7d6a4c22b (git) Affected: f38656d067257cc43b652958dd154e1ab0773701 , < 8ac1dacec458f55f871f7153242ed6ab60373b90 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:50:11.101316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:50:24.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b957366f5611bbaba03dd10ef861283347ddcc88",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "6e367c361a523a4b54fe618215c64a0ee189caf0",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "5f2831fc593c2b2efbff7dd0dd7441cec76adcd5",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "216afc198484fde110ebeafc017992266f4596ce",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "4049a6ace209f4ed150429f86ae796d7d6a4c22b",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "8ac1dacec458f55f871f7153242ed6ab60373b90",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:53:35.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88"
},
{
"url": "https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0"
},
{
"url": "https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73"
},
{
"url": "https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5"
},
{
"url": "https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce"
},
{
"url": "https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b"
},
{
"url": "https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90"
}
],
"title": "mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68800",
"datePublished": "2026-01-13T15:29:09.688Z",
"dateReserved": "2025-12-24T10:30:51.044Z",
"dateUpdated": "2026-06-16T16:50:24.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43190 (GCVE-0-2026-43190)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
netfilter: xt_tcpmss: check remaining length before reading optlen
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_tcpmss: check remaining length before reading optlen
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Severity ?
8.2 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f895191dc32c53eaf443b6443fe40945b2f92287
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd5beda7e0e32865e214f28034bb92c1cecff885 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eaedc0bc18be46fe7f58170e967959a932c4f824 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8b300f726640c48c3edfe9c453334dd801f4b74e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e13d0a37666955b6cfddc0f73cb40ed645b8a05 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6c412dcfd76b0516d51aa847d8f4c7b70381b09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 735ee8582da3d239eb0c7a53adca61b79fb228b3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f895191dc32c53eaf443b6443fe40945b2f92287",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd5beda7e0e32865e214f28034bb92c1cecff885",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eaedc0bc18be46fe7f58170e967959a932c4f824",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07a9b32eaae792ff7d0fcac14d8920c937c0a9c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b300f726640c48c3edfe9c453334dd801f4b74e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e13d0a37666955b6cfddc0f73cb40ed645b8a05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6c412dcfd76b0516d51aa847d8f4c7b70381b09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "735ee8582da3d239eb0c7a53adca61b79fb228b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n to index op[i+1]. In the case where i + 1 == optlen, this causes an\n out-of-bounds read, accessing memory past the optlen boundary\n (either reading beyond the stack buffer _opt or the\n following payload)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:35.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287"
},
{
"url": "https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885"
},
{
"url": "https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824"
},
{
"url": "https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3"
},
{
"url": "https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e"
},
{
"url": "https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05"
},
{
"url": "https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09"
},
{
"url": "https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3"
}
],
"title": "netfilter: xt_tcpmss: check remaining length before reading optlen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43190",
"datePublished": "2026-05-06T11:27:59.798Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:35.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI?
EPSS
Title
xen/privcmd: fix double free via VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d71f513985c22f1050295d1a7e4327cf9fb060da , < dbf862ce9f009128ab86b234d91413a3e450beb4
(git)
Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2b985d3a024b9e8c24e21671b34e855569763808 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 1576ff3869cbd3620717195f971c85b7d7fd62b5 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 402d84ad9e89bd4cbfd07ca8598532b7021daf95 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2894a351fe2ea8684919d36df3188b9a35e3926f (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 71bf829800758a6e3889096e4754ef47ba7fc850 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 24daca4fc07f3ff8cd0e3f629cd982187f48436a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:41.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:41.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46056 (GCVE-0-2026-46056)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:57 – Updated: 2026-06-19 11:59
VLAI?
EPSS
Title
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.
Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
92a25256f142d55e25f9959441cea6ddeabae57e , < ea18732d2614557e59f4c0d8cdbe6611aeab33b7
(git)
Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < d28311539ac9f65e29308ea219ecaa48aa5e76e5 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < b6ae482f88654db407c8c17619d4b62959b903ef (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 204028af77a265e31ceb4ba7f643349a3cca72b2 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 01a6431766c35dfedb86e0cb5d3fc80c6d604a47 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < e08d75753db17aa943d7622f09d9c217b5bfd3b8 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 8c6443bb9257b780986fb67ec08565bf48ecb8d7 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 85fa3512048793076eef658f66489112dcc91993 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea18732d2614557e59f4c0d8cdbe6611aeab33b7",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "d28311539ac9f65e29308ea219ecaa48aa5e76e5",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "b6ae482f88654db407c8c17619d4b62959b903ef",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "204028af77a265e31ceb4ba7f643349a3cca72b2",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "01a6431766c35dfedb86e0cb5d3fc80c6d604a47",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "e08d75753db17aa943d7622f09d9c217b5bfd3b8",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "8c6443bb9257b780986fb67ec08565bf48ecb8d7",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "85fa3512048793076eef658f66489112dcc91993",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in SSP passkey handlers\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise\nthe connection can be freed concurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage in both\nhandlers.\n\nKeep the existing keypress notification behavior unchanged by routing\nthe early exits through a common unlock path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:12.139Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea18732d2614557e59f4c0d8cdbe6611aeab33b7"
},
{
"url": "https://git.kernel.org/stable/c/d28311539ac9f65e29308ea219ecaa48aa5e76e5"
},
{
"url": "https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef"
},
{
"url": "https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2"
},
{
"url": "https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47"
},
{
"url": "https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8"
},
{
"url": "https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7"
},
{
"url": "https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993"
}
],
"title": "Bluetooth: hci_event: fix potential UAF in SSP passkey handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46056",
"datePublished": "2026-05-27T12:57:15.150Z",
"dateReserved": "2026-05-13T15:03:33.094Z",
"dateUpdated": "2026-06-19T11:59:12.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43303 (GCVE-0-2026-43303)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-06-19 11:58
VLAI?
EPSS
Title
mm/page_alloc: clear page->private in free_pages_prepare()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b8000ae185cb068adbda5f966a3835053c85fd4 , < e7790ab165713b79b1617ce659742ceb3a859d05
(git)
Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < 3edb8ebbf79b9016040e8f3421d723ae3d542b32 (git) Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b (git) Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < 23b82b7a26182ad840ae67d390d7ec9771e8c00f (git) Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < d757c793853ec5483eb41ec2942c300b8fa720fb (git) Affected: 3b8000ae185cb068adbda5f966a3835053c85fd4 , < ac1ea219590c09572ed5992dc233bbf7bb70fef9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7790ab165713b79b1617ce659742ceb3a859d05",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "3edb8ebbf79b9016040e8f3421d723ae3d542b32",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "23b82b7a26182ad840ae67d390d7ec9771e8c00f",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "d757c793853ec5483eb41ec2942c300b8fa720fb",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
},
{
"lessThan": "ac1ea219590c09572ed5992dc233bbf7bb70fef9",
"status": "affected",
"version": "3b8000ae185cb068adbda5f966a3835053c85fd4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/page_alloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page-\u003eprivate in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page-\u003eprivate but don\u0027t\nclear it before freeing pages. When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage-\u003eprivate values.\n\nThis causes a use-after-free in the swap subsystem. The swap code uses\npage-\u003eprivate to track swap count continuations, assuming freshly\nallocated pages have page-\u003eprivate == 0. When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page-\u003elru containing LIST_POISON values,\ncausing a crash:\n\n KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page-\u003eprivate in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:25.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7790ab165713b79b1617ce659742ceb3a859d05"
},
{
"url": "https://git.kernel.org/stable/c/3edb8ebbf79b9016040e8f3421d723ae3d542b32"
},
{
"url": "https://git.kernel.org/stable/c/f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b"
},
{
"url": "https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f"
},
{
"url": "https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb"
},
{
"url": "https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9"
}
],
"title": "mm/page_alloc: clear page-\u003eprivate in free_pages_prepare()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43303",
"datePublished": "2026-05-08T13:11:23.561Z",
"dateReserved": "2026-05-01T14:12:56.000Z",
"dateUpdated": "2026-06-19T11:58:25.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22990 (GCVE-0-2026-22990)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-06-16 20:38
VLAI?
EPSS
Title
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 9aa0b0c14cefece078286d78b97d4c09685e372d
(git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 4b106fbb1c7b841cd402abd83eb2447164c799ea (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6afd2a4213524bc742b709599a3663aeaf77193c (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < d3613770e2677683e65d062da5e31f48c409abe9 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6c6cec3db3b418c4fdf815731bc39e46dff75e1b (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6348d70af847b79805374fe628d3809a63fd7df3 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e00c3f71b5cf75681dbd74ee3f982a99cb690c2b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:38:28.126291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:38:37.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aa0b0c14cefece078286d78b97d4c09685e372d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "4b106fbb1c7b841cd402abd83eb2447164c799ea",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6afd2a4213524bc742b709599a3663aeaf77193c",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "d3613770e2677683e65d062da5e31f48c409abe9",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6c6cec3db3b418c4fdf815731bc39e46dff75e1b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6348d70af847b79805374fe628d3809a63fd7df3",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e00c3f71b5cf75681dbd74ee3f982a99cb690c2b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG. Instead, just declare the incremental osdmap to be invalid."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:52.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d"
},
{
"url": "https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea"
},
{
"url": "https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c"
},
{
"url": "https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9"
},
{
"url": "https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b"
},
{
"url": "https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3"
},
{
"url": "https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b"
}
],
"title": "libceph: replace overzealous BUG_ON in osdmap_apply_incremental()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22990",
"datePublished": "2026-01-23T15:24:11.332Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-06-16T20:38:37.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71089 (GCVE-0-2025-71089)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-06-16 16:20
VLAI?
EPSS
Title
iommu: disable SVA when CONFIG_X86 is set
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < b34289505180a83607fcfdce14b5a290d0528476
(git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 7cad37e358970af1bb49030ff01f06a69fa7d985 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 240cd7f2812cc25496b12063d11c823618f364e9 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c341dee80b5df49a936182341b36395c831c2661 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 72f98ef9a4be30d2a60136dd6faee376f780d06c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:19:59.752068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:20:14.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b34289505180a83607fcfdce14b5a290d0528476",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "7cad37e358970af1bb49030ff01f06a69fa7d985",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c341dee80b5df49a936182341b36395c831c2661",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel\npage table entries. When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries. This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables. The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table. Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings. This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated. The IOMMU could\nmisinterpret the new data as valid page table entries. The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation. This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings. However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out. This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:54:31.972Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476"
},
{
"url": "https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985"
},
{
"url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
},
{
"url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
},
{
"url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
},
{
"url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
}
],
"title": "iommu: disable SVA when CONFIG_X86 is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71089",
"datePublished": "2026-01-13T15:34:51.079Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-06-16T16:20:14.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40158 (GCVE-0-2025-40158)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-06-16 20:00
VLAI?
EPSS
Title
ipv6: use RCU in ip6_output()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_output()
Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
possible UAF.
We can remove rcu_read_lock()/rcu_read_unlock() pairs
from ip6_finish_output2().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:00:29.008533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:00:37.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0393f85c3241c19ba8550f04a812e7d19f6b3082",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "11709573cc4e48dc34c80fc7ab9ce5b159e29695",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_output()\n\nUse RCU in ip6_output() in order to use dst_dev_rcu() to prevent\npossible UAF.\n\nWe can remove rcu_read_lock()/rcu_read_unlock() pairs\nfrom ip6_finish_output2()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:43:51.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0393f85c3241c19ba8550f04a812e7d19f6b3082"
},
{
"url": "https://git.kernel.org/stable/c/11709573cc4e48dc34c80fc7ab9ce5b159e29695"
}
],
"title": "ipv6: use RCU in ip6_output()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40158",
"datePublished": "2025-11-12T10:23:29.516Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-06-16T20:00:37.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43329 (GCVE-0-2026-43329)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
netfilter: flowtable: strictly check for maximum number of actions
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: strictly check for maximum number of actions
The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.
Update flow_action_entry_next() calls to check for the maximum number of
supported actions.
While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.
Severity ?
7.8 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c29f74e0df7a02b8303bcdce93a7c0132d62577a , < ead66c77303f760f6c30be96e2e20d5a77cef614
(git)
Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < fe9018d3e94329f1951b00805a8640bc06f56ead (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 5382bb03e9c33b089d60788478b922a2dca284cc (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 57c78bd2e2dd08897acd35b2bf8bcef322e36f5e (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 504c9456699dcf4d15195ef34a0fa94a80bfc877 (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 879959a7a2be814dd57568655eafa3d8f4d0309e (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 76522fcdbc3a02b568f5d957f7e66fc194abb893 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Netfilter flowtable component of the Linux kernel. This vulnerability occurs because the system does not strictly check the maximum number of hardware offload actions for IPv6, allowing it to process more actions than supported. This could potentially lead to system instability or a denial of service (DoS) condition, where the affected system becomes unresponsive."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:29.162Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43329"
},
{
"name": "RHBZ#2468124",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468124"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43329.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23329"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34095"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27713"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33215: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:23329: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34095: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:30848: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26427: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33899: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26428: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: netfilter: flowtable: strictly check for maximum number of actions",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_flow_table_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ead66c77303f760f6c30be96e2e20d5a77cef614",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "fe9018d3e94329f1951b00805a8640bc06f56ead",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "5382bb03e9c33b089d60788478b922a2dca284cc",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "57c78bd2e2dd08897acd35b2bf8bcef322e36f5e",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "504c9456699dcf4d15195ef34a0fa94a80bfc877",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "879959a7a2be814dd57568655eafa3d8f4d0309e",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "76522fcdbc3a02b568f5d957f7e66fc194abb893",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_flow_table_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: strictly check for maximum number of actions\n\nThe maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports for tunnels\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address takes 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, rise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:27.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614"
},
{
"url": "https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead"
},
{
"url": "https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc"
},
{
"url": "https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e"
},
{
"url": "https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877"
},
{
"url": "https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e"
},
{
"url": "https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893"
}
],
"title": "netfilter: flowtable: strictly check for maximum number of actions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43329",
"datePublished": "2026-05-08T13:31:17.479Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-07-02T12:05:29.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41035 (GCVE-0-2026-41035)
Vulnerability from cvelistv5 – Published: 2026-04-16 06:53 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Summary
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Severity ?
7.4 (High)
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:20:04.768680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:30:58.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-22T03:03:52.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-16T06:53:05.237Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-805",
"description": "Buffer Access with Incorrect Length Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:09.399Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41035"
},
{
"name": "RHBZ#2458898",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458898"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41035.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25173"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25172"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20696"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19152"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20601"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20602"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20604"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20603"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19368"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17481"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25170"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25190"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25149"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25173: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:25172: Red Hat Enterprise Linux Server (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:20696: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19152: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:20601: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20602: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20604: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20603: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19368: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:17481: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:25170: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:25190: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:25149: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:29197: Red Hat Discovery 2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T08:00:54.200Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-16T06:53:05.237Z",
"value": "Made public."
}
],
"title": "rsync: Rsync: Use-after-free vulnerability in extended attribute handling",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, avoid using the -X or --xattrs options with rsync if extended attribute handling is not essential for your operations. Disabling these options prevents the vulnerable code path from being exercised. This may impact functionality that relies on extended attributes."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "rsync",
"vendor": "Samba",
"versions": [
{
"lessThanOrEqual": "3.4.1",
"status": "affected",
"version": "3.0.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*",
"versionEndIncluding": "3.4.1",
"versionStartIncluding": "3.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T18:23:49.396Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"
},
{
"url": "https://github.com/RsyncProject/rsync/releases"
},
{
"url": "https://github.com/RsyncProject/rsync/issues/871"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-41035",
"datePublished": "2026-04-16T06:53:05.237Z",
"dateReserved": "2026-04-16T06:53:04.777Z",
"dateUpdated": "2026-07-02T12:05:09.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39979 (GCVE-0-2026-39979)
Vulnerability from cvelistv5 – Published: 2026-04-13 22:18 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
Summary
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39979",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:43:11.607182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:43:15.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:4"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-13T22:18:56.252Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the `jv_parse_sized` function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the error message generated by the parser."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:10.015Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-39979"
},
{
"name": "RHBZ#2458077",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458077"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39979.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16252"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18048"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18047"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18046"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18045"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18040"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16692"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19151"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18043"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18042"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16693"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19365"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8579"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:26528: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:16252: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:18048: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18047: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:18046: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:18045: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:18044: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:18040: Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16692: Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19151: Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:18043: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18042: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16693: Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19365: Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25096: Red Hat AI Inference Server 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:30078: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30087: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:8579: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T23:01:01.219Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T22:18:56.252Z",
"value": "Made public."
}
],
"title": "jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, manually ensure that every buffer is NUL-terminated before passing it to the \u0027jv_parse_sized\u0027 function."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "jq",
"vendor": "jqlang",
"versions": [
{
"status": "affected",
"version": "\u003c 2f09060afab23fe9390cce7cb860b10416e1bf5f"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T22:18:56.252Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"
},
{
"name": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f"
}
],
"source": {
"advisory": "GHSA-2hhh-px8h-355p",
"discovery": "UNKNOWN"
},
"title": "jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39979",
"datePublished": "2026-04-13T22:18:56.252Z",
"dateReserved": "2026-04-08T00:01:47.628Z",
"dateUpdated": "2026-07-02T12:05:10.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23392 (GCVE-0-2026-23392)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-05-11 22:05
VLAI?
EPSS
Title
netfilter: nf_tables: release flowtable after rcu grace period on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.
This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().
There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.
Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d2632de96ccb066e0131ad1494241b9c281c60b8
(git)
Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < adee3436ccd29f1e514c028899e400cbc6d84065 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < 7e3955b282eae20d61c75e499c75eade51c20060 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < c8092edb9a11f20f95ccceeb9422b7dd0df337bd (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < e78a2dcc7cfb87b64a631441ca7681492b347ef6 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d73f4b53aaaea4c95f245e491aa5eeb8a21874ce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "7e3955b282eae20d61c75e499c75eade51c20060",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:05:59.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"
},
{
"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"
},
{
"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"
},
{
"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"
},
{
"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"
},
{
"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"
}
],
"title": "netfilter: nf_tables: release flowtable after rcu grace period on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23392",
"datePublished": "2026-03-25T10:33:16.647Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-05-11T22:05:59.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43110 (GCVE-0-2026-43110)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-01 16:14
VLAI?
EPSS
Title
wifi: brcmfmac: validate bsscfg indices in IF events
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2880b86859967af710c72f7d34fb421a86a71e22 , < b329fbcf075949a038045d8e9b86ae3d5bbd8a54
(git)
Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9c81bcc2c695e0082012a2a3d36a0eefaa51579c (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 3ec7437e9d11374105c2c4e47ae671537729d7e6 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9fca68c2512a362cad258e4df12a307bb2ee4b8e (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 1ae1e1caa428844e481231f6dbe9b4f475f1d52d (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < b427c2b05222db36d32ee141609de6128e9091bb (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 304950a467d83678bd0b0f46331882e2ac23b12d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b329fbcf075949a038045d8e9b86ae3d5bbd8a54",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9c81bcc2c695e0082012a2a3d36a0eefaa51579c",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "3ec7437e9d11374105c2c4e47ae671537729d7e6",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9fca68c2512a362cad258e4df12a307bb2ee4b8e",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "1ae1e1caa428844e481231f6dbe9b4f475f1d52d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "b427c2b05222db36d32ee141609de6128e9091bb",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "304950a467d83678bd0b0f46331882e2ac23b12d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr-\u003eiflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr-\u003eiflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:14:59.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b329fbcf075949a038045d8e9b86ae3d5bbd8a54"
},
{
"url": "https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734"
},
{
"url": "https://git.kernel.org/stable/c/9c81bcc2c695e0082012a2a3d36a0eefaa51579c"
},
{
"url": "https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6"
},
{
"url": "https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e"
},
{
"url": "https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d"
},
{
"url": "https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb"
},
{
"url": "https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d"
}
],
"title": "wifi: brcmfmac: validate bsscfg indices in IF events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43110",
"datePublished": "2026-05-06T07:40:37.250Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-01T16:14:59.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71116 (GCVE-0-2025-71116)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
libceph: make decode_pool() more resilient against corrupted osdmaps
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make decode_pool() more resilient against corrupted osdmaps
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < d061be4c8040ffb1110d537654a038b8b6ad39d2
(git)
Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 145d140abda80e33331c5781d6603014fa75d258 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < c82e39ff67353a5a6cbc07b786b8690bd2c45aaa (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < e927ab132b87ba3f076705fc2684d94b24201ed1 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 5d0d8c292531fe356c4e94dcfdf7d7212aca9957 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 2acb8517429ab42146c6c0ac1daed1f03d2fd125 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 8c738512714e8c0aa18f8a10c072d5b01c83db39 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:42:27.725166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:23.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061be4c8040ffb1110d537654a038b8b6ad39d2",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "145d140abda80e33331c5781d6603014fa75d258",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "c82e39ff67353a5a6cbc07b786b8690bd2c45aaa",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "e927ab132b87ba3f076705fc2684d94b24201ed1",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "5d0d8c292531fe356c4e94dcfdf7d7212aca9957",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "2acb8517429ab42146c6c0ac1daed1f03d2fd125",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "8c738512714e8c0aa18f8a10c072d5b01c83db39",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:55:10.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2"
},
{
"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258"
},
{
"url": "https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa"
},
{
"url": "https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1"
},
{
"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957"
},
{
"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125"
},
{
"url": "https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39"
}
],
"title": "libceph: make decode_pool() more resilient against corrupted osdmaps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71116",
"datePublished": "2026-01-14T15:06:04.476Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-06-11T18:44:23.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23191 (GCVE-0-2026-23191)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-06-16 20:20
VLAI?
EPSS
Title
ALSA: aloop: Fix racy access at PCM trigger
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b1c73fc8e697eb73e23603e465e9af2711ed4183 , < bad15420050db1803767e58756114800cce91ea4
(git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 5727ccf9d19ca414cb76d9b647883822e2789c2e (git) Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 826af7fa62e347464b1b4e0ba2fe19a92438084f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T20:20:28.206628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T20:20:36.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bad15420050db1803767e58756114800cce91ea4",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable-\u003elock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:05.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
},
{
"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
},
{
"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
}
],
"title": "ALSA: aloop: Fix racy access at PCM trigger",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23191",
"datePublished": "2026-02-14T16:27:18.882Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-06-16T20:20:36.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41073 (GCVE-0-2024-41073)
Vulnerability from cvelistv5 – Published: 2024-07-29 14:57 – Updated: 2026-05-11 20:25
VLAI?
EPSS
Title
nvme: avoid double free special payload
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: avoid double free special payload
If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < 882574942a9be8b9d70d13462ddacc80c4b385ba
(git)
Affected: f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < c5942a14f795de957ae9d66027aac8ff4fe70057 (git) Affected: f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < f3ab45aacd25d957547fb6d115c1574c20964b3b (git) Affected: f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < ae84383c96d6662c24697ab6b44aae855ab670aa (git) Affected: f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < 1b9fd1265fac85916f90b4648de02adccdb7220b (git) Affected: f9d03f96b988002027d4b28ea1b7a24729a4c9b5 , < e5d574ab37f5f2e7937405613d9b1a724811e5ad (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:26.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:21:30.593926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:00.546Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "882574942a9be8b9d70d13462ddacc80c4b385ba",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
},
{
"lessThan": "c5942a14f795de957ae9d66027aac8ff4fe70057",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
},
{
"lessThan": "f3ab45aacd25d957547fb6d115c1574c20964b3b",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
},
{
"lessThan": "ae84383c96d6662c24697ab6b44aae855ab670aa",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
},
{
"lessThan": "1b9fd1265fac85916f90b4648de02adccdb7220b",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
},
{
"lessThan": "e5d574ab37f5f2e7937405613d9b1a724811e5ad",
"status": "affected",
"version": "f9d03f96b988002027d4b28ea1b7a24729a4c9b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.164",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.101",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.42",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.11",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:25:39.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/882574942a9be8b9d70d13462ddacc80c4b385ba"
},
{
"url": "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057"
},
{
"url": "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b"
},
{
"url": "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa"
},
{
"url": "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b"
},
{
"url": "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad"
}
],
"title": "nvme: avoid double free special payload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41073",
"datePublished": "2024-07-29T14:57:33.253Z",
"dateReserved": "2024-07-12T12:17:45.631Z",
"dateUpdated": "2026-05-11T20:25:39.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-06-16 19:12
VLAI?
EPSS
Title
nbd: defer config unlock in nbd_genl_connect
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 330d688a5ca53857828081a3cf31b92ad1b0b3ed
(git)
Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < cd93db1b1b4460e6ee77564024ea461e5940f69c (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < ae3e7bc1f4b393ae20e5c85583eb2c6977374716 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 2e5e0665a594f076ef2b9439447bae8be293d09d (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9b99c948b4fb014812afe7b5ccf2db121d22e46 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 9a38306643874566d20f7aba7dff9e6f657b51a9 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < c9e805f6a35d1dd189a9345595a5c20e87611942 (git) Affected: e46c7287b1c27683a8e30ca825fb98e2b97f1099 , < 1649714b930f9ea6233ce0810ba885999da3b5d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:12:23.169488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:12:35.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "330d688a5ca53857828081a3cf31b92ad1b0b3ed",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "cd93db1b1b4460e6ee77564024ea461e5940f69c",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "ae3e7bc1f4b393ae20e5c85583eb2c6977374716",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "2e5e0665a594f076ef2b9439447bae8be293d09d",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n nbd_alloc_and_init_config // config_refs=1\n nbd_start_device // config_refs=2\n set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n mutex_unlock(\u0026nbd-\u003econfig_lock);\n if (!ret) {\n set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+ printk(\"before sleep\\n\");\n+ mdelay(5 * 1000);\n+ printk(\"after sleep\\n\");\n refcount_inc(\u0026nbd-\u003econfig_refs);\n nbd_connect_reply(info, nbd-\u003eindex);\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:51:48.993Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/330d688a5ca53857828081a3cf31b92ad1b0b3ed"
},
{
"url": "https://git.kernel.org/stable/c/cd93db1b1b4460e6ee77564024ea461e5940f69c"
},
{
"url": "https://git.kernel.org/stable/c/ae3e7bc1f4b393ae20e5c85583eb2c6977374716"
},
{
"url": "https://git.kernel.org/stable/c/2e5e0665a594f076ef2b9439447bae8be293d09d"
},
{
"url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
},
{
"url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
},
{
"url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
},
{
"url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
}
],
"title": "nbd: defer config unlock in nbd_genl_connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68366",
"datePublished": "2025-12-24T10:32:53.399Z",
"dateReserved": "2025-12-16T14:48:05.308Z",
"dateUpdated": "2026-06-16T19:12:35.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43158 (GCVE-0-2026-43158)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18
VLAI?
EPSS
Title
xfs: fix freemap adjustments when adding xattrs to leaf blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs/592 and xfs/794 both trip this assertion in the leaf block freemap
adjustment code after ~20 minutes of running on my test VMs:
ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)
+ xfs_attr3_leaf_hdr_size(leaf));
Upon enabling quite a lot more debugging code, I narrowed this down to
fsstress trying to set a local extended attribute with namelen=3 and
valuelen=71. This results in an entry size of 80 bytes.
At the start of xfs_attr3_leaf_add_work, the freemap looks like this:
i 0 base 448 size 0 rhs 448 count 46
i 1 base 388 size 132 rhs 448 count 46
i 2 base 2120 size 4 rhs 448 count 46
firstused = 520
where "rhs" is the first byte past the end of the leaf entry array.
This is inconsistent -- the entries array ends at byte 448, but
freemap[1] says there's free space starting at byte 388!
By the end of the function, the freemap is in worse shape:
i 0 base 456 size 0 rhs 456 count 47
i 1 base 388 size 52 rhs 456 count 47
i 2 base 2120 size 4 rhs 456 count 47
firstused = 440
Important note: 388 is not aligned with the entries array element size
of 8 bytes.
Based on the incorrect freemap, the name area starts at byte 440, which
is below the end of the entries array! That's why the assertion
triggers and the filesystem shuts down.
How did we end up here? First, recall from the previous patch that the
freemap array in an xattr leaf block is not intended to be a
comprehensive map of all free space in the leaf block. In other words,
it's perfectly legal to have a leaf block with:
* 376 bytes in use by the entries array
* freemap[0] has [base = 376, size = 8]
* freemap[1] has [base = 388, size = 1500]
* the space between 376 and 388 is free, but the freemap stopped
tracking that some time ago
If we add one xattr, the entries array grows to 384 bytes, and
freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we
add a second xattr, the entries array grows to 392 bytes, and freemap[0]
gets pushed up to [base = 392, size = 0]. This is bad, because
freemap[1] hasn't been updated, and now the entries array and the free
space claim the same space.
The fix here is to adjust all freemap entries so that none of them
collide with the entries array. Note that this fix relies on commit
2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and
the previous patch that resets zero length freemap entries to have
base = 0.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d08976725355b9d54d8332fce223fa281cc304a5
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6a8737afbccc340e718e0b22577312826390be8b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a396b3d73d51355e50acdb403ba9c4cae4c1174e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38613c01f69e1e77e6b8acab1e8ac665d01c2f15 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef42a8766ff3fdf51cf72fb36d0859c09d134478 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 43f3b18679615a93bd848afde3602ba160637a46 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 24ce71852f2cee6581e2cbebc15489ed52bf63b7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3eefc0c2b78444b64feeb3783c017d6adc3cd3ce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/libxfs/xfs_attr_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d08976725355b9d54d8332fce223fa281cc304a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a8737afbccc340e718e0b22577312826390be8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a396b3d73d51355e50acdb403ba9c4cae4c1174e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38613c01f69e1e77e6b8acab1e8ac665d01c2f15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef42a8766ff3fdf51cf72fb36d0859c09d134478",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43f3b18679615a93bd848afde3602ba160637a46",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24ce71852f2cee6581e2cbebc15489ed52bf63b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3eefc0c2b78444b64feeb3783c017d6adc3cd3ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/libxfs/xfs_attr_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix freemap adjustments when adding xattrs to leaf blocks\n\nxfs/592 and xfs/794 both trip this assertion in the leaf block freemap\nadjustment code after ~20 minutes of running on my test VMs:\n\n ASSERT(ichdr-\u003efirstused \u003e= ichdr-\u003ecount * sizeof(xfs_attr_leaf_entry_t)\n\t\t\t\t\t+ xfs_attr3_leaf_hdr_size(leaf));\n\nUpon enabling quite a lot more debugging code, I narrowed this down to\nfsstress trying to set a local extended attribute with namelen=3 and\nvaluelen=71. This results in an entry size of 80 bytes.\n\nAt the start of xfs_attr3_leaf_add_work, the freemap looks like this:\n\ni 0 base 448 size 0 rhs 448 count 46\ni 1 base 388 size 132 rhs 448 count 46\ni 2 base 2120 size 4 rhs 448 count 46\nfirstused = 520\n\nwhere \"rhs\" is the first byte past the end of the leaf entry array.\nThis is inconsistent -- the entries array ends at byte 448, but\nfreemap[1] says there\u0027s free space starting at byte 388!\n\nBy the end of the function, the freemap is in worse shape:\n\ni 0 base 456 size 0 rhs 456 count 47\ni 1 base 388 size 52 rhs 456 count 47\ni 2 base 2120 size 4 rhs 456 count 47\nfirstused = 440\n\nImportant note: 388 is not aligned with the entries array element size\nof 8 bytes.\n\nBased on the incorrect freemap, the name area starts at byte 440, which\nis below the end of the entries array! That\u0027s why the assertion\ntriggers and the filesystem shuts down.\n\nHow did we end up here? First, recall from the previous patch that the\nfreemap array in an xattr leaf block is not intended to be a\ncomprehensive map of all free space in the leaf block. In other words,\nit\u0027s perfectly legal to have a leaf block with:\n\n * 376 bytes in use by the entries array\n * freemap[0] has [base = 376, size = 8]\n * freemap[1] has [base = 388, size = 1500]\n * the space between 376 and 388 is free, but the freemap stopped\n tracking that some time ago\n\nIf we add one xattr, the entries array grows to 384 bytes, and\nfreemap[0] becomes [base = 384, size = 0]. So far, so good. But if we\nadd a second xattr, the entries array grows to 392 bytes, and freemap[0]\ngets pushed up to [base = 392, size = 0]. This is bad, because\nfreemap[1] hasn\u0027t been updated, and now the entries array and the free\nspace claim the same space.\n\nThe fix here is to adjust all freemap entries so that none of them\ncollide with the entries array. Note that this fix relies on commit\n2a2b5932db6758 (\"xfs: fix attr leaf header freemap.size underflow\") and\nthe previous patch that resets zero length freemap entries to have\nbase = 0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:18:53.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d08976725355b9d54d8332fce223fa281cc304a5"
},
{
"url": "https://git.kernel.org/stable/c/6a8737afbccc340e718e0b22577312826390be8b"
},
{
"url": "https://git.kernel.org/stable/c/a396b3d73d51355e50acdb403ba9c4cae4c1174e"
},
{
"url": "https://git.kernel.org/stable/c/38613c01f69e1e77e6b8acab1e8ac665d01c2f15"
},
{
"url": "https://git.kernel.org/stable/c/ef42a8766ff3fdf51cf72fb36d0859c09d134478"
},
{
"url": "https://git.kernel.org/stable/c/43f3b18679615a93bd848afde3602ba160637a46"
},
{
"url": "https://git.kernel.org/stable/c/24ce71852f2cee6581e2cbebc15489ed52bf63b7"
},
{
"url": "https://git.kernel.org/stable/c/3eefc0c2b78444b64feeb3783c017d6adc3cd3ce"
}
],
"title": "xfs: fix freemap adjustments when adding xattrs to leaf blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43158",
"datePublished": "2026-05-06T11:27:37.848Z",
"dateReserved": "2026-05-01T14:12:55.990Z",
"dateUpdated": "2026-05-11T22:18:53.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46243 (GCVE-0-2026-46243)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:22 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
smb: client: reject userspace cifs.spnego descriptions
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: reject userspace cifs.spnego descriptions
cifs.spnego key descriptions contain authority-bearing fields such as
pid, uid, creduid, and upcall_target that cifs.upcall treats as
kernel-originating inputs. However, userspace can also create keys of
this type through request_key(2) or add_key(2), allowing those fields to
be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private
spnego_cred to request the key.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 7713bd320ed4fc3d08a227cd8e41242219a16981
(git)
Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 9544559e59438a4b609b2fdfa0763d8360572824 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < cf20038657d6d4974349556a34e08fe0490bebbc (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 2035acfb17221729b1b8ac335e941868a04ca079 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < a3bbda6502a9398b816fa2e71c9a3f955f58013d (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 91f89c1d83e80417629791fcef6af8140d7d01c8 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 0aece6685fc80a8de492688ca2315fb86ec379c7 (git) Affected: f1d662a7d5e5322e583aad6b3cfec03d8f27b435 , < 3da1fdf4efbc490041eb4f836bf596201203f8f2 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T03:56:00.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/manizada/CIFSwitch"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-01T18:55:00.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:10::el10"
],
"defaultStatus": "affected",
"product": "NVIDIA for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was found in the Linux kernel\u0027s CIFS client implementation. This could allow a local attacker to impersonate other users, bypass authentication in SMB mount operations, and potentially gain unauthorized access to network file shares or escalate privileges."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:08.721Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46243"
},
{
"name": "RHBZ#2481486",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481486"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46243.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23395"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27719"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27729"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25908"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23329"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24381"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23258"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33220"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26570"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33219"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33221"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33222"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33223"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23259"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:23395: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:33486: NVIDIA for RHEL 10"
},
{
"lang": "en",
"value": "RHSA-2026:27719: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION), Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:27729: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:25908: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:23329: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:24381: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33225: Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:23258: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:33220: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:26570: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33219: Red Hat Enterprise Linux BaseOS E4S (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33221: Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:33222: Red Hat Enterprise Linux BaseOS E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:33223: Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:33224: Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:23259: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T15:07:49.955Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel: smb: client: reject userspace cifs.spnego descriptions",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_spnego.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7713bd320ed4fc3d08a227cd8e41242219a16981",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "9544559e59438a4b609b2fdfa0763d8360572824",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "cf20038657d6d4974349556a34e08fe0490bebbc",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "2035acfb17221729b1b8ac335e941868a04ca079",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "a3bbda6502a9398b816fa2e71c9a3f955f58013d",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "91f89c1d83e80417629791fcef6af8140d7d01c8",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "0aece6685fc80a8de492688ca2315fb86ec379c7",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
},
{
"lessThan": "3da1fdf4efbc490041eb4f836bf596201203f8f2",
"status": "affected",
"version": "f1d662a7d5e5322e583aad6b3cfec03d8f27b435",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifs_spnego.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: reject userspace cifs.spnego descriptions\n\ncifs.spnego key descriptions contain authority-bearing fields such as\npid, uid, creduid, and upcall_target that cifs.upcall treats as\nkernel-originating inputs. However, userspace can also create keys of\nthis type through request_key(2) or add_key(2), allowing those fields to\nbe supplied without CIFS origin.\n\nOnly accept cifs.spnego descriptions while CIFS is using its private\nspnego_cred to request the key."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:05:20.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7713bd320ed4fc3d08a227cd8e41242219a16981"
},
{
"url": "https://git.kernel.org/stable/c/9544559e59438a4b609b2fdfa0763d8360572824"
},
{
"url": "https://git.kernel.org/stable/c/cf20038657d6d4974349556a34e08fe0490bebbc"
},
{
"url": "https://git.kernel.org/stable/c/2035acfb17221729b1b8ac335e941868a04ca079"
},
{
"url": "https://git.kernel.org/stable/c/a3bbda6502a9398b816fa2e71c9a3f955f58013d"
},
{
"url": "https://git.kernel.org/stable/c/91f89c1d83e80417629791fcef6af8140d7d01c8"
},
{
"url": "https://git.kernel.org/stable/c/0aece6685fc80a8de492688ca2315fb86ec379c7"
},
{
"url": "https://git.kernel.org/stable/c/3da1fdf4efbc490041eb4f836bf596201203f8f2"
}
],
"title": "smb: client: reject userspace cifs.spnego descriptions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46243",
"datePublished": "2026-06-01T16:22:29.211Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-07-02T12:05:08.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46227 (GCVE-0-2026-46227)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu(). The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp. After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns. @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.
Severity ?
7.8 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4910280503f3af2857d5aa77e35b22d93a8960a8 , < f3a3f0b406b4b7eb3cea35a23fa2bf170848b104
(git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0dbc8cde64280fc37cdd678cced34eaf96cfb197 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0c7b55974f97b78d1109025eadf084e74cbf330f (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 6187a172d6ed57d6b2c327836e4407c6456e639d (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < bf0f40d8107e2ce827521968dc6926f3e13728ae (git) Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < abb5f36771cc4c05899b34000829a787572a8817 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the `SCTP_SENDALL` path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via a network abort) to trigger a use-after-free or type confusion vulnerability. Successful exploitation can lead to a controlled indirect call, potentially resulting in arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:27.645Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46227"
},
{
"name": "RHBZ#2482564",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482564"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46227.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34094: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:33899: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3a3f0b406b4b7eb3cea35a23fa2bf170848b104",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "0dbc8cde64280fc37cdd678cced34eaf96cfb197",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "0c7b55974f97b78d1109025eadf084e74cbf330f",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
},
{
"lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
"status": "affected",
"version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs. The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu(). The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp. After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns. @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:04:07.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
},
{
"url": "https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197"
},
{
"url": "https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f"
},
{
"url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
},
{
"url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
},
{
"url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
},
{
"url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
},
{
"url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
}
],
"title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46227",
"datePublished": "2026-05-28T09:40:47.518Z",
"dateReserved": "2026-05-13T15:03:33.106Z",
"dateUpdated": "2026-07-02T12:05:27.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-06-16 19:22
VLAI?
EPSS
Title
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 60a7be5ee74408147e439164ac067e418ca74bb4
(git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c13c6e9de91d7f1dd7df756b1fa5a1f968839d76 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:22:49.497362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:22:59.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:52:06.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
},
{
"url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
},
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-06-16T19:22:59.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41326 (GCVE-0-2026-41326)
Vulnerability from cvelistv5 – Published: 2026-04-24 18:46 – Updated: 2026-06-30 12:06
VLAI?
EPSS
Title
Kata Containers: CopyFile Policy Subversion via Symlinks
Summary
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0.
Severity ?
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kata-containers | kata-containers |
Affected:
>= 3.4.0, < 3.29.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41326",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:43:48.851429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:43:53.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-13T05:17:44.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-22T19:01:25.112Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Kata Containers. An oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:00.693Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41326"
},
{
"name": "RHBZ#2460859",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460859"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41326.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25200"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25200: Red Hat OpenShift Container Platform 4.19"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-22T19:00:36.343Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-22T19:01:25.112Z",
"value": "Made public."
}
],
"title": "kata-containers: Arbitrary file write inside guest image via CopyFile policy",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "kata-containers",
"vendor": "kata-containers",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:03:37.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc"
},
{
"name": "https://github.com/kata-containers/kata-containers/commit/1b9e49eb2763aa6ea6a99b276d3ff5e2c7f658f2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kata-containers/kata-containers/commit/1b9e49eb2763aa6ea6a99b276d3ff5e2c7f658f2"
}
],
"source": {
"advisory": "GHSA-q49m-57vm-c8cc",
"discovery": "UNKNOWN"
},
"title": "Kata Containers: CopyFile Policy Subversion via Symlinks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41326",
"datePublished": "2026-04-24T18:46:21.993Z",
"dateReserved": "2026-04-20T14:01:46.672Z",
"dateUpdated": "2026-06-30T12:06:00.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23216 (GCVE-0-2026-23216)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:21 – Updated: 2026-06-11 17:53
VLAI?
EPSS
Title
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.
If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.
Fix this by releasing the spinlock before calling complete().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < ba684191437380a07b27666eb4e72748be1ea201
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 8518f072fc92921418cd9ed4268dd4f3e9a8fd75 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 275016a551ba1a068a3bd6171b18611726b67110 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 73b487d44bf4f92942629d578381f89c326ff77f (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 48fe983e92de2c59d143fe38362ad17ba23ec7f3 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 3835e49e146a4e6e7787b29465f1a23379b6ec44 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 9411a89e9e7135cc459178fa77a3f1d6191ae903 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:21.955601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T17:53:37.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba684191437380a07b27666eb4e72748be1ea201",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "8518f072fc92921418cd9ed4268dd4f3e9a8fd75",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "275016a551ba1a068a3bd6171b18611726b67110",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "73b487d44bf4f92942629d578381f89c326ff77f",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "48fe983e92de2c59d143fe38362ad17ba23ec7f3",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "3835e49e146a4e6e7787b29465f1a23379b6ec44",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "9411a89e9e7135cc459178fa77a3f1d6191ae903",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()\n\nIn iscsit_dec_conn_usage_count(), the function calls complete() while\nholding the conn-\u003econn_usage_lock. As soon as complete() is invoked, the\nwaiter (such as iscsit_close_connection()) may wake up and proceed to free\nthe iscsit_conn structure.\n\nIf the waiter frees the memory before the current thread reaches\nspin_unlock_bh(), it results in a KASAN slab-use-after-free as the function\nattempts to release a lock within the already-freed connection structure.\n\nFix this by releasing the spinlock before calling complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:34.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba684191437380a07b27666eb4e72748be1ea201"
},
{
"url": "https://git.kernel.org/stable/c/8518f072fc92921418cd9ed4268dd4f3e9a8fd75"
},
{
"url": "https://git.kernel.org/stable/c/275016a551ba1a068a3bd6171b18611726b67110"
},
{
"url": "https://git.kernel.org/stable/c/73b487d44bf4f92942629d578381f89c326ff77f"
},
{
"url": "https://git.kernel.org/stable/c/48fe983e92de2c59d143fe38362ad17ba23ec7f3"
},
{
"url": "https://git.kernel.org/stable/c/3835e49e146a4e6e7787b29465f1a23379b6ec44"
},
{
"url": "https://git.kernel.org/stable/c/9411a89e9e7135cc459178fa77a3f1d6191ae903"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23216",
"datePublished": "2026-02-18T14:21:53.699Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-06-11T17:53:37.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40164 (GCVE-0-2026-40164)
Vulnerability from cvelistv5 – Published: 2026-04-13 23:40 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed
Summary
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40164",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T19:08:48.249009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T19:27:38.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-13T23:40:12.693Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in jq, a command-line JSON processor. A remote attacker could exploit this vulnerability by providing a specially crafted JSON object. This object leverages a weakness in jq\u0027s hashing algorithm, which uses a hardcoded, publicly known seed. By crafting the JSON object to cause hash collisions, an attacker can degrade the performance of JSON object hash table operations, leading to significant CPU exhaustion and a denial of service (DoS) for systems processing the malicious JSON data."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-341",
"description": "Predictable from Observable State",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:09.700Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-40164"
},
{
"name": "RHBZ#2458084",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458084"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40164.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16252"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18048"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18047"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18046"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18045"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18040"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16692"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19151"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18043"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18042"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16693"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19365"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8579"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:26528: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:16252: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:18048: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18047: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:18046: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:18045: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:18044: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:18040: Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16692: Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19151: Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:18043: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:18042: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:16693: Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19365: Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25096: Red Hat AI Inference Server 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:30078: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30087: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:8579: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-14T00:01:04.003Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T23:40:12.693Z",
"value": "Made public."
}
],
"title": "jq: jq: Denial of Service via crafted JSON object causing hash collisions",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "jq",
"vendor": "jqlang",
"versions": [
{
"status": "affected",
"version": "\u003c 0c7d133c3c7e37c00b6d46b658a02244fdd3c784"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n\u00b2) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328: Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T23:40:12.693Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"
},
{
"name": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784"
}
],
"source": {
"advisory": "GHSA-wwj8-gxm6-jc29",
"discovery": "UNKNOWN"
},
"title": "jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40164",
"datePublished": "2026-04-13T23:40:12.693Z",
"dateReserved": "2026-04-09T19:31:56.014Z",
"dateUpdated": "2026-07-02T12:05:09.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43163 (GCVE-0-2026-43163)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18
VLAI?
EPSS
Title
md/bitmap: fix GPF in write_page caused by resize race
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/bitmap: fix GPF in write_page caused by resize race
A General Protection Fault occurs in write_page() during array resize:
RIP: 0010:write_page+0x22b/0x3c0 [md_mod]
This is a use-after-free race between bitmap_daemon_work() and
__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`
without locking, while the resize path frees that storage via
md_bitmap_file_unmap(). `quiesce()` does not stop the md thread,
allowing concurrent access to freed pages.
Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 140cc839fbeb1ddb33a8da8811b716d88d3905b7
(git)
Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8 (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < d3af62411e19752c663fe4f424dbf49d95a4cc7c (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < d92b8fac294b5f915c50e65ce4ae2262e53614ec (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < a437e3bf30e32846079e470c1ba5ee790bccdf89 (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 5f73c8b33df9a605a591eab72d43a969600c1f8c (git) Affected: d60b479d177a5735b6b4db6ee5280ef6653f50e7 , < 46ef85f854dfa9d5226b3c1c46493d79556c9589 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "140cc839fbeb1ddb33a8da8811b716d88d3905b7",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "d3af62411e19752c663fe4f424dbf49d95a4cc7c",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "d92b8fac294b5f915c50e65ce4ae2262e53614ec",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "a437e3bf30e32846079e470c1ba5ee790bccdf89",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "5f73c8b33df9a605a591eab72d43a969600c1f8c",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
},
{
"lessThan": "46ef85f854dfa9d5226b3c1c46493d79556c9589",
"status": "affected",
"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: fix GPF in write_page caused by resize race\n\nA General Protection Fault occurs in write_page() during array resize:\nRIP: 0010:write_page+0x22b/0x3c0 [md_mod]\n\nThis is a use-after-free race between bitmap_daemon_work() and\n__bitmap_resize(). The daemon iterates over `bitmap-\u003estorage.filemap`\nwithout locking, while the resize path frees that storage via\nmd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,\nallowing concurrent access to freed pages.\n\nFix by holding `mddev-\u003ebitmap_info.mutex` during the bitmap update."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:18:58.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7"
},
{
"url": "https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8"
},
{
"url": "https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c"
},
{
"url": "https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec"
},
{
"url": "https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89"
},
{
"url": "https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f"
},
{
"url": "https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c"
},
{
"url": "https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589"
}
],
"title": "md/bitmap: fix GPF in write_page caused by resize race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43163",
"datePublished": "2026-05-06T11:27:41.265Z",
"dateReserved": "2026-05-01T14:12:55.990Z",
"dateUpdated": "2026-05-11T22:18:58.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43038 (GCVE-0-2026-43038)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-06-30 12:08
VLAI?
EPSS
Title
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Sashiko AI-review observed:
In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
and passed to icmp6_send(), it uses IP6CB(skb2).
IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
at offset 18.
If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).
This would scan the inner, attacker-controlled IPv6 packet starting at that
offset, potentially returning a fake TLV without checking if the remaining
packet length can hold the full 18-byte struct ipv6_destopt_hao.
Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
of the packet data into skb_shared_info?
Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
ip6ip6_err() to prevent this?
This patch implements the first suggestion.
I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.
Severity ?
9.8 (Critical)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ca15a078bd907df5fc1c009477869c5cbde3b753 , < c438ba010171b70bad22fc18b1d5bdc3627476e8
(git)
Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7 (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < a4437faf135da293d16fcc4cc607316742bd0ebb (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 3d5127d998de617b130aae96b138dba22ac6a8a7 (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < e41953e7d118e2702bcb217879c173d9d1d3cd4e (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < a2edbb6393972a02114b6003953a5cef3104fada (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 1ceeebd5bd6d855b17a5df625109bfe29129d7cf (git) Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 86ab3e55673a7a49a841838776f1ab18d23a67b5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s IPv6 ICMP error generation. A remote attacker could send a specially crafted IPv4 ICMP error packet with a Common Internet Protocol Security Option (CIPSO) IP option. This could lead to incorrect handling of packet control block data when generating an IPv6 ICMP error, potentially causing an out-of-bounds memory access. This memory corruption could result in information disclosure or a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:35.081Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-43038"
},
{
"name": "RHBZ#2464397",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464397"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43038.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24343"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30129"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22940"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23237"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23224"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25533"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22964"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22900"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:24343: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:30129: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:22940: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:23237: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:30848: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25121: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:25533: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:22964: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:25120: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:22900: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: ipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c438ba010171b70bad22fc18b1d5bdc3627476e8",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "a4437faf135da293d16fcc4cc607316742bd0ebb",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "3d5127d998de617b130aae96b138dba22ac6a8a7",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "e41953e7d118e2702bcb217879c173d9d1d3cd4e",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "a2edbb6393972a02114b6003953a5cef3104fada",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "1ceeebd5bd6d855b17a5df625109bfe29129d7cf",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "86ab3e55673a7a49a841838776f1ab18d23a67b5",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n and passed to icmp6_send(), it uses IP6CB(skb2).\n\n IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n at offset 18.\n\n If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n and uses ipv6_find_tlv(skb, opt-\u003edsthao, IPV6_TLV_HAO).\n\n This would scan the inner, attacker-controlled IPv6 packet starting at that\n offset, potentially returning a fake TLV without checking if the remaining\n packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n of the packet data into skb_shared_info?\n\n Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:31.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8"
},
{
"url": "https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"
},
{
"url": "https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb"
},
{
"url": "https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7"
},
{
"url": "https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"
},
{
"url": "https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada"
},
{
"url": "https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf"
},
{
"url": "https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5"
}
],
"title": "ipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43038",
"datePublished": "2026-05-01T14:15:35.986Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-06-30T12:08:35.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4878 (GCVE-0-2026-4878)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:49 – Updated: 2026-07-02 12:05
VLAI?
EPSS
Title
Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()
Summary
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Severity ?
6.7 (Medium)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
0:2.69-7.el10_1.1 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.1 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Red Hat would like to thank Ali Raza for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-09T15:36:22.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/08/9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T03:56:06.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cost_management:4::el9"
],
"defaultStatus": "affected",
"product": "Cost Management 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1.5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Insights proxy 1.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3.9.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:10.916Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-4878"
},
{
"name": "RHBZ#2451615",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451615"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4878.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19456"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12423"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21254"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20595"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19458"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12441"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19346"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13285"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24346"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22957"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27998"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14937"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7473"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22634"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14162"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:19456: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:12423: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19130: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:21254: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:20595: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:19458: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:12441: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19346: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13285: Red Hat Enterprise Linux BaseOS (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:24346: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:22957: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:27998: Cost Management 4"
},
{
"lang": "en",
"value": "RHSA-2026:25096: Red Hat AI Inference Server 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:30078: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:30087: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:14937: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:29197: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:7473: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22634: Red Hat Insights proxy 1.5"
},
{
"lang": "en",
"value": "RHSA-2026:14162: Red Hat OpenShift distributed tracing 3.9.3"
},
{
"lang": "en",
"value": "RHSA-2026:21275: Red Hat Update Infrastructure 5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-26T06:56:21.213Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file()",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.69-7.el10_1.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.69-7.el10_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.69-7.el10_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-6.el8_10.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos",
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-4.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos",
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-4.el8_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos",
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-5.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos",
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-5.el8_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-10.el9_7.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-10.el9_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-10.el9_7.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-10.el9_8.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream",
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-9.el9_2.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream",
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-9.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream",
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.48-9.el9_6.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "413.92.202606160406-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "414.92.202606231112-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "415.92.202606030318-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "416.94.202606051757-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "418.94.202606051320-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "4.19.9.6.202606031700-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cost_management:4::el9"
],
"defaultStatus": "affected",
"packageName": "costmanagement/costmanagement-metrics-rhel9-operator",
"product": "Cost Management 4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780946239",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhaiis/model-opt-cuda-rhel9",
"product": "Red Hat AI Inference Server 3.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780681984",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "rhaiis/model-opt-cuda-rhel9",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782352950",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-spyre-rhel9",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782352919",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-rocm-rhel9",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782353093",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cuda-rhel9",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782352847",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-server-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1778101579",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-ui-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1778156756",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-server-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782159791",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-ui-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782166952",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "libcap-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.78-1.1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:insights_proxy:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "insights-proxy/insights-proxy-container-rhel9",
"product": "Red Hat Insights proxy 1.5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780420428",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
],
"defaultStatus": "affected",
"packageName": "rhosdt/opentelemetry-collector-rhel9",
"product": "Red Hat OpenShift distributed tracing 3.9.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1778056267",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
],
"defaultStatus": "affected",
"packageName": "rhosdt/opentelemetry-rhel9-operator",
"product": "Red Hat OpenShift distributed tracing 3.9.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1778056233",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
],
"defaultStatus": "affected",
"packageName": "rhosdt/opentelemetry-target-allocator-rhel9",
"product": "Red Hat OpenShift distributed tracing 3.9.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1778056245",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"packageName": "rhui5/cds-rhel9",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1779798159",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"packageName": "rhui5/haproxy-rhel9",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1779798164",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"packageName": "rhui5/installer-rhel9",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1779798165",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"packageName": "rhui5/rhua-rhel9",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1779798222",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "compat-libcap1",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "compat-libcap1",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "libcap",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Ali Raza for reporting this issue."
}
],
"datePublic": "2026-04-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T19:07:40.191Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:12423",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12423"
},
{
"name": "RHSA-2026:12441",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12441"
},
{
"name": "RHSA-2026:13285",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13285"
},
{
"name": "RHSA-2026:14162",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14162"
},
{
"name": "RHSA-2026:14937",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14937"
},
{
"name": "RHSA-2026:19130",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19130"
},
{
"name": "RHSA-2026:19346",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19346"
},
{
"name": "RHSA-2026:19456",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19456"
},
{
"name": "RHSA-2026:19458",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19458"
},
{
"name": "RHSA-2026:20595",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20595"
},
{
"name": "RHSA-2026:21254",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21254"
},
{
"name": "RHSA-2026:21275",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
},
{
"name": "RHSA-2026:22634",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22634"
},
{
"name": "RHSA-2026:22957",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22957"
},
{
"name": "RHSA-2026:23233",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"name": "RHSA-2026:23245",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23245"
},
{
"name": "RHSA-2026:24346",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24346"
},
{
"name": "RHSA-2026:25044",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"name": "RHSA-2026:25096",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"name": "RHSA-2026:25181",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"name": "RHSA-2026:26542",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"name": "RHSA-2026:27998",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27998"
},
{
"name": "RHSA-2026:28887",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"name": "RHSA-2026:29197",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"name": "RHSA-2026:30078",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"name": "RHSA-2026:30087",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"name": "RHSA-2026:30088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"name": "RHSA-2026:30089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"name": "RHSA-2026:7473",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7473"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-4878"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447554"
},
{
"name": "RHBZ#2451615",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451615"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-26T06:56:21.213Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-4878",
"datePublished": "2026-04-09T14:49:02.942Z",
"dateReserved": "2026-03-26T06:32:41.308Z",
"dateUpdated": "2026-07-02T12:05:10.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46152 (GCVE-0-2026-46152)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-30 12:10
VLAI?
EPSS
Title
wifi: mac80211: drop stray 'static' from fast-RX rx_result
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: drop stray 'static' from fast-RX rx_result
ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.
That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.
Make res an automatic variable so each invocation keeps its own result.
Severity ?
8.8 (High)
CWE
- CWE-1058 - Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3468e1e0c639032a603450f0830ccabfa76f5806 , < 03584528bfffb195e384698af9148b94e42e3f14
(git)
Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 1739fc31b4de06c5c78ce0741182770fb079091e (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < e131562d6f2b958148c35c98831b007f47f0e3d3 (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 3ef44f96ccc3e06e059dec57842e366f0c4b1893 (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba (git) |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Wi-Fi (mac80211) subsystem. The `ieee80211_invoke_fast_rx()` function uses a static variable for `rx_result`, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly reported. Such issues can result in unexpected network behavior or a denial of service within the wireless communication."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1058",
"description": "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:11.071Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-46152"
},
{
"name": "RHBZ#2482563",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482563"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46152.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27288: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26427: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26428: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03584528bfffb195e384698af9148b94e42e3f14",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "1739fc31b4de06c5c78ce0741182770fb079091e",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "e131562d6f2b958148c35c98831b007f47f0e3d3",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "3ef44f96ccc3e06e059dec57842e366f0c4b1893",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result\n\nieee80211_invoke_fast_rx() is documented as safe for parallel RX, but\nits per-invocation rx_result is declared static. Concurrent callers then\nshare one instance and can overwrite each other\u0027s result between\nieee80211_rx_mesh_data() and the switch on res.\n\nThat can make a packet that was queued or consumed by\nieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make\na packet that should continue return as queued.\n\nMake res an automatic variable so each invocation keeps its own result."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:58:25.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03584528bfffb195e384698af9148b94e42e3f14"
},
{
"url": "https://git.kernel.org/stable/c/1739fc31b4de06c5c78ce0741182770fb079091e"
},
{
"url": "https://git.kernel.org/stable/c/e131562d6f2b958148c35c98831b007f47f0e3d3"
},
{
"url": "https://git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893"
},
{
"url": "https://git.kernel.org/stable/c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba"
}
],
"title": "wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46152",
"datePublished": "2026-05-28T09:36:08.211Z",
"dateReserved": "2026-05-13T15:03:33.101Z",
"dateUpdated": "2026-06-30T12:10:11.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23455 (GCVE-0-2026-23455)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI?
EPSS
Title
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5e35941d990123f155b02d5663e51a24f816b6f3 , < 2121f5fbe88daff0f1fc5bc47d359426c74b86b0
(git)
Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 65fa92f79677858b14b9e4b7275f26639afe2710 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 495e97af9e7249ee02b72bb1d0848a6efc3700f4 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < f5e4f4e4cdb75ec36802059a94195a31f193da60 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 633e8f87dad32263f6a57dccdb873f042c062111 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < b652b05d51003ac074b912684f9ec7486231717b (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < f173d0f4c0f689173f8cdac79991043a4a89bf66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2121f5fbe88daff0f1fc5bc47d359426c74b86b0",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "65fa92f79677858b14b9e4b7275f26639afe2710",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "495e97af9e7249ee02b72bb1d0848a6efc3700f4",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f5e4f4e4cdb75ec36802059a94195a31f193da60",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "633e8f87dad32263f6a57dccdb873f042c062111",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "b652b05d51003ac074b912684f9ec7486231717b",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f173d0f4c0f689173f8cdac79991043a4a89bf66",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:19.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"
},
{
"url": "https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"
},
{
"url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"
},
{
"url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"
},
{
"url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"
},
{
"url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"
},
{
"url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"
},
{
"url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"
}
],
"title": "netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23455",
"datePublished": "2026-04-03T15:15:36.869Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-05-11T22:07:19.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31786 (GCVE-0-2026-31786)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI?
EPSS
Title
Buffer overflow in drivers/xen/sys-hypervisor.c
Summary
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014
(the above have a hack to embed a zero inside and check it's
returned correctly).
This is XSA-485 / CVE-2026-31786
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
84b7625728ea311ea35bdaa0eded53c1c56baeaa , < e3af585e1728c917682b6a3de9a69b41fb9194d4
(git)
Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 8288d031a01dbacfde3fc643f7be3d23504de64d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < f458ba102da97fafca106327086fc95f3fc764cb (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 4b4defd2fce3f966c25adabf46644a85558f1169 (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < d5f59216650c51e5e3fcb7517c825bc8047f60ef (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 27fdbab4221b375de54bf91919798d88520c6e28 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:32.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/12"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-485.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3af585e1728c917682b6a3de9a69b41fb9194d4",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "8288d031a01dbacfde3fc643f7be3d23504de64d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "f458ba102da97fafca106327086fc95f3fc764cb",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "4b4defd2fce3f966c25adabf46644a85558f1169",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "d5f59216650c51e5e3fcb7517c825bc8047f60ef",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "52cecff98bda2c51eed1c6ce9d21c5d6268fb19d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "27fdbab4221b375de54bf91919798d88520c6e28",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it\u0027s\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:38.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4"
},
{
"url": "https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d"
},
{
"url": "https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb"
},
{
"url": "https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169"
},
{
"url": "https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a"
},
{
"url": "https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef"
},
{
"url": "https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d"
},
{
"url": "https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28"
}
],
"title": "Buffer overflow in drivers/xen/sys-hypervisor.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31786",
"datePublished": "2026-04-30T10:31:28.293Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:38.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43116 (GCVE-0-2026-43116)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-19 11:58
VLAI?
EPSS
Title
netfilter: ctnetlink: ensure safe access to master conntrack
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
- Grab the nf_conntrack_expect_lock, this gets serialized with
clean_from_lists() which also holds this lock when the master
conntrack goes away.
- Hold reference on master conntrack via nf_conntrack_find_get().
Not so easy since the master tuple to look up for the master conntrack
is not available in the existing problematic paths.
This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.
The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().
However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.
The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.
While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c1d10adb4a521de5760112853f42aaeefcec96eb , < 9e1196d27ef496f404c76f7a9d03761142d991c4
(git)
Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < 5e1c1d22268ae710c238342c8030c21daf298168 (git) Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < d52fa1fa7440676b8c238037a050ab008c22737f (git) Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < f338ced0473849c9f6ed0b77ca99f1aab5826787 (git) Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < 497f99b26fffdc5635706d1b4811f1ed8ee21a5b (git) Affected: c1d10adb4a521de5760112853f42aaeefcec96eb , < bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_ecache.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e1196d27ef496f404c76f7a9d03761142d991c4",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "5e1c1d22268ae710c238342c8030c21daf298168",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "d52fa1fa7440676b8c238037a050ab008c22737f",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "f338ced0473849c9f6ed0b77ca99f1aab5826787",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "497f99b26fffdc5635706d1b4811f1ed8ee21a5b",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
},
{
"lessThan": "bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5",
"status": "affected",
"version": "c1d10adb4a521de5760112853f42aaeefcec96eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_core.h",
"net/netfilter/nf_conntrack_ecache.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ensure safe access to master conntrack\n\nHolding reference on the expectation is not sufficient, the master\nconntrack object can just go away, making exp-\u003emaster invalid.\n\nTo access exp-\u003emaster safely:\n\n- Grab the nf_conntrack_expect_lock, this gets serialized with\n clean_from_lists() which also holds this lock when the master\n conntrack goes away.\n\n- Hold reference on master conntrack via nf_conntrack_find_get().\n Not so easy since the master tuple to look up for the master conntrack\n is not available in the existing problematic paths.\n\nThis patch goes for extending the nf_conntrack_expect_lock section\nto address this issue for simplicity, in the cases that are described\nbelow this is just slightly extending the lock section.\n\nThe add expectation command already holds a reference to the master\nconntrack from ctnetlink_create_expect().\n\nHowever, the delete expectation command needs to grab the spinlock\nbefore looking up for the expectation. Expand the existing spinlock\nsection to address this to cover the expectation lookup. Note that,\nthe nf_ct_expect_iterate_net() calls already grabs the spinlock while\niterating over the expectation table, which is correct.\n\nThe get expectation command needs to grab the spinlock to ensure master\nconntrack does not go away. This also expands the existing spinlock\nsection to cover the expectation lookup too. I needed to move the\nnetlink skb allocation out of the spinlock to keep it GFP_KERNEL.\n\nFor the expectation events, the IPEXP_DESTROY event is already delivered\nunder the spinlock, just move the delivery of IPEXP_NEW under the\nspinlock too because the master conntrack event cache is reached through\nexp-\u003emaster.\n\nWhile at it, add lockdep notations to help identify what codepaths need\nto grab the spinlock."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:15.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e1196d27ef496f404c76f7a9d03761142d991c4"
},
{
"url": "https://git.kernel.org/stable/c/5e1c1d22268ae710c238342c8030c21daf298168"
},
{
"url": "https://git.kernel.org/stable/c/d52fa1fa7440676b8c238037a050ab008c22737f"
},
{
"url": "https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787"
},
{
"url": "https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b"
},
{
"url": "https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5"
}
],
"title": "netfilter: ctnetlink: ensure safe access to master conntrack",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43116",
"datePublished": "2026-05-06T07:40:41.185Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-19T11:58:15.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40170 (GCVE-0-2025-40170)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2026-06-16 19:33
VLAI?
EPSS
Title
net: use dst_dev_rcu() in sk_setup_caps()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: use dst_dev_rcu() in sk_setup_caps()
Use RCU to protect accesses to dst->dev from sk_setup_caps()
and sk_dst_gso_max_size().
Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
and ip_dst_mtu_maybe_forward().
ip4_dst_hoplimit() can use dst_dev_net_rcu().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 5d1be493d1110c9e720b4c51a6e587bb2fb4ac12
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < a805729c0091073d8f0415cfa96c7acd1bc17a48 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 99a2ace61b211b0be861b07fbaa062fca4b58879 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:33:10.426175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:33:20.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"include/net/ip6_route.h",
"include/net/route.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d1be493d1110c9e720b4c51a6e587bb2fb4ac12",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "a805729c0091073d8f0415cfa96c7acd1bc17a48",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "99a2ace61b211b0be861b07fbaa062fca4b58879",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"include/net/ip6_route.h",
"include/net/route.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use dst_dev_rcu() in sk_setup_caps()\n\nUse RCU to protect accesses to dst-\u003edev from sk_setup_caps()\nand sk_dst_gso_max_size().\n\nAlso use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),\nand ip_dst_mtu_maybe_forward().\n\nip4_dst_hoplimit() can use dst_dev_net_rcu()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:44:07.195Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d1be493d1110c9e720b4c51a6e587bb2fb4ac12"
},
{
"url": "https://git.kernel.org/stable/c/a805729c0091073d8f0415cfa96c7acd1bc17a48"
},
{
"url": "https://git.kernel.org/stable/c/99a2ace61b211b0be861b07fbaa062fca4b58879"
}
],
"title": "net: use dst_dev_rcu() in sk_setup_caps()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40170",
"datePublished": "2025-11-12T10:46:52.014Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-06-16T19:33:20.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23097 (GCVE-0-2026-23097)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
migrate: correct lock ordering for hugetlb file folios
Summary
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
336bf30eb76580b579dc711ded5d599d905c0217 , < e7396d23f9d5739f56cf9ab430c3a169f5508394
(git)
Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < ad97b9a55246eb940a26ac977f80892a395cabf9 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 5edb9854f8df5428b40990a1c7d60507da5bd330 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 526394af4e8ade89cacd1a9ce2b97712712fcc34 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b75070823b89009f5123fd0e05a8e0c3d39937c1 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 1b68efce6dd483d22f50d0d3800c4cfda14b1305 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b7880cb166ab62c2409046b2347261abf701530e (git) Affected: ef792d6ce0db6a56e56743b1de1716a982c3b851 (git) Affected: 5.9.9 , < 5.10 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:33.152666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:13.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b7880cb166ab62c2409046b2347261abf701530e",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"status": "affected",
"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851",
"versionType": "git"
},
{
"lessThan": "5.10",
"status": "affected",
"version": "5.9.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:03:50.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"
},
{
"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"
},
{
"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"
},
{
"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"
},
{
"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"
},
{
"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"
},
{
"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"
}
],
"title": "migrate: correct lock ordering for hugetlb file folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23097",
"datePublished": "2026-02-04T16:08:19.815Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-06-11T18:44:13.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…